I have a Slim API and I need to write a function that validates a username/password. The request is a POST, and I would like to insert the username from the posted credentials into the SQL query. I know how to do this with GET, but here I'm using POST. How can I do that?
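/**
 * Draft login handler: reads the posted JSON credentials and looks the user up.
 *
 * Only the lookup is implemented; the password check and session handling are
 * still listed as TODO comments at the end of the body.
 *
 * @param object $req  Request object; only getBody() is used here.
 * @param object $resp Response object (not used in this draft).
 * @param array  $args Route arguments (not used in this draft).
 */
function authenticate($req, $resp, $args) {
    // json_decode() without the assoc flag yields an object, so the fields are
    // read as $credentials->username / $credentials->password (null on bad JSON).
    $credentials = json_decode($req->getBody());

    // NOTE(review): the quoted text is a placeholder. The username is client-controlled,
    // so it must reach the query as a bound parameter (prepare() + execute()),
    // never by concatenating it into this string.
    $sql = "SELECT * FROM ict_users WHERE usr_username = 'Insert the username here'";

    try {
        $db = DB_Connection(); // presumably returns a PDO handle; defined elsewhere
        $stmt = $db->query($sql);
        $password = $stmt->fetchAll(PDO::FETCH_OBJ);
        $db = null;
    } catch(PDOException $e) {
        // Keep driver/schema details in the server log rather than in the response,
        // and let json_encode() build the body: the hand-concatenated version put the
        // message in unquoted, which is not valid JSON.
        error_log($e->getMessage());
        echo json_encode(['error' => ['text' => 'Internal server error']]);
        return; // $password is undefined past this point
    }

    //check if the two password fits (use the password var)
    //create a session_key
    //Store the session_key in the DB
    //return the session_key
}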
I call this function from an AngularJS service with:
// Sends `credentials` as the POST body to the /authenticate route. AngularJS's $http
// serialises a plain object to JSON by default, which is why the server side reads it
// with json_decode() on the request body rather than from form fields.
// NOTE(review): the body carries the plaintext password; confirm appConfig.apiURL is an https:// URL.
$http.post(appConfig.apiURL + '/authenticate', credentials)
I figured it out:
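/**
 * Check a posted username/password pair against the stored password hash.
 *
 * Echoes a JSON body: {"error":"login_success"} when the password verifies,
 * {"error":"login_failed"} in every other credential case, and a generic
 * {"error":{"text":...}} object when the database call fails.
 *
 * @param object $req  Request object; only getBody() is used here.
 * @param object $resp Response object (not used).
 * @param array  $args Route arguments (not used).
 */
function authenticate($req, $resp, $args) {
    $credentials = json_decode($req->getBody());

    // The body is attacker-controlled: refuse anything that is not a JSON object
    // with string username/password before it gets near the database.
    if (!is_object($credentials)
        || !isset($credentials->username, $credentials->password)
        || !is_string($credentials->username)
        || !is_string($credentials->password)
    ) {
        echo '{"error":"login_failed"}';
        return;
    }

    // Bind the username instead of concatenating it: with a placeholder the value
    // is sent as data and cannot change the structure of the statement.
    $sql = "SELECT usr_password FROM ict_users WHERE usr_username = ?";

    try {
        $db = DB_Connection(); // presumably returns a PDO handle; defined elsewhere
        $stmt = $db->prepare($sql);
        $stmt->execute([$credentials->username]);
        $password = $stmt->fetchAll(PDO::FETCH_OBJ);
        $db = null;
    } catch(PDOException $e) {
        // Driver messages can expose table/column names; log them server-side and
        // return a fixed text. json_encode() also fixes the unquoted (invalid) JSON
        // the hand-built string produced.
        error_log($e->getMessage());
        echo json_encode(['error' => ['text' => 'Internal server error']]);
        return;
    }

    // Unknown user and wrong password get the same response body, so the reply
    // does not reveal which usernames exist.
    // NOTE(review): an unknown user still skips password_verify(), so response time
    // may differ between the two cases.
    if (!empty($password) && password_verify($credentials->password, $password[0]->usr_password)) {
        echo '{"error":"login_success"}';
    } else {
        echo '{"error":"login_failed"}';
    }
}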
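/**
 * Look up the posted username with a prepared statement (login handler sketch).
 *
 * The password check and session handling remain as TODO comments at the end.
 *
 * @param object $req  Request object; only getBody() is used here.
 * @param object $resp Response object (not used in this sketch).
 * @param array  $args Route arguments (not used in this sketch).
 */
function authenticate($req, $resp, $args) {
    // json_decode() without the assoc flag returns an object, so the field is
    // $credentials->username; array syntax on that object would raise an Error.
    $credentials = json_decode($req->getBody());

    // Reject a missing, non-object or non-string username before querying.
    if (!is_object($credentials)
        || !isset($credentials->username)
        || !is_string($credentials->username)
    ) {
        echo '{"error":"login_failed"}';
        return;
    }

    // The ? placeholder keeps the client-supplied username out of the SQL text.
    $sql = "SELECT * FROM ict_users WHERE usr_username = ?";

    try {
        $db = DB_Connection(); // presumably returns a PDO handle; defined elsewhere
        $stmt = $db->prepare($sql);
        $stmt->execute([$credentials->username]);
        $password = $stmt->fetchAll(PDO::FETCH_OBJ);
        $db = null;
    } catch(PDOException $e) {
        // Log the driver message server-side; the response gets a fixed text, built
        // with json_encode() so it is valid JSON.
        error_log($e->getMessage());
        echo json_encode(['error' => ['text' => 'Internal server error']]);
        return; // $password is undefined past this point
    }

    //check if the two password fits (use the password var)
    //create a session_key
    //Store the session_key in the DB
    //return the session_key
}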
Something like this.