Converting sql to PDO

Hi, I have an urgent need to convert our current SQL code to PDO. I have spent all day today just trying to get our login system right and gave up, restoring the code back to the original. I can play with the rest after if I can just get into the system. Can someone please help me convert the following to PDO. I have no idea what I am doing here and I know I am asking a lot but the help will be immensely appreciated.

LOGIN CODE:

    <?php
    session_start();
    ob_start();
    include "edb.php";
    include "./functions.php";
    ?>

    <?php
    //If the user has submitted the form
    if($_POST['submit']){
        $Username = protect($_POST['Username']);
        $Password = protect(sha1($_POST['Password']));
        if(!$Username || !$Password){
            echo "<center>Please enter your <b>Username</b> and <b>Password</b>!</center>";
        }else{
            $res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."'");
            $num = mysql_num_rows($res);
            if($num == 0){
                echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
            }else{
                $res = mysql_query("SELECT * FROM `eusers` WHERE `Username` = '".$Username."' AND Password = '".$Password."'");
                $num = mysql_num_rows($res);
                if($num == 0){
                    echo "<center>The <b>Password</b> you supplied is incorrect!</center>";
                }else{
                    $row = mysql_fetch_assoc($res);
                    if($row['Active'] != 1){
                        echo "<center>Your login has been <b>deactivated</b></center>";
                    }else{
                        header('Location: secure.php');
                        $time = date('U')+7200; //2 Hours
                        mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
                        $_SESSION['uid'] = $row['id'];
                    }
                }
            }
        }
    }
    ?>

SESSION CODE on Each Page

    <?php
    session_start();
    include "edb.php";
    include "./functions.php";
    if(strcmp($_SESSION['uid'],"") == 0){
        printf("<script>location.href='index.php'</script>");
    }else{
        $time = date('U')+7200; //2 Hours
        $update = mysql_query("UPDATE `eusers` SET `Online` = '".$time."' WHERE `id` = '".$_SESSION['uid']."'");
    }
    ?>

you can start here

It helps people give you useful answers when you format your code with the </> button.

I’ll do it for you for £50.

The session check code on each page, because it doesn’t stop program execution after the redirect, is still executing all the remaining code on the protected page. Every redirect needs an exit; statement after it.


I would recommend that you also use session_regenerate_id(); but you would also need to update the session table with the new session id.

That code sample is really old and could really do with a total rewrite - what script is this a part of?

I would also recommend that you stop using sha1 and use password_hash() and password_verify()
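Pulling the three recommendations in this thread together (an exit after every redirect, session_regenerate_id() once the user is authenticated, and password_hash()/password_verify() instead of sha1()), here is an added example of a PDO login plus a page guard. It is not code from this thread or from the original script. It assumes $pdo is created by an edb.php like the one posted further down, that the eusers table has the columns id, Username, Password, Active and Online, and that the Password column now holds a password_hash() value rather than a sha1() digest (existing sha1 rows have to be re-hashed when each user next logs in or resets their password). Unlike the original, it gives the same message for an unknown username and a wrong password, so the form does not reveal which usernames exist.

```php
<?php
// Added example, not code from this thread. Assumes $pdo comes from edb.php and
// that eusers has the columns id, Username, Password, Active and Online, with
// Password holding a password_hash() value.
session_start();
require_once "edb.php";

// Look the user up by name only and let password_verify() compare the hash.
// Returns the row on success, or null when the user is unknown or the password
// is wrong; the caller reports both cases with one identical message.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare("SELECT id, Password, Active FROM eusers WHERE Username = :username");
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch();                 // false when no row matched
    if ($user === false || !password_verify($password, $user['Password'])) {
        return null;
    }
    // Re-hash if PHP's default algorithm or cost has changed since the hash was made.
    if (password_needs_rehash($user['Password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE eusers SET Password = :hash WHERE id = :id");
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }
    return $user;
}

// Record "online until" as now + 2 hours, the same value the thread's code stores.
function touchOnline(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare("UPDATE eusers SET Online = :onlineTime WHERE id = :id");
    $stmt->execute([':onlineTime' => time() + 7200, ':id' => $userId]);
}

// Guard for every protected page (the thread's "session code on each page").
// Put it in one file and require_once that file at the top of each page.
function requireLogin(PDO $pdo): void
{
    if (empty($_SESSION['uid'])) {
        header('Location: index.php');
        exit;                               // nothing after a redirect may run
    }
    touchOnline($pdo, (int)$_SESSION['uid']);
}

if (isset($_POST['submit'])) {
    $username = trim($_POST['Username'] ?? '');
    $password = $_POST['Password'] ?? '';

    if ($username === '' || $password === '') {
        echo "<center>Please enter your <b>Username</b> and <b>Password</b>!</center>";
    } elseif (($user = authenticate($pdo, $username, $password)) === null) {
        echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
    } elseif ((int)$user['Active'] !== 1) {
        echo "<center>Your login has been <b>deactivated</b></center>";
    } else {
        session_regenerate_id(true);        // fresh session id once authenticated
        $_SESSION['uid'] = (int)$user['id'];
        touchOnline($pdo, (int)$user['id']);
        header('Location: secure.php');
        exit;                               // stop here; the redirect is the response
    }
}
```

Because the query binds :username as a parameter and never interpolates user input, the string-escaping that protect() did for the old mysql_query() calls is no longer needed for the database; validation of what a username may look like is a separate concern. The user is also fetched by name alone, so the password comparison is done by password_verify() in PHP rather than by the database matching a stored digest.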

LogIn:

    <?php

    session_start();
    //session_regenerate_id();
    ob_start();

    require_once "edb.php";
    include "./functions.php";

    // If the user has submitted the form
    if(isset($_POST['submit'])){

        $Username = protect($_POST['Username']);
        $Password = protect(sha1($_POST['Password']));

        if(!$Username || !$Password){
            echo "<center>Please enter your <b>Username</b> and <b>Password</b>!</center>";
        }
        else {
            $fetchUser = $pdo->prepare("
                SELECT
                    *
                FROM
                    eusers
                WHERE
                    Username=:username
                AND
                    Password=:password
            ");
            $fetchUser->execute([
                ':username' => $Username,
                ':password' => $Password
            ]);

            // fetch() returns false when no row matched; rowCount() is not
            // guaranteed to work for SELECT statements in PDO
            $dbUser = $fetchUser->fetch();

            if($dbUser === false) {
                echo "<center>The <b>Username</b> or <b>Password</b> you supplied is incorrect!</center>";
            }
            else {
                // Is this LOGOUT?

                /*if($dbUser['Active'] != 1){
                    echo "<center>Your login has been <b>deactivated</b></center>";
                }
                else{*/

                $time = date('U') + 7200; //2 Hours

                $updateUser_Online = $pdo->prepare("
                    UPDATE
                        eusers
                    SET
                        Online=:onlineTime
                    WHERE
                        id=:id
                ");
                $updateUser_Online->execute([':onlineTime' => $time, ':id' => $dbUser['id']]);

                $_SESSION['uid'] = $dbUser['id'];

                header('Location: secure.php');
                exit;
                //}
            }
        }
    }

edb.php

    <?php

    require_once "config.php";

    $dsn = "mysql:host=$host;dbname=$db;charset=$charset";
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ];
    try {
        $pdo = new PDO($dsn, $user, $pass, $options);
    } catch (\PDOException $e) {
        throw new \PDOException($e->getMessage(), (int)$e->getCode());
    }

@GrumpyYoungMan, the correct bbcode tags are [code][/code] but they must go on their own lines. I have edited your post above.

Posting fixed code (that’s currently hashing the password twice), a month after the fact, isn’t teaching anything. Catching and re-throwing a pdo exception, with only some of the actual error/backtrace information, is typing for nothing. If your application isn’t trying to recover from a ‘user’ caused error, just let php catch and handle the original exception.


Thanks! I have been trying to resolve that!! Sorry!

I hadn’t noticed it had been a month. My bad…

I also forgot to remove the second sha1 - that was because I wasn’t using the protect() user name and password via $_POST.
