I can't fathom where I went wrong on this instruction. I keep getting the warning that number of elements does not match the bind value.
I'm trying to validate a field for country where users can select the country they are registering from but whenever I run a test on xampp I get the warning whilst the information aren't sent to the database.
I'm not sure if my code is liable to sql injections since I'm new to php and mysql. If i remove the country function the form works properly. I think the error is from the html form so I'd rather not uploaded it here.
Here's the php code.
<?php
// Include config file
require_once "db.php";
// Define variables and initialize with empty values
$username = $password = $confirm_password = $country = "";
$username_err = $password_err = $confirm_password_err = $country_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
if(empty(trim($_POST["username"]))){
$username_err = "Please enter a username.";
} else{
// Prepare a select statement
$sql = "SELECT id FROM users WHERE username = ?";
if($stmt = mysqli_prepare($db, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = trim($_POST["username"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$username_err = "This username is already taken.";
} else{
$username = trim($_POST["username"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
// Close statement
mysqli_stmt_close($stmt);
}
}
// Validate password
if(empty(trim($_POST["password"]))){
$password_err = "Please enter a password.";
} elseif(strlen(trim($_POST["password"])) < 6){
$password_err = "Password must have atleast 6 characters.";
} else{
$password = trim($_POST["password"]);
}
// Validate confirm password
if(empty(trim($_POST["confirm_password"]))){
$confirm_password_err = "Please confirm password.";
} else{
$confirm_password = trim($_POST["confirm_password"]);
if(empty($password_err) && ($password != $confirm_password)){
$confirm_password_err = "Password did not match.";
}
}
// Validate Country
if(empty(trim($_POST["country"]))){
$country_err = "Please Choose a Country.";
}
else{
$country = trim($_POST["country"]);
}
// Check input errors before inserting in database
if(empty($username_err) && empty($password_err) && empty($confirm_password_err)){
// Prepare an insert statement
$sql = "INSERT INTO users (username, password, country) VALUES (?, ?, ?)";
if($stmt = mysqli_prepare($db, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ss", $param_username, $param_password, $param_country);
// Set parameters
$param_country = $country;
$param_username = $username;
$param_password = password_hash($password, PASSWORD_DEFAULT); // Creates a password hash
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Redirect to login page
header("location: login.php");
} else{
echo "Something went wrong. Please try again later.";
}
// Close statement
mysqli_stmt_close($stmt);
}
}
// Close connection
mysqli_close($db);
}
?>.`
I can see a couple of things:
Your check for input errors does not check if "country_err" is empty.
Your mysqli_stmt_bind_param only defines types for 2 fields, "ss", but you are passing in 3 fields so it should be "sss"
Related
I'm using PHP to insert data into MySQL DB and all the data shows blank and gives no errors. I'm new to coding and trying to teach myself the basics.
<?php
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$user_name = $user_email = $user_password = $confirm_user_password = "";
$user_name_err = $user_email_err = $user_password_err = $confirm_user_password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
if(empty(trim($_POST["user_name"]))){
$user_name_err = "Please enter a user name";
} else{
// Prepare a select statement
$sql = "SELECT id FROM users WHERE user_name = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_user_name);
// Set parameters
$param_user_name = trim($_POST["user_name"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$user_name_err = "This username is already taken.";
} else{
$user_name = trim($_POST["user_name"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Validate email
if(empty(trim($_POST["user_email"]))){
$user_email_err = "Please enter a email.";
} else{
// Prepare a select statement
$sql = "SELECT id FROM users WHERE user_email = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_user_email);
// Set parameters
$param_user_email = trim($_POST["user_email"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$user_email_err = "This useremail is already taken.";
} else{
$user_email = trim($_POST["user_email"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Validate password
if(empty(trim($_POST["user_password"]))){
$user_password_err = "Please enter a password";
} elseif(strlen(trim($_POST["user_password"])) < 6){
$user_password_err = "Password must have atleast 6 characters.";
} else{
$user_password = trim($_POST["user_password"]);
}
// Validate confirm password
if(empty(trim($_POST["confirm_user_password"]))){
$confirm_user_password_err = "Please confirm user password.";
} else{
$confirm_user_password = trim($_POST["confirm_user_password"]);
if(empty($user_password_err) && ($user_password != $confirm_user_password)){
$confirm_user_password_err = "Password did not match.";
}
}
// Check input errors before inserting in database
if(empty($user_name_err) && empty($user_password_err) && empty($user_email_err) && empty($confirm_user_password_err)){
// Prepare an insert statement
$sql = "INSERT INTO users (user_name, user_email, user_password) VALUES (?, ?, ?)";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "sss", $param_user_name, $param_user_password, $param_user_email);
// Set parameters
$param_user_name = $user_name;
$param_user_password = password_hash($user_password, PASSWORD_DEFAULT); // Creates a password hash
$param_user_email = $user_email;
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Redirect to login page
header("location: logInPage.php");
} else{
echo "Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
When I just insert the username and password into my sql database, everything is okay but I get FALSE value when I try to add user's full name and company. I am not sure whether the way I bind variables to the prepared statement as parameters is correct or not. Can anyone please help me have a look on my code ? Thanks in advance!
