
I've made a PHP login script and it just doesn't work.

My code:

<?php

function clean($str) { /* sanitize strings for databases & security */
    $str = trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

if (!empty($_POST['login_admin'])) {

    $username = clean($_POST['name']);
    $password = clean($_POST['password']);

    try {
        $dbh = new PDO('mysql:host=localhost;dbname=imedia', "imedia", "imedia");

        $statement = $dbh->prepare("SELECT * FROM administratori WHERE username =:username AND parola =:password");
        $statement->execute(array(":username" => $username, ":password" => md5($password)));
        $row = $statement->fetch();
        if ($row) {
            session_start("imedia_admin");
            $_SESSION['imedia_admin']['logname'] = $row['username'];
            $_SESSION['imedia_admin']['password'] = $row['password'];
            echo json_encode("success");
        } else {
            echo json_encode("error");
        }

        $dbh = null;
    } catch (PDOException $e) {
        print "Error!: " . $e->getMessage() . "<br/>";
        die();
    }
}
?>

The problem is in the clean function: if I do not use it, my code works. Can anybody explain to me what I am doing wrong, please?

Dan Cantir
  • What does "it doesn't work" mean? Do you get an error message, or do you not get the expected output? Please clarify what you mean – Lukas1 Oct 27 '12 at 15:54
  • You might see a white page or get a fatal error that mysql_real_escape_string does not exist, or something similar. Please see this reference question for first guidance to troubleshoot your issue: http://stackoverflow.com/q/12769982/367456 – hakre Oct 27 '12 at 15:55
  • it returns error, from ` echo json_encode("error");` – Dan Cantir Oct 27 '12 at 15:55
  • Which error? If you ask a question, always add the error information, like an error message or code (number). – hakre Oct 27 '12 at 15:56

2 Answers

PDO will take care of it (it automatically escapes single quotes or sanitizes it for you). Don't pass the variable through your own clean function.

Here's what's going on.

  • Let's say you have this string: hello world's day
  • Passing it to your function clean makes it: hello world''s day
  • Then PDO escapes it again, making it: hello world''''s day
  • This causes a mismatch: hello world's day is not equal to hello world''s day
John Woo

Since you are using a prepared statement and therefore binding your values into it, there is no need to "sanitize" the string yourself.

That is one of the beauties of using prepared statements and variable bindings: they are safe out of the box.

mysql_real_escape_string will escape the special characters in $_POST['name'] ($username), which will cause a mismatch when you are searching your database (since the values being passed using PDO are treated "as is").

mysql_real_escape_string is also deprecated, check out php.net for alternative methods.

Filip Roséen - refp
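Added example (PHP; not code from the question or either answer): the same lookup done through a bound parameter, once with the pre-escaped string the asker's clean() would produce and once with the raw value, against an in-memory SQLite database (assumes the pdo_sqlite extension) in place of the asker's MySQL server. addslashes() stands in for mysql_real_escape_string(), which needs a live mysql connection; both turn ' into \'.

```php
<?php
// Added example, not code from the question or either answer. It reproduces
// the "escape first, then bind" mismatch against an in-memory SQLite database
// (assumes the pdo_sqlite extension), so no MySQL server is needed.
// addslashes() stands in for mysql_real_escape_string(), which needs a live
// mysql connection; both turn ' into \'.
declare(strict_types=1);

function setupDb(): PDO {
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE administratori (username TEXT, parola TEXT)');
    // Stored row (constructed): a username containing a literal single quote,
    // and a password hash instead of the asker's md5().
    $ins = $dbh->prepare('INSERT INTO administratori VALUES (:u, :p)');
    $ins->execute([':u' => "hello world's day",
                   ':p' => password_hash('secret', PASSWORD_DEFAULT)]);
    return $dbh;
}

function findUser(PDO $dbh, string $username): ?array {
    // The bound value is sent as data, so it must be the raw string.
    $st = $dbh->prepare('SELECT * FROM administratori WHERE username = :username');
    $st->execute([':username' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $dbh, string $username, string $password): bool {
    $row = findUser($dbh, $username);
    // Compare the password in PHP against the stored hash, not inside SQL.
    return $row !== null && password_verify($password, $row['parola']);
}

$dbh = setupDb();
$raw = "hello world's day";

// What the asker's clean() does: the escaped string "hello world\'s day"
// is looked up literally and matches no stored username.
printf("escaped lookup: %s\n", login($dbh, addslashes($raw), 'secret') ? 'ok' : 'no match');

// Bind the raw value and the lookup succeeds.
printf("raw lookup:     %s\n", login($dbh, $raw, 'secret') ? 'ok' : 'no match');
```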