Help with PDO from old fashioned mysql_fetch_array

Siggles

Hi,

I used to have this which worked fine (snipped slightly to get rid of the junk)...

 function confirmUserPass($username, $password){
 $q = "SELECT password, userlevel FROM ".TBL_USERS." WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
$dbarray = mysql_fetch_array($result);
	  if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
      }
      else{
         return 2; //Indicates password failure
      }
}

and am now trying this...

$stmt = $this->connection->prepare("SELECT password, userlevel FROM ".TBL_USERS." WHERE username = '$username'");
$stmt->execute();
$stmt->setFetchMode(PDO::FETCH_ASSOC);
$dbarray = $stmt->fetch(); 
....
$dbarray['password'] = stripslashes($dbarray['password']);
if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
      }
      else{
         return 2; //Indicates password failure
      }

This doesnt work, Ive looked over the net, where am I going wrong?

Thank you

johanafm

First off, to gain protection from SQL injection through prepared statements, you need to use bound paramters

$stmt = $this->connection->prepare("SELECT password, userlevel FROM ".TBL_USERS." WHERE username = :username");
# username and :username as array key will both work
$stmt->execute(array('username' => $username);

Next up, you should always check for success / failure (which you should have done in your old solution as well)

$stmt->setFetchMode(PDO::FETCH_ASSOC);
if (!$stmt->execute())
{
	printf('<pre>&#37;s</pre>', print_r($stmt->errorInfo(),1));
}
elseif ($arr = $stmt->fetch())
{
	printf('<pre>%s</pre>', print_r($arr,1));
}

The only thing I see that is different is strip_slashes, which means that if the password contains any slashes, it will not pass your ifcheck.

Have you tried to output the contents of $dbarray?