The most simple DB query fails to execute

The most simple DB query fails to execute - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: The most simple DB query fails to execute (/showthread.php?tid=32358)

The most simple DB query fails to execute - El Forum - 07-21-2010

[eluser]smilie[/eluser]
Hi all,

I am banging my head for a couple of hours over this and I just can not see the solution Sad

Following code:

Code:
$this->load->database('db1');

$query = "SELECT user_id,user_name,user_lastname,user_username FROM user WHERE user_username = '".$username."' AND user_password = '".$password."'";

$do = $this->db->query($query);

print_r($do);

As simple as it can be, query returns no results at all:

Code:
CI_DB_mysql_result Object ( [conn_id] => Resource id #30 [result_id] => Resource id #38 [result_array] => Array ( ) [result_object] => Array ( ) [current_row] => 0 [num_rows] => 0 [row_data] => )

Query itself is OK, when I print query and paste it in PHPMyAdmin it gives results back.

I have 2 databases configured in database.php (config); each has its own and unique group. In the code above I am initiating group 'db1'.

But I am really stuck why this code does not return anything. I have also tried with Active Record Class - but no results Sad

What the $@$% am I doing wrong here? Sad

Thanks!
Smilie

The most simple DB query fails to execute - El Forum - 07-21-2010

[eluser]smilie[/eluser]
Zomg, somebody shoot me Sad

Had wrong database name all the time in the config...

Please - do ignore this ridiculous post here...

@admins - feel free to delete this thread.

The most simple DB query fails to execute - El Forum - 07-21-2010

[eluser]KingSkippus[/eluser]
Don't worry about it, we've all banged our heads over something like that before.

I will suggest, however, that this would be safer (correcting the name of the table, of course):

Code:
$query = "SELECT user_id,user_name,user_lastname,user_username '.

    'FROM user WHERE user_username = ? AND user_password = ?';

$do = $this->db->query($query, array($username, $password));

And the security-conscious part of me is also bristling, wondering if you are storing passwords in cleartext in the database. If so, I highly suggest encrypting them in some way. For example, when you store the password, store it using hash('sha256', $password) instead of just $password, and use the following query instead of the above one:

Code:
$query = "SELECT user_id,user_name,user_lastname,user_username '.

    'FROM user WHERE user_username = ? AND user_password = ?';

$do = $this->db->query($query, array($username, hash('sha256', $password)));

It's really easy and your users will probably appreciate you taking that extra little step to protect them in case your database gets compromised.

This is especially important if you are using a database server other than localhost; anyone with a sniffer on any switch or router between your web server and database server would be able to yank passwords right off the wire. Also, if you want to be even a little more security-conscious, salt the password so that if someone compromises your server and obtains your database, they can't use so-called "rainbow tables" to discover a big chunk of passwords. To do that, store, for example, a random sixteen-character string as a field called "salt," store passwords as hash('sha256', $salt.$password) instead of just $password, and use the following query:

Code:
$query = "SELECT user_id,user_name,user_lastname,user_username '.

    'FROM user WHERE user_username = ? AND user_password = ?';

$do = $this->db->query($query, array($username, hash('sha256', $salt.$password));

The most simple DB query fails to execute - El Forum - 07-21-2010

[eluser]smilie[/eluser]
Hi KingSkippus,

Ah well, it was a 'simple' mistake indeed :-)

Regarding your tips;
I store passwords always as MD5. Pure to keep overview of the code, I always prepare all variables before using them in query's / functions.

$password is therefore already gone through MD5.

I am still learning CI's form validations / preparation to see if and what of those I could effectively use.

Nevertheless - thank you for a good tip!

Regards,
Smilie