-1

Could use help with some simple code using both PHP and SQL (PDO) :)

Trying to access a table, withdraw 1 row from 1 column with specific details using MVC and then verifying said info, building it and then entering that info into Session storage so that I can validate what "role" and "user" is present at a certain time.

That's my controller

```php
<?php
  class PagesController {
    public function home() {
      $first_name = 'Qwerty';
      $last_name  = 'Qwerty';
      require_once('views/pages/home.php');
    }

    public $admin_model;

    public function __construct() {
        $this->admin_model = new Admin();
    }

    public function login() {
        session_start();
        $log = $this->admin_model->LoginModel();
        if($log == true){
            $admin= $this->admin_model->findAdmin($_POST['user'],$_POST['pass']);
            if($admin == true){
              $_SESSION['user'] = $admin['user'];
              print_r($_SESSION);
            }
            require_once('views/pages/login.php');
        }else if($log == false){
            echo "There is no existing account with that information. Please try a different account.";
            require_once('views/pages/home.php');
        }
    }
  }
?>
```

And this is my Admin Model.

```php
<?php

require_once 'connection.php';

class Admin{

    public $name;
    public $role;
    public $phone;
    public $email;
    public $password;
    public $img;
    public $id;

    public function __construct() {
    }
    public function LoginModel(){
        if(isset($_POST['user'])&&($_POST['pass'])){
            $name= $_POST['user'];
            $password=$_POST['pass'];
        }
        else{
            $name='NULL@NULL';
            $password='NULL';
        }
        $db = Db::getInstance();
        $sql = $db->prepare('SELECT * FROM `admin` WHERE "Name" = "'.$name.'" AND Password = ' . $password .'     ');
        $sql->execute();
        $result = $sql->setFetchMode(PDO::FETCH_ASSOC);
        if($result >= 1){
            return true;
        }else{
            return false;
        }
    }
    public function findAdmin($name, $password){
        $db = Db::getInstance();
        $sql = $db->prepare('SELECT * FROM `admin` WHERE "Name" = "'.$name.'" AND Password = ' . $password .'     ');
        $sql->execute();
        $result = $sql->setFetchMode(PDO::FETCH_ASSOC);
        if($result > 0){
            return $result;
        }
    }
}
```

Now, the first one, the Login() model works, BUT it doesn't matter what $_POST['user'] or $_POST['pass'] I input, it always works :/... so it seems my SQL query always returns true (I'm inputting the same info as found in the table, username "admin" and password "12345"), but no matter what information I put in, it works, which is odd...

Second of all, I want to "Find" the admin after logging in and put that info into a session that I can verify on every view... any help?

Liad Goren
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 08 '17 at 20:16
  • **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky May 08 '17 at 20:16
  • You're setting your `$result` variable to the result of `setFetchMode()`, not the result of the query. – Alex Howansky May 08 '17 at 20:20
  • Then what should I do? I want to get a True result only when there is more than 1 row from the sql query... – Liad Goren May 08 '17 at 20:40
  • use PDO's error handling; you have errors and possibly php's error reporting. – Funk Forty Niner May 08 '17 at 20:59
  • I don't seem to get any errors, as I do get a true result, otherwise it would crash. I just query wrong. – Liad Goren May 09 '17 at 03:30

1 Answer

0

I think your specific problem is that you're using the return of setFetchMode() as an indicator of whether or not rows were found by the execution. Since its return value is TRUE simply by virtue of it succeeding in setting the fetch mode, you're probably always going to see TRUE returned.

You probably need to do fetchAll() and count the records in the array, if all you want to do is verify that at least one row was returned.

ashnazg
  • Note that PDO has a rowCount() method, but it is not usually implemented for use with SELECT statements... it is mainly for Data Manipulation SQL (insert, update, delete), and I think it's not necessarily implemented fully or the same on all databases. – ashnazg May 08 '17 at 20:23
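
Putting the answer and the comments on the question together, as an added example that is not part of the original thread: a `findAdmin()` that binds its parameter, checks the row returned by `fetch()` rather than the return value of `setFetchMode()`, and verifies a `password_hash()` digest. The in-memory SQLite table, the `Role` column and the `login()` helper are assumptions made for the illustration.

```php
<?php
// Constructed stand-in for the page's `admin` table (in-memory SQLite; Role column is assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (Name TEXT PRIMARY KEY, Password TEXT NOT NULL, Role TEXT NOT NULL)');

// Store a password_hash() digest, never the plain-text password.
$ins = $db->prepare('INSERT INTO admin (Name, Password, Role) VALUES (:name, :hash, :role)');
$ins->execute([':name' => 'admin', ':hash' => password_hash('12345', PASSWORD_DEFAULT), ':role' => 'admin']);

// Returns the matching row without its hash, or null when the login is rejected.
function findAdmin(PDO $db, string $name, string $password): ?array
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT Name, Password, Role FROM admin WHERE Name = :name');
    $stmt->execute([':name' => $name]);

    // fetch() yields the row, or false when nothing matched. setFetchMode()
    // only reports that the mode was set, so it cannot be used as a row check.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    unset($row['Password']); // keep the hash out of the session
    return $row;
}

// Hypothetical helper replacing LoginModel() + findAdmin() in the controller.
function login(PDO $db, array $post): bool
{
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    $admin = findAdmin($db, $user, $pass);
    if ($admin === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID once the user is authenticated
    }
    $_SESSION['user'] = $admin['Name'];
    $_SESSION['role'] = $admin['Role'];
    return true;
}

// Constructed inputs: the stored pair, a wrong password, and a quote-laden user name.
var_dump(login($db, ['user' => 'admin', 'pass' => '12345']));
var_dump(login($db, ['user' => 'admin', 'pass' => 'wrong']));
var_dump(login($db, ['user' => 'x" OR "1"="1', 'pass' => 'x']));
```

In the controller, `session_start()` has to run before `login()` so that the regenerated ID and the `$_SESSION['user']` / `$_SESSION['role']` values persist for later views.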