
www.example.com/login.php?Email=test@gmail.comAND?Password=something50

I have a MySQL operation which requires 2 parameters (Email and Password)

$sql = "SELECT * FROM User WHERE ID='".$email."'AND'".$pass."'";

so how do I put those parameters in the link above? It works when I have 1 parameter, but then I don't know how to add the second one.

u_mulder
Viraj Patel
  • Using `&` sign. – u_mulder Apr 09 '18 at 12:46
  • with GET arrays; where are those? – Funk Forty Niner Apr 09 '18 at 12:46
  • 2
    You need to go back to basics here. Firstly, *never* send sensitive data over GET, i.e. as query string arguments. Secondly, your SQL is open to injection attacks, so look into [prepared statements](http://php.net/manual/en/mysqli.prepare.php). – Mitya Apr 09 '18 at 12:46
  • 1
    You should also look here https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – FMK Apr 09 '18 at 12:46
  • 2
    `?Password=something50` gotta love plain text passwords over a (possibly) HTTP protocol, huh? – Funk Forty Niner Apr 09 '18 at 12:47
  • @FunkFortyNiner - come on, he's new to this. Help him out rather than resort to sarcasm. It's easy to mock the inexperienced. – Mitya Apr 09 '18 at 12:49
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 09 '18 at 12:58
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 09 '18 at 12:58
  • Where are you seeing sarcasm @Utkanos? Can you get that from plain text? – Jay Blanchard Apr 09 '18 at 12:59
  • Be very careful when building a request like this because you're open to SQL Injection – B3none Apr 09 '18 at 13:07

1 Answer

First, you have to fix your query string: the ? starts the query string and each additional argument is prefixed with &:

www.example.com/login.php?Email=test@gmail.com&Password=something50

Now all of the variables will be available in the $_GET array:

$_GET['Email']; // is equal to "test@gmail.com"
$_GET['Password']; // is equal to "something50"

You should never concatenate variables in a SQL statement; you should use prepared statements to prevent SQL injection attacks. Here is a MySQLi example where you use the $_GET variable in one of your bound parameters:

$sql = $mysqli->prepare("SELECT * FROM User WHERE ID = ?"); // the ? is a placeholder, not part of the SQL text
$sql->bind_param('s', $_GET['Email']); // here we use the $_GET variable; it is sent separately from the query
$sql->execute();
$result = $sql->get_result(); // fetch rows from $result as usual

Since you should never store plain text passwords you should use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. Also, passing credentials in the query string is easily hackable and should not be done.

Jay Blanchard