Can you help me convert this function from MySQLi to PDO?

seandisanti
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Sun Apr 21, 2013 11:09 pm

For a single run query, preparing the statement offers no benefit. Untested, but this should work...

Code:

<?php

include 'Database.php';

function login($user, $password) {
    $db = Database::getInstance();
    // quote() escapes the value and wraps it in quotes so it can be concatenated into the SQL
    $sql = "SELECT username, id, email, password, salt FROM members WHERE username = " . $db->quote($user) . " LIMIT 1";
    $result = $db->query($sql);
    if (!$result) {
        return false; // query failed
    }
    $row = $result->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false; // no such user
    }
    $password = hash('sha512', $password . $row['salt']); // hash the password with the unique salt.
    if ($row['password'] == $password) { // Check if the password in the database matches the password the user submitted.
        // Password is correct!
        $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
        $user_id = preg_replace("/[^0-9]+/", "", $row['id']); // XSS protection as we might print this value
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $row['username']); // XSS protection as we might print this value
        $_SESSION['email'] = $row['email'];
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_browser);
        // Login successful.
        return true;
    } else {
        // Password is not correct
        // We record this attempt in the database, quoting each value the same way as above
        $now = time();
        $ip = $_SERVER['REMOTE_ADDR'];
        $db->query("INSERT INTO login_attempts (user_id, email, time, ip) VALUES ("
            . $db->quote($row['id']) . ", " . $db->quote($row['email']) . ", "
            . $db->quote($now) . ", " . $db->quote($ip) . ")");
        return false;
    }
}

and here's the Database.php that I include to use... ***edit*** just supply your db info in place of the constants I use.

Code:

<?php

/*
 * Database class: only one connection is allowed (singleton).
 * DBHOST, DB, DBUSER and DBPASS are constants you define with your own connection details.
 */

class Database extends PDO {

    private static $instance = null;

    public static function getInstance() {
        if (!self::$instance) {
            self::$instance = new self("mysql:host=" . DBHOST . ";dbname=" . DB, DBUSER, DBPASS);
        }
        return self::$instance;
    }

    /*
     * empty clone magic method to prevent duplication
     */
    private function __clone() {

    }

}

seandisanti

Mon Apr 22, 2013 10:07 am

For a single-use query like a login, a prepared statement is not the way to go; it offers no advantage but suffers from greater overhead and slower performance. For usage of PDO::prepare() check out http://php.net/manual/en/pdo.prepare.php. There are examples and documentation there.
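For reference, the same login written with the PDO::prepare() and bound parameters that the linked manual page documents, as an added example that is not from the thread. The in-memory SQLite database, the members/login_attempts schema, the constructed member row and the function name loginPrepared are assumptions made so it runs stand-alone; the sha512-over-password-plus-salt scheme is kept from the posted code.

```php
<?php
// Added example (not from the thread): login with PDO::prepare() and bound parameters.
// Runs against an in-memory SQLite database; schema and member row are constructed for the demo.

function loginPrepared(PDO $db, string $user, string $password, string $ip, string $agent): bool {
    // The user-supplied name never becomes part of the SQL text; it is sent as a parameter.
    $stmt = $db->prepare('SELECT id, username, email, password, salt FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same outcome as a wrong password, nothing extra revealed
    }
    // Hashing scheme kept from the thread (sha512 over password . salt).
    $hashed = hash('sha512', $password . $row['salt']);
    if (hash_equals($row['password'], $hashed)) { // constant-time comparison of the two hashes
        $_SESSION['user_id'] = (int) $row['id'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['email'] = $row['email'];
        $_SESSION['login_string'] = hash('sha512', $hashed . $ip . $agent);
        return true;
    }
    // Failed attempt: the INSERT is parameterised too, so $ip is stored as plain data.
    $ins = $db->prepare('INSERT INTO login_attempts (user_id, email, time, ip) VALUES (:id, :email, :t, :ip)');
    $ins->execute([':id' => $row['id'], ':email' => $row['email'], ':t' => time(), ':ip' => $ip]);
    return false;
}

// --- self-contained demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT, salt TEXT)');
$db->exec('CREATE TABLE login_attempts (user_id INTEGER, email TEXT, time INTEGER, ip TEXT)');
$salt = bin2hex(random_bytes(16));
$db->prepare('INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)')
   ->execute(['alice', 'alice@example.com', hash('sha512', 'correct horse' . $salt), $salt]);

$_SESSION = []; // stand-in for session_start() when run from the CLI
var_dump(loginPrepared($db, 'alice', 'correct horse', '127.0.0.1', 'demo-agent')); // right password
var_dump(loginPrepared($db, 'alice', 'wrong', '127.0.0.1', 'demo-agent'));         // wrong password
// A username containing a quote is simply a name that does not exist, not SQL.
var_dump(loginPrepared($db, "o'brien", 'x', '127.0.0.1', 'demo-agent'));
var_dump($db->query('SELECT COUNT(*) FROM login_attempts')->fetchColumn());      // failures recorded
```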
