0

Been following this tutorial to learn how to create an API for android. Checked my DB_Functions.php file and everything is connecting and running correctly (90% sure). To make sure the post is working correctly I am using a chrome add-on called Postman. This other question I found online was having a similar problem to mine. This is what I inputted/received.
postman response Here is the code 

<?php

/* 
Function tests

require_once 'include/DB_Functions.php';
$db = new DB_Functions();

$insert = $db->storeUser("InsertTest", "[email protected]", "apple");
print_r($insert);

$user = $db->getUserByEmailAndPassword("[email protected]", "apple");
print_r($user);

$exist = $db->isUserExisted("[email protected]");
echo $exist; */

/**
* File to handle all API requests
* Accepts GET and POST
* 
* Each request will be identified by TAG
* Response will be JSON data

/**
* check for POST request 
*/

if (isset($_POST['tag']) && $_POST['tag'] != '') {
$tag = $_POST['tag'];

require_once 'include/DB_Functions.php';
$db = new DB_Functions();
$response = array("tag" => $tag, "error" => FALSE);

// check for tag type
if ($tag == 'login') {
    // Request type is check Login
    $email = $_POST['email'];
    $password = $_POST['password'];

    // check for user
    $user = $db->getUserByEmailAndPassword($email, $password);
    if ($user != false) {
        // user found
        $response["error"] = FALSE;
        $response["uid"] = $user["unique_id"];
        $response["user"]["name"] = $user["name"];
        $response["user"]["email"] = $user["email"];
        $response["user"]["created_at"] = $user["created_at"];
        $response["user"]["updated_at"] = $user["updated_at"];
        echo json_encode($response);
    } else {
        // user not found
        // echo json with error = 1
        $response["error"] = TRUE;
        $response["error_msg"] = "Incorrect email or password!";
        echo json_encode($response);
    }
} else if ($tag == 'register') {
    // Request type is Register new user
    $name = $_POST['name'];
    $email = $_POST['email'];
    $password = $_POST['password'];

    // check if user is already existed
    if ($db->isUserExisted($email)) {
        // user is already existed - error response
        $response["error"] = TRUE;
        $response["error_msg"] = "User already existed";
        echo json_encode($response);
    } else {
        // store user
        $user = $db->storeUser($name, $email, $password);
        if ($user) {
            // user stored successfully
            $response["error"] = FALSE;
            $response["uid"] = $user["unique_id"];
            $response["user"]["name"] = $user["name"];
            $response["user"]["email"] = $user["email"];
            $response["user"]["created_at"] = $user["created_at"];
            $response["user"]["updated_at"] = $user["updated_at"];
            echo json_encode($response);
        } else {
            // user failed to store
            $response["error"] = TRUE;
            $response["error_msg"] = "Error occured in Registartion";
            echo json_encode($response);
        }
    }
} else {
    // user failed to store
    $response["error"] = TRUE;
    $response["error_msg"] = "Unknown 'tag' value. It should be either      'login' or 'register'";
    echo json_encode($response);
}
} else {
$response["error"] = TRUE;
$response["error_msg"] = "Required parameter 'tag' is missing!";
echo json_encode($response);
} 
?>

And the DB_Functions.php code 

<?php

class DB_Functions{

private $db;
public $connection;

function __construct(){
    require_once ('DB_Connect.php');
    $this->db = new DB_Connect();
    $this->connection = $this->db->connect();
}

function __destruct(){

}

public function storeUser($name, $email, $password){
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"];
    $salt = $hash["salt"];
    $sql = "INSERT INTO users(unique_id, name, email, encrypted_password, salt, created_at) 
    VALUES ('$uuid', '$name', '$email', '$encrypted_password', '$salt', NOW())";
    $result = $this->connection->query($sql);

    if($result){
        $uid = mysqli_insert_id($this->connection);
        $sql = "SELECT * FROM users WHERE uid = '" . $uid . "';";
        $result = $this->connection->query($sql);
        return mysqli_fetch_array($result); 
    }else{
        return false;
    }
}

public function getUserByEmailAndPassword($email, $password){
    $sql = "SELECT * FROM users WHERE email = '" . $email . "';";
    $result = $this->connection->query($sql);
    $no_of_rows = mysqli_num_rows($result);

    if($no_of_rows > 0){
        $result = mysqli_fetch_array($result);
        $salt = $result['salt'];
        $encrypted_password = $result['encrypted_password'];
        $hash = $this->checkhashSSHA($salt, $password);

        if($encrypted_password == $hash){
            return $result;
        }
    }else{
        return false;
    }
}

public function isUserExisted($email){
    $sql = "SELECT * FROM users WHERE email = '" . $email . "';";
    $result = $this->connection->query($sql);
    $no_of_rows = mysqli_num_rows($result);

    if($no_of_rows > 0){
        return true;
    }else{
        return false;
    }
}

public function hashSSHA($password){
    $salt = sha1(rand());
    $salt = substr($salt, 0, 10);
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

public function checkhashSSHA($salt, $password){
    $hash = base64_encode(sha1($password . $salt, true) . $salt);
    return $hash;
}

}
?>

Does anyone know why the Post isn't working?

Improve this question
4
  • WARNING: When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you will create severe SQL injection bugs. NEVER put $_POST data directly into a query. Commented Jun 30, 2015 at 17:32
  • Also your screenshot is completely illegible. What are we supposed to take away from that? Commented Jun 30, 2015 at 17:32
  • You really should use PHP's built-in functions to handle password security. Commented Jul 14, 2015 at 16:12
  • Oh I won't be using this. I haven't yet but eventually I'll change it all to PDO. Commented Jul 14, 2015 at 16:33

1 Answer 1

Reset to default
1

you're not doing a real post. It may be using the http POST verb, but you're stuffing your data into the request as headers, which is flat-out wrong. A POST request looks like

header1: value1
header2: value2
...
headerN: valueN

field1=value1&field2=value2&etc....

Since you're not sending a body with your POST, there is NO data for PHP to pick apart and load into $_POST.

And on top of that, you are wide open for sql injection attacks.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I've kinda always took the POST data for granted. Never had to know the exact functioning/format the browser used. Do you have any recommendations on where I can learn more about how to do this properly? Thanks for the feedback

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.