need some help in converting this code from mysl to pdo

mysql pdo login sql injection

1 reply to this topic

#1 NanaKwekuDenise


    CC Lurker

  • Just Joined
  • 1 posts

Posted 14 March 2014 - 10:19 AM

<link rel="stylesheet" type="text/css" href="admin/css/style.css" />
<?php include('dbcon.php');
include('header.php');
 ?>
</head>
<body>

    <div class="navbar navbar-fixed-top">
    <div class="navbar-inner">
    <div class="container">
         
        <a class="brand">
        <img src="admin/images/dee.png" width="150" height="50">
     </a>
    <a class="brand">
     <h2>UNITOUCH GLOBAL ONLINE E-VOTING</h2>
     <div class="chmsc_nav"><font size="4" color="white">Uniquely Touching The Universe</font></div>
     </a>

    <?php include('head.php'); ?>
 
    </div>
    </div>
    </div>
<div class="wrapper_admin">
</br>
</br>
</br>
    <div id="element" class="hero-body-index">

    <p><font color="white"><h2>Voter Login</h2></font></p>
    
    <form method="POST" >
    <table>
    <tr><td><font color="white">UserName:</font>&nbsp;&nbsp;</td><td><input type="text"  name="UserName" class="UserName_hover"></td></tr>
    <tr><td>...<td></tr>
    <tr><td><font color="white">Password:</font>&nbsp;&nbsp;</td><td><input type="Password" name="Password" class="Password_hover"></td></tr>
    <tr><td>...<td></tr>
    <tr><td></td><td>    <button class="btn btn-primary" name="Login"><i class="icon-ok icon-large"></i>&nbsp;Login</button>
    
    </td></tr>
    <tr><td>
    </td><tr>
    </form>
    </table>
    
    </br>
    <div class="error">
            <?php

if (isset($_POST['Login'])){

$UserName=$_POST['UserName'];
$Password=$_POST['Password'];
$username = mysql_real_escape_string($UserName);
$stm = $pdo->prepare("SELECT * FROM Voters WHERE  UserName= ? AND Password = ?");
$login_query3=mysql_query("select * from voters where Username='$UserName' and Password='$Password' and Status='Unvoted' and Year='2nd year'") or die(mysql_error());
$login_query4=mysql_query("select * from voters where Username='$UserName' and Password='$Password' and Status='Unvoted' and Year='3rd year'") or die(mysql_error());
$login_query5=mysql_query("select * from voters where Username='$UserName' and Password='$Password' and Status='Unvoted' and Year='4th year'") or die(mysql_error());
//
$login_query1=mysql_query("select * from voters where Username='$UserName' and Password='$Password' and Status='Voted'");
$login_query2=mysql_query("select * from voters where Username='$UserName' and Password='$Password' and Status='Voted'");
$count=mysql_num_rows($login_query);
$count1=mysql_num_rows($login_query1);
$count3=mysql_num_rows($login_query3);
$count4=mysql_num_rows($login_query4);
$count5=mysql_num_rows($login_query5);
$row=mysql_fetch_array($login_query);
$row3=mysql_fetch_array($login_query3);
$row4=mysql_fetch_array($login_query4);
$row5=mysql_fetch_array($login_query5);
$id=$row['VoterID'];
?>
<?php
if($count == 1){
session_start();
$_SESSION['id']=$row['VoterID'];
header('location:voting.php');
}
if($count3 == 1){
session_start();
$_SESSION['id']=$row3['VoterID'];
header('location:voting.php');
}
if($count4 == 1){
session_start();
$_SESSION['id']=$row4['VoterID'];
header('location:voting.php');
}
if($count5 == 1){
session_start();
$_SESSION['id']=$row5['VoterID'];
header('location:voting.php');
}
if($count1 == 1){ ?>
    <div class="alert alert-error">
    <button class="close" data-dismiss="alert">×</button>
   You Can Only Vote Once
    </div>
<?php
}else{ ?>
<div class="alert alert-error">
    <button class="close" data-dismiss="alert">×</button>
   Please check your username and password
    </div>

    <?php
    }
?>

<?php
}

?>
</div>
</div>
</br>
</br>
</br>
</br>
</br>

    <?php include('footer.php')?>    
</div>

    </body>
    
</html>

I TRIED CONVERTING BUT REALISED I WAS MESSING UP THE CODE


Sorry, it's mysql not mysl


Edited by Roger, 16 March 2014 - 07:10 AM.
added codetags


#2 Alexander


    YOL9

  • Moderator
  • 3963 posts

Posted 24 March 2014 - 09:58 PM

Where are you messing up your code? I notice you have an initial prepared statement here:

$stm = $pdo->prepare("SELECT * FROM Voters WHERE UserName=? AND Password=?");

You have used the correct format; however, you must now bind the two variables to the statement, and then execute it as desired (as a query that should return a row, or should not return a row, for example).

 

A few PDO tutorials we host that can get you started:

http://forum.codecal...ccess-beginner/

 

That is a fairly straightforward one. More can be read here:

http://forum.codecal...nd-abstraction/

 

or on the PHP.net website of course:

http://www.php.net/m...en/book.pdo.php

 

You should also then check for its success, as good form for the basic error handling you should be using in your web application.

 

If replacing codes one by one with PDO calls creates too much chaos and you lose focus of what you are converting, it may be recommended to write this portion of your program from the ground up with PDO - it is not an extreme amount of code to rewrite by any means and you can certainly learn what that finished product looks like in comparison.

 

If you run into any issues, of course by all means post here your precise problems, with examples of what code is failing, and try to help us help you.

 

Alexander.


All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
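An added example (not the original poster's code and not Alexander's) showing the steps the reply describes: bind the two form values to the prepared statement, execute it, check whether a row came back, and treat a database failure as an error rather than as "wrong password". It assumes, as in the post, that `dbcon.php` defines `$pdo` and that the `Voters` table has the columns `VoterID`, `UserName`, `Password`, `Status` and `Year`. The five `mysql_query` calls collapse into one parameterised query, so the user-supplied text never becomes part of the SQL string and `mysql_real_escape_string` is no longer needed.

```php
<?php
// Added example, not the thread's own code. Assumes dbcon.php provides $pdo (a PDO object)
// and the Voters table/columns used in the original post.
include 'dbcon.php';

// Make PDO throw on failure. With the default (silent) mode, execute() returns false and
// fetch() returns false, which is indistinguishable from "no such voter".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let the server do the binding

/**
 * Look up a voter by username and password.
 * Returns ['VoterID' => ..., 'Status' => ...] on a match, or null when no row matches.
 * Throws PDOException if the query itself fails.
 */
function findVoter(PDO $pdo, string $userName, string $password): ?array
{
    // Positional placeholders; the values are sent separately from the SQL text.
    $stm = $pdo->prepare(
        'SELECT VoterID, Status FROM Voters
          WHERE UserName = ? AND Password = ?
            AND Year IN (?, ?, ?)'
    );
    $stm->bindValue(1, $userName, PDO::PARAM_STR);
    $stm->bindValue(2, $password, PDO::PARAM_STR);
    // The three year groups the original code queried one by one.
    $stm->bindValue(3, '2nd year', PDO::PARAM_STR);
    $stm->bindValue(4, '3rd year', PDO::PARAM_STR);
    $stm->bindValue(5, '4th year', PDO::PARAM_STR);
    $stm->execute();

    $row = $stm->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$message = '';
if (isset($_POST['Login'])) {
    $userName = (string) ($_POST['UserName'] ?? '');
    $password = (string) ($_POST['Password'] ?? '');

    try {
        $voter = findVoter($pdo, $userName, $password);
    } catch (PDOException $e) {
        // Keep the driver's message out of the page; log it for the administrator.
        error_log('Voter login query failed: ' . $e->getMessage());
        $voter = null;
        $message = 'Login is temporarily unavailable';
    }

    if ($voter === null) {
        if ($message === '') {
            $message = 'Please check your username and password';
        }
    } elseif ($voter['Status'] === 'Voted') {
        $message = 'You Can Only Vote Once';
    } else {
        session_start();
        session_regenerate_id(true);          // new session id after a successful login
        $_SESSION['id'] = $voter['VoterID'];
        header('Location: voting.php');
        exit;                                 // stop rendering the rest of the page after a redirect
    }
}

if ($message !== '') {
    echo '<div class="alert alert-error">'
       . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
       . '</div>';
}
```

This block must run before any HTML is sent (the original places it inside the page body, where `header()` can no longer set a redirect), and the `exit` after the redirect is what prevents the error message branch from executing as well. The query keeps the post's plaintext `Password` column so it is a drop-in replacement for the five original queries; comparing a stored hash with `password_verify()` instead would be the natural next step once the PDO conversion works.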
