php - SA:MP UCP login error


I am developing a user control panel for a SA:MP server. I am working on the login script at the moment and have come across the following error:

Catchable fatal error: Object of class mysqli_result could not be converted to string in /var/www/html/login.php on line 21

login.php:

    <?php
    // Assumed: mysql.php (below) is loaded before this script, since it supplies
    // $connection and sanitize().
    require_once 'mysql.php';
    session_start();

    if(!isset($_SESSION["user"]))
    {
        echo 'username: '.$_POST['username'].'.';
        echo '<br>password: '.$_POST['password'].'.';
        $szuser = sanitize($_POST['username']);
        $szpass = sanitize($_POST['password']);
        echo '<br>username sanitized: '.$szuser.'.';
        echo '<br>password sanitized & hashed: '.strtoupper(hash("whirlpool", $szpass)).'.';
        //exit();
        echo "<br>" . date('h:i:s');
        echo '<br>logging in, please wait...';
        echo "<br>SELECT * FROM `accounts` WHERE `username` = '".$szuser."' LIMIT 1";
        $query = "SELECT * FROM `accounts` WHERE `username` = '".$szuser."' LIMIT 1";
        echo "<br>\$result = mysqli_query(\$connection, \"$query\");";
        $result = mysqli_query($connection, $query); // line 21 of the original file.
        // The fatal error is raised by the next line: "$result" inside double quotes
        // tries to convert the mysqli_result object to a string.
        echo "<br>mysqli_num_rows($result) == " . mysqli_num_rows($result) . ".";
        if(mysqli_num_rows($result) == 1)
        {
            echo "<br>while(\$row = mysqli_fetch_array(\$result, MYSQLI_ASSOC))";
            while($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
            {
                echo "<br>username = ".$row["username"].".";
                // Compare the stored hash with the hash of the submitted password
                // (the original compared $szpass with its own hash, which never matches).
                if($row["password"] == strtoupper(hash("whirlpool", $szpass)))
                {
                    $_SESSION["user"] = $row["id"];
                    echo '<meta http-equiv="refresh" content="0; url=index.php?page=home" />';
                }
                else echo '<meta http-equiv="refresh" content="0; url=index.php?page=login&error=2" />';
            }
        }
        else echo '<meta http-equiv="refresh" content="0; url=index.php?page=login&error=1" />';
        echo "<br>login.php ended";
        echo date('h:i:s');
    }
    else echo '<meta http-equiv="refresh" content="0; url=index.php?page=home" />';
    exit();
    ?>

mysql.php:

    <?php
    $host = "localhost";
    $database = "sasrp";
    $password = "censored";
    $user = "usrsamp";

    if($user == "root")
    {
        die("<strong>Error:</strong> Can't connect to MySQL server.<br/><strong>Reason:</strong> Root logins are not authorised.");
    }

    $connection = mysqli_connect($host, $user, $password, $database)
        or die("<strong>Error:</strong> Can't connect to MySQL server.<br/><strong>Reason:</strong> Login credentials incorrect.");

    ini_set('display_errors', 1);
    error_reporting(E_ALL);

    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    //mysqli_set_charset($connection, "utf8");

    function sanitize($string) // Function to sanitize against XSS, MySQL and CSRF.
    {
        $string = trim($string);
        $string = stripslashes($string);
        $string = htmlspecialchars($string);
        return $string;
    }

    function getusername($sqlid)
    {
        global $connection; // the link opened at file scope above
        $szquery = 'SELECT `username` FROM `accounts` WHERE `id` = '.$sqlid.' LIMIT 1';
        $iresult = mysqli_query($connection, $szquery);
        while($irow = mysqli_fetch_array($iresult))
        {
            echo $irow['username'];
        }
    }

    /*function getip()
    {
        $ip;
        if (getenv("HTTP_CLIENT_IP"))
            $ip = getenv("HTTP_CLIENT_IP");
        else if(getenv("HTTP_X_FORWARDED_FOR"))
            $ip = getenv("HTTP_X_FORWARDED_FOR");
        else if(getenv("REMOTE_ADDR"))
            $ip = getenv("REMOTE_ADDR");
        else
            $ip = "unknown";
        return $ip;
    }*/
    ?>

As you can see, I've heavily debugged the login.php script. Any assistance is appreciated, thanks. Sean McElholm.

First off, the problem line:

echo "<br>mysqli_num_rows($result) == " . mysqli_num_rows($result) . "."; 

Change it to:

echo "<br>mysqli_num_rows(\$result) == " . mysqli_num_rows($result) . "."; 

Now, some complaints:

$szuser = sanitize($_POST['username']); $szpass = sanitize($_POST['password']);

Remember that sanitizing HTML and sanitizing an SQL query are not the same thing, so if you're not simultaneously sanitizing for both (which I doubt), you're opening your site either to XSS/JavaScript injection attacks (if you sanitize for SQL, which I believe is the case) or to SQL injection attacks (if you sanitize for HTML). Also, if I'm guessing right that you sanitize for SQL, are you sure your sanitize function uses the exact same escape rules as your database connection? (This depends on the DB and on the character set of the connection to the DB.) You should use mysqli_real_escape_string and htmlentities, not sanitize() (whatever that is).

echo '<br>username santizied: '.$szuser.'.'; 

should be

echo '<br>username sanitized: '.htmlentities($szuser, ENT_SUBSTITUTE).'.';

Also,

$szuser = sanitize($_POST['username']);

should be

$szuser = mysqli_real_escape_string($connection, $_POST['username']);

Also,

echo '<br>password sanitized & hashed: '.strtoupper(hash("whirlpool", $szpass)).'.';

Plain unsalted hashing with whirlpool is not a secure way to store passwords: it can be brute-forced for weak passwords, or even defeated with lookup tables for strong passwords. Consider using http://php.net/manual/en/function.password-hash.php or a salting scheme.

        echo "<br>username = ".$row["username"]."."; 

Again, you should use htmlentities (unless you store usernames in an HTML-compatible format, which I doubt).

Also, consider using prepared statements and parameterized queries; it's faster and less error-prone than mysqli_real_escape_string (though I won't explain why).
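A login handler that applies the answer's three points together (parameterized queries, password_hash()/password_verify() instead of unsalted whirlpool, and HTML escaping at output time), written as an added example that is neither the poster's nor the answerer's code. It assumes the $connection mysqli link from the poster's mysql.php and an `accounts` table with `id`, `username` and `password` columns, where `password` holds a password_hash() value; the function names h(), register_account() and authenticate() are my own.

```php
<?php
// Added example, not the poster's or the answerer's code. Assumes: $connection is
// the mysqli link opened in the poster's mysql.php, and an `accounts` table with
// columns `id`, `username`, `password`, where `password` holds a password_hash() value.
declare(strict_types=1);

require_once 'mysql.php';

// Make mysqli throw on SQL errors instead of returning false, so a broken query
// fails loudly rather than reaching mysqli_num_rows() with a non-result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();

/** Escape a string for output inside HTML (escape at output time, not at input time). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Store a new account. password_hash() generates and embeds a per-password salt. */
function register_account(mysqli $connection, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $connection->prepare('INSERT INTO `accounts` (`username`, `password`) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Return the account id on success, or null when the username or password is wrong. */
function authenticate(mysqli $connection, string $username, string $password): ?int
{
    // The username travels as a bound parameter: no quoting, no escaping, no injection.
    $stmt = $connection->prepare('SELECT `id`, `password` FROM `accounts` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Verify against a throwaway hash so an unknown username takes about as long
        // as a wrong password; the result is ignored and the answer is still "no".
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    return (int) $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_SESSION['user'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $id = authenticate($connection, $username, $password);
    if ($id !== null) {
        session_regenerate_id(true);   // fresh session id on login, against session fixation
        $_SESSION['user'] = $id;
        header('Location: index.php?page=home');
        exit();
    }
    // One generic failure code: separate codes for "no such user" (error=1) and
    // "wrong password" (error=2), as the original did, reveal which usernames exist.
    echo '<p>Login failed for user ' . h($username) . '.</p>';   // escaped at output
    echo '<meta http-equiv="refresh" content="0; url=index.php?page=login&error=1" />';
    exit();
}
```

Existing accounts that already hold uppercase whirlpool digests cannot be verified by this code directly; the usual migration is to check the old digest once at login and, on success, overwrite the column with password_hash() of the submitted password.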

