Please note that this example is vulnerable to injection and uses plain-stored passwords...
mysqli::real_query
mysqli_real_query
(PHP 5, PHP 7)
mysqli::real_query -- mysqli_real_query — Execute an SQL query
Descrierea
Stil obiect-orientat
public mysqli::real_query
( string
$query
) : boolStil procedural
Executes a single query against the database whose result can then be retrieved or stored using the mysqli_store_result() or mysqli_use_result() functions.
In order to determine if a given query should return a result set or not, see mysqli_field_count().
Parametri
-
link -
Numai stilul procedural: Un identificator al legăturii întors de mysqli_connect() sau mysqli_init()
-
query -
The query, as a string.
Data inside the query should be properly escaped.
Valorile întoarse
Întoarce valoarea true în cazul
succesului sau false în cazul eșecului.
A se vedea și
- mysqli_query() - Performs a query on the database
- mysqli_store_result() - Transfers a result set from the last query
- mysqli_use_result() - Initiate a result set retrieval
add a note
User Contributed Notes 3 notes
TIL ¶
5 years ago
jay at cloudulus dot media ¶
5 years ago
Well, we don't know if $password is in plain text because it was never defined in the example.
New passwords should be stored using
<?php
$crypt_pass = password_hash($password, PASSWORD_DEFAULT);
?>
Where PASSWORD_DEFAULT = BCRYPT algorithm
Then to compare a user entered password to a database stored password, we use:
<?php
$valid = password_verify($password, $crypt_pass);
?>
Which returns true or false.
As for being vulnerable to injection, this is true. To avoid this, use sprintf() or vsprintf() to format the query and inject the values using mysqli::real_escape_string, like so:
<?php
$vals = [$db->real_escape_string($username), $db->real_escape_string($password)];
$query = vsprintf("Select * From users Where username='%s' And password='%s'", $vals);
$result = $db->real_query($query);
?>
Tinker ¶
7 years ago
Straightforward function - simply connect to the database and execute a query, similar to this function bellow.
<?php
function check_password($username, $password) {
// Create connection
$db = new mysqli('localhost','database_user','database_pass','database_name');
// Check for errors
if($db->connect_errno){
echo $db->connect_error;
}
// Execute query
$result = $db->real_query("Select * From users Where username='$username' And password='$password'");
// Always check for errors
if($db->connect_errno){
echo $db->connect_error;
}
return $result == true;
}
?>
Very easy.
Replace database_user, database_pass and database_name with the proper names, and the text inside real_query with your actual query.
Don't forget the quotes on either side (except for numbers, there you can omit them) otherwise it won't work. Hope that helps someone.
