0

here is my user login code.

<?php

require("Conn.php");
require("MySQLDao.php");
$email = htmlentities($_POST["email"]);
$password = htmlentities($_POST["password"]);
$returnValue = array();

if(empty($email) || empty($password))
{
    $returnValue["status"] = "error";
    $returnValue["message"] = "Missing required field";
    echo json_encode($returnValue);
    return;
}

$secure_password = md5($password);

$dao = new MySQLDao();
$dao->openConnection();
$userDetails = $dao->getUserDetailsWithPassword($email,$secure_password);

if(!empty($userDetails))
{
    $returnValue["status"] = "Success";
    $returnValue["message"] = "User is Logged in";
    echo json_encode($returnValue);
} else {

    $returnValue["status"] = "error";
    $returnValue["message"] = "User is not found";
    echo json_encode($returnValue);
}

$dao->closeConnection();

?>

and my sql code is as below:

<?php
class MySQLDao {
    var $dbhost = null;
    var $dbuser = null;
    var $dbpass = null;
    var $conn = null;
    var $dbname = null;
    var $result = null;

    function __construct() {
        $this->dbhost = Conn::$dbhost;
        $this->dbuser = Conn::$dbuser;
        $this->dbpass = Conn::$dbpass;
        $this->dbname = Conn::$dbname;
    }


    // function to open connection

    public function openConnection() {
        $this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass, $this->dbname);
        if (mysqli_connect_errno())
        echo new Exception("Could not establish connection with database");
    }

    // function to return the connection

    public function getConnection() {
        return $this->conn;
    }

    // function to close the connection

    public function closeConnection() {
        if ($this->conn != null)
        $this->conn->close();
    }

    // function to get user email

    public function getUserDetails($email)
    {
        $returnValue = array();
        $sql = "select * from ap_users where user_email='" . $email . "'";

        $result = $this->conn->query($sql);
        if ($result != null && (mysqli_num_rows($result) >= 1)) {
            $row = $result->fetch_array(MYSQLI_ASSOC);
            if (!empty($row)) {
                $returnValue = $row;
            }       
        }
        return $returnValue;
    }

    // get user details using email and password

    public function getUserDetailsWithPassword($email, $userPassword)
    {
        $returnValue = array();
        $sql = "select id,user_email from ap_users where user_email='" . $email . "' and user_password='" .$userPassword . "'";

        $result = $this->conn->query($sql);
        if ($result != null && (mysqli_num_rows($result) >= 1)) {
            $row = $result->fetch_array(MYSQLI_ASSOC);
            if (!empty($row)) {
                $returnValue = $row;
            }
        }
        return $returnValue;
    }

    // register user with all fields

    public function registerUser($email, $password, $username, $fname, $lname, $mobile, $roleid)
    {
        $sql = "insert into ap_users set user_email=?, user_password=?, user_username=?, user_fname=?, user_lname=?, user_mobile=?, user_roleid=?";
        $statement = $this->conn->prepare($sql);

        if (!$statement)
            throw new Exception($statement->error);

        $statement->bind_param("sssssss", $email, $password, $username, $fname, $lname, $mobile, $roleid);
        $returnValue = $statement->execute();

        return $returnValue;
    }

}
?>

Currently at login i am getting "success" and "user is logged in" values as per status and message. But i want to push "roleid" of user with the login message, please help!

RiggsFolly
  • 89,708
  • 20
  • 100
  • 143
sarjerav patil
  • 3
  • 2
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jan 25 '17 at 13:06
  • 1
    Please dont __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Jan 25 '17 at 13:08
  • 1
    ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** . Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 25 '17 at 13:10
  • Now you say you want to pass `roleid` on a login message. ___Would you like to tell us where you keep this data___ – RiggsFolly Jan 25 '17 at 13:11
  • Do you mean you want to add this `roleid` to the JSON that you echo ? – RiggsFolly Jan 25 '17 at 13:12
  • The solution appears to be ridiculously simple, so why do you need our help – RiggsFolly Jan 25 '17 at 13:18
  • roleid is "user_roleid" column in same table. and i need the roleid of user which is logging in. if echo in json format for roleid will be best! thanks in advance – sarjerav patil Jan 25 '17 at 13:59

1 Answers1

0

roleid is "user_roleid" column in same table.

Change the Code in your getUserDetailsWithPassword-Method

$sql = "select id,user_email, user_roleid from ap_users where user_email..."

And please have a look at the others advices in the comments (Password and Hashing)!

BenRoob
  • 1,626
  • 5
  • 22
  • 23
  • and how will be the roleid value will be displayed! – sarjerav patil Jan 27 '17 at 06:34
  • If I understand your getUserDetailsWithPassword-Method right, then in $userDetails will be the key 'user_roleid'. You can pass it to json, e.g.: $returnValue['user_roleId'] = $userDetails['user_roleid'] – BenRoob Jan 27 '17 at 14:35