Thread: PDO and MYSQLI

    #1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    8
    Rep Power
    0

    PDO and MYSQLI


    can someone move this code to PDO and to mysqli using prepared statement to fight sql injection.


    Code:
    <?php
    //Make a database connection
    session_start();
    mysql_connect("localhost", "root", "");
    mysql_select_db("test");
    
    //Login section start
    
    if(!isset($_SESSION["logged"])) {
      if(isset($_POST["username"]) && ($_POST['password'])) {
        $query = mysql_query("SELECT id FROM login WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "'");
        if(mysql_num_rows($query) > 0) {
          $row = mysql_fetch_array($query);
          $_SESSION["logged"] = $row["id"];
          header("Location: " . $_SERVER["PHP_SELF"]);
        }
      } 
    
    
    
    
    if(isset($_GET["add"])) {
        $query = mysql_query("SELECT * FROM data WHERE leo = '" . $_GET["add"] . "' AND jon = '" . $_SESSION["logged"] . "'");
        if(mysql_num_rows($query) > 0) {
          
          $_query = mysql_query("SELECT * FROM login WHERE id = '" . $_GET["add"] . "'");
          $_row = mysql_fetch_array($_query);
          
          $rec = unserialize($_row["rec"]);
          $rec[] = $_SESSION["logged"];      
                    
          mysql_query("UPDATE login SET rec = '" . serialize($rec) . "' WHERE id = '" . $_GET["add"] . "'");
          
          $_query = mysql_query("SELECT * FROM login WHERE id = '" . $_SESSION["logged"] . "'");
          $_row = mysql_fetch_array($_query);
          
          $rec = unserialize($_row["rec"]);
          $rec[] = $_GET["accept"];      
                    
          mysql_query("UPDATE login SET rec = '" . serialize($rec) . "' WHERE id = '" . $_SESSION["logged"] . "'");
        }
        mysql_query("DELETE FROM data WHERE leo = '" . $_GET["add"] . "' AND jon = '" . $_SESSION["logged"] . "'");
      }
    
    
    
     $query = mysql_query("SELECT * FROM data  WHERE leo = '" . $_SESSION["logged"] . "'");
      if(mysql_num_rows($query) > 0) {
        while($row = mysql_fetch_array($query)) { 
          $_query = mysql_query("SELECT * FROM login WHERE id = '" . $row["jon"] . "'");
          while($_row = mysql_fetch_array($_query)) {
            }
        }
      }
    }
    
    ?>
    https://github.com/esheri3/OWASP-CSRFGuard
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2003
    Posts
    3,508
    Rep Power
    594
    Post this in the hire a programmer forum.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
  5. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,143
    Rep Power
    9398
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    8
    Rep Power
    0

    pdo


    below is my code migration to PDO but is not working

    Code:
    
    
    
    
    <?php
    //Make a database connection
    session_start();
    error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
    require "config.php"; // Database connection details.
    dataConnect();
    
    
    
    
    //Login section start
    if(!isset($_SESSION["logged"])) {
      if(isset($_POST["username"]) && ($_POST['password'])) {
        $count=$dbo->prepare("select id FROM login where username=:username AND password=:password");
    $count->bindParam(":username",$username,PDO::PARAM_STRING,30);
    $count->bindParam(":password",$password,PDO::PARAM_STRING,35);
    $count->execute();
    $total = $count->rowCount();
    
    
    if($total>0){
    echo " login Success <br>";
    $row = $count->fetch(PDO::FETCH_OBJ);
    $_SESSION["logged"] = row->id;
    //$row = $count->fetch();
    //print_r($row);
    header("Location: " . $_SERVER["PHP_SELF"]);
    }else{
    echo("<form method=\"POST\">
        <input type=\"text\" name=\"username\" value=\"Type username here\">
    	<input type=\"text\" name=\"password\" value=\"Type username here\">
        <input type=\"submit\" name=\"submit\">  
        </form>");
    
    }
    
    } else {
    //end of login section
    
    
    //Section for adding friend
      if(isset($_GET["add"])) {
    $count=$dbo->prepare("select * from login where id=:add");
    $count->bindParam(":add",$id,PDO::PARAM_INT,1);
    $count->execute();
    $total = $count->rowCount();
    $row = $count->fetch(PDO::FETCH_OBJ);
    
    
    if($total>0){
    $count2=$dbo->prepare("select * from data where leo=:add AND jon=:logged");
    $count2->bindParam(":add",$leo,PDO::PARAM_STRING,1);
    $count2->bindParam(":logged",$jon,PDO::PARAM_STRING,2);
    $count2->execute();
    $total2 = $count2->rowCount();
    $row = $count2->fetch(PDO::FETCH_OBJ);
    if($total2==0){
    $sql=$dbo->prepare("INSERT INTO data SET leo =:logged,jon=:add");
    
    $sql->bindParam(':logged',$leo,PDO::PARAM_STR, 15);
    $sql->bindParam(':add',$jon,PDO::PARAM_STR, 15);
    
    if($sql->execute()){
    $id=$dbo->lastInsertId();
    echo " Thanks .. Your  id = $id ";
    }
    else{
    echo " Not able to add data please ";
    }
      }
        } 
      }
    //END
    
