0

I am developing a simple login script by using PHP and SQL Server 2012 in which I want to validate username , password and my company code ..username and password are stored in same table but company code value is stored inside another table. My company code has some value which is CDSL and I only want those users to login who is writing CDSL in company code field likewise I also want only those users to login whose username and password is stored inside user_master table and in company code I want users to write CDSL but that value is stored inside another table which is company_master in company_master different company codes with company full name is stored in which I only want to take my company code which is CDSL I am sharing few lines of my code too

$uname = $_POST['user']; 
$upassword = $_POST['pass']; 
$company_code =$_POST['pos'];

$res = sqlsrv_query($conn,"select* from user_master where
UM_USERNAME='$uname'and um_pwd='$upassword' ");

UM_USERNAME is a column in which USERNAMES are stored and um_pwd is an column where users passwords are stored but inside this SQL statement I also want to include my company code which is stored inside company_master table and row name is CM_CODE where I wish to select value which is

$sql = "SELECT * FROM company_master where CM_CODE = 'CDSL'";

How can I merge above 2 SQL statements and for company code how can I give value $company_code inside CM_CODE I have already given CM_CODE= 'CDSL'

Dale K
  • 25,246
  • 15
  • 42
  • 71
Priya Tiwari
  • 39
  • 5
  • 1
    Not what you asked, but you appear to be storing passwords in plain text. This is really not a good idea - use `password_hash()` to store, and `password_verify()` to verify, which will mean removing the password check from your query. – droopsnoot Jul 13 '22 at 07:14
  • If your company code is _always_ CDSL, surely you can just verify that in the PHP without needing a query? If you want to just check that they've entered a valid company code, i.e. just one that exists in your company_master table, just check that first, and then check to see that the username and password is valid - I can't see that it benefits much to merge those into a single query. It would do, if your user_master table linked each user to a specific company code - you could check that they've typed the correct one in. Or leave it off the form and retrieve it from the table. – droopsnoot Jul 13 '22 at 07:23
  • Due to Rainbow Table attacks using `password_hash()` isn't much improvement over plaintext passwords. If you absolutely must store passwords in the database the best practice is to salt-and-hash passwords, ensuring that each user gets a unique salt so that Rainbow Table attacks are ineffective. – AlwaysLearning Jul 13 '22 at 07:25
  • @AlwaysLearning inside my database password i have casted my password as . cast(um_pwd as varchar(max)) i know i need to put sqlsrv_real_escape_string before post but it is giving me undefined error thats why I didn't putted it inside my code – Priya Tiwari Jul 13 '22 at 07:29
  • @droopsnoot I thought about the same and inside POST company code i even gave CDSL AS VALUE BUT When i tested my code by using some other value instead of cdsl it didn't gave me any kind of error message – Priya Tiwari Jul 13 '22 at 07:31
  • @PriyaTiwari still you didn't explain why can't you just add a condition if ($company_code === 'CDSL') – Your Common Sense Jul 13 '22 at 07:48
  • @AlwaysLearning you need to make yourself familiar with password_hash() before making such claims. What makes you think it doesn't follow that "best practice" you described? – Your Common Sense Jul 13 '22 at 07:57
  • @YourCommonSense my manager told me to fetch everything from database instead of just hard coding it in php – Priya Tiwari Jul 13 '22 at 08:44
  • **Then** they have to tell you how company_master is related to user_master – Your Common Sense Jul 13 '22 at 08:56
  • @YourCommonSense i have used this if($Company_code==='CDSL'){ echo "valid company code"; } else{ echo "Invalid company code"; } – Priya Tiwari Jul 13 '22 at 08:58
  • Congratulations. – Your Common Sense Jul 13 '22 at 08:59
  • @YourCommonSense I HAVE sorted this company code thing out.. in user_master usernames , password of our and outside organization folks .. those who have access to application made by us are stored while inside company_master everything related to company's details has been stored – Priya Tiwari Jul 13 '22 at 09:00
  • @YourCommonSense can you suggest me any way to make my code secure .. I mean what shall i use before post to make it secure ? – Priya Tiwari Jul 13 '22 at 09:08
  • You need to use prepared statement. here is an example: https://stackoverflow.com/questions/50177094/how-to-use-sqlsrv-prepare-function – Your Common Sense Jul 13 '22 at 09:45

1 Answers1

-1

You can output from several tables using one selection. Like this code:

SELECT * FROM user_master ,company_master
WHERE user_master.UM_USERNAME='$uname'and user_master.um_pwd='$upassword' AND company_master.CM_CODE = '$company_code'

But it's better to work more on improving the code you wrote. Like the security matters that are written in the comments.

Mostafa NZ
  • 382
  • 1
  • 6
  • thanku ..I really appreciate it but i also want it to stored inside $company_code how do i acheive it basically IN CM_CODE I WANT to store $company_code how do i acheive this? – Priya Tiwari Jul 13 '22 at 08:50
  • I don't understand your problem. Use the same method as you used for the username and password. I edited the code – Mostafa NZ Jul 13 '22 at 08:56
  • I wrote in the description: **But it's better to work more on improving the code you wrote. Like the security matters that are written in the comments.** AND The output of this code is correct. It is better for you to run the code once before anything. – Mostafa NZ Jul 13 '22 at 09:00
  • Nope, the output of this code is not correct. – Your Common Sense Jul 13 '22 at 09:12
  • Why is it not true? – Mostafa NZ Jul 13 '22 at 09:14
  • @YourCommonSense [Select from multiple tables without a join](https://stackoverflow.com/a/12095198/19446442) – Mostafa NZ Jul 13 '22 at 09:36