    
    //Section for exceting
      if(isset($_GET["accept"])) {
    
    $count=$dbo->prepare("select * from data where leo=:accept AND jon =:logged");
    $count->bindParam(":accept",$leo,PDO::PARAM_STRING,34);
    $count->bindParam(":logged",$jon,PDO::PARAM_STRING,34);
    $count->execute();
    $total = $count->rowCount();
    $row = $count->fetch(PDO::FETCH_OBJ);
    
    if($total>0){
    $count2=$dbo->prepare("select * from login WHERE id=:accept");
    $count2->bindParam(":accept",$id,PDO::PARAM_INT,1);
    $count2->execute();
    $total2 = $count->rowCount();
    $row = $count2->fetch(PDO::FETCH_OBJ);
    
    $rec = unserialize($row["rec"]);
     $rec[] = $_SESSION["rec"];    
    
    $sql=$dbo->prepare("update login SET rec=:serialize($rec) where id=accept");
    $sql->bindParam(":id",$id,PDO::PARAM_INT,1);
    $sql->bindParam(':rec',$rec,PDO::PARAM_STR, 15);
    if($sql->execute()){
    echo "Successfully updated";
    }
    
    
    
    $count2=$dbo->prepare("select * from login WHERE id=:logged");
    $count2->bindParam(":logged",$id,PDO::PARAM_INT,1);
    $count2->execute();
    $total2 = $count->rowCount();
    $row = $count2->fetch(PDO::FETCH_OBJ);
    
    
    $rec = unserialize($row["rec"]);
      $rec[] = $_GET["accept"];     
    
    
     $sql=$dbo->prepare("update login SET rec=:serialize($rec) where id=logged");
    $sql->bindParam(":id",$id,PDO::PARAM_INT,1);
    $sql->bindParam(':rec',$rec,PDO::PARAM_STR, 15);
    if($sql->execute()){
    echo "Successfully updated";
    }
    
        }
    $sql=$dbo->prepare("delete  from data where leo=:accept AND jon =:logged");
    $sql->bindParam(":id",$id,PDO::PARAM_INT,1);
    $sql->bindParam(':rec',$rec,PDO::PARAM_STR, 15);
    if($sql->execute()){
    echo "Successfully deleted";
    }
    
      }
    //END
    
    
    
    
    
    //Section for showing 
    $count=$dbo->prepare("select * from data where  leo =:logged");
    $count->bindParam(":logged",$leo,PDO::PARAM_STRING,34);
    $count->execute();
    $total = $count->rowCount();
    $row = $count->fetch(PDO::FETCH_OBJ);
    
    if($total>0){
    while($row = $count->fetch(PDO::FETCH_OBJ)) { 
    
    $count2=$dbo->prepare("SELECT * FROM login where  id =: $row['leo']");
    $count2->bindParam(":id",$row['leo'],PDO::PARAM_STRING,34);
    $count2->execute();
    $total 2= $count2->rowCount();
    $row2 = $count2->fetch(PDO::FETCH_OBJ);
    
    while($row2 = $count2->fetch(PDO::FETCH_OBJ)) { 
    
    echo " $row2->username";
    }
        }
      }
    //END
    
    
    //Section for showing 2
    
    $count=$dbo->prepare("SELECT * FROM login WHERE id ! =:logged");
    $count->bindParam(":logged",$id,PDO::PARAM_STRING,34);
    $count->execute();
    $total = $count->rowCount();
    $row = $count->fetch(PDO::FETCH_OBJ);
    while($row = $count->fetch(PDO::FETCH_OBJ)) { 
     $ok = false;
        $rec = unserialize($row["rec"]);
    if(isset($rec[0])) {
          foreach($rec as $rec) {
            if($rec == $_SESSION["logged"]) $ok = true;
          }
        }
        echo "not bad";
    
    
    $count2=$dbo->prepare("SELECT * from data where leo=:logged AND jon =:$row->id");
    $count2->bindParam(":id",$row->id,PDO::PARAM_STRING,34);
    $count2->execute();
    $total2= $count2->rowCount();
    $row2 = $count2->fetch(PDO::FETCH_OBJ);
    if($total2>0){
     echo " good";
        } elseif($ok == false) {
           echo " good again";
        } else {
          echo " thats me";
        }
        echo "<br />";
      }
    //END
    
    
    
    
    $count=$dbo->prepare("SELECT * FROM login WHERE id =:logged");
    $count->bindParam(":logged",$id,PDO::PARAM_STRING,34);
    $count->execute();
    $total = $count->rowCount();
    $row = $count->fetch(PDO::FETCH_OBJ);
    while($row = $count->fetch(PDO::FETCH_OBJ)) { 
    
        $rec = unserialize($row["rec"]);
    if(isset($rec[0])) {
          foreach($rec as $rec) {
    $count2=$dbo->prepare("SELECT username FROM login WHERE id =:$rec");
    $count2->bindParam(":id",$rec,PDO::PARAM_STRING,34);
    $count2->execute();
    $total2= $count2->rowCount();
    $row2 = $count2->fetch(PDO::FETCH_OBJ);
     echo "Thanks";
          }
        }
      }
    //END
    }
    
    
      
    ?>

IMN logo majestic logo threadwatch logo seochat tools logo