<?php
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$username = $full_name = $company = $password = $confirm_password = "";
$username_err = $full_name_err = $company_err =$password_err = $confirm_password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
if(empty(trim($_POST["username"]))){
$username_err = "Please enter a username.";
} else{
// Prepare a select statement
$sql = "SELECT id FROM users WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = trim($_POST["username"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$username_err = "This username is already taken.";
} else{
$username = trim($_POST["username"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Validate full name
if(empty(trim($_POST["full_name"]))){
$full_name_err = "Please enter your full name.";
} else{
// Prepare a select statement
$sql = "SELECT id FROM users WHERE full_name = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_full_name);
// Set parameters
$param_full_name = trim($_POST["full_name"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$full_name_err = "The name is already taken.";
} else{
$full_name = trim($_POST["full_name"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Validate company
if(empty(trim($_POST["company"]))){
$company_err = "Please enter your company.";
} else{ $company = trim($_POST["company"]);}
// Validate password
if(empty(trim($_POST["password"]))){
$password_err = "Please enter a password.";
} elseif(strlen(trim($_POST["password"])) < 2){
$password_err = "Password must have atleast 6 characters.";
} else{
$password = trim($_POST["password"]);
}
// Validate confirm password
if(empty(trim($_POST["confirm_password"]))){
$confirm_password_err = "Please confirm password.";
} else{
$confirm_password = trim($_POST["confirm_password"]);
if(empty($password_err) && ($password != $confirm_password)){
$confirm_password_err = "Password did not match.";
}
}
// Check input errors before inserting in database
if(empty($username_err) && empty($password_err) && empty($confirm_password_err)&& empty($full_name_err)&& empty($company_err)){
// Prepare an insert statement
$sql = "INSERT INTO users (username,full_name, company, password) VALUES (?,?,?,?)";
if($stmt = mysqli_prepare($link, $sql)){
// Set parameters
$param_username = $username;
$param_full_name = $full_name;
$param_company = $company;
$param_password = password_hash($password, PASSWORD_DEFAULT); // Creates a password hash
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ssss", $param_username,$param_full_name,$param_company, $param_password);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Redirect to login page
header("location: login.php");
} else{
echo "Something went wrong. Please try again later.";
}
// Close statement
mysqli_stmt_close($stmt);
}
}
// Close connection
mysqli_close($link);
}
?>
I am creating a code that the user will redirect depends on their user type
I've tried if,else statement but there's some errors
"mysqli_stmt_bind_param(): Number of elements in type definition string doesn't match number of bind variables"
<?php
// Initialize the session
session_start();
// Include config file
require_once "config.php";
// Check if the user is already logged in, if yes then redirect him to
welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
if($_SESSION["userType"] == "administrator"){
header("location: index.php");
exit;
}else($_SESSION["userType"] == "user"){
header("location: userpage.php");
exit;
}
}
// Define variables and initialize with empty values
$username = $password = $userType = "";
$username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if username is empty
if(empty(trim($_POST["username"]))){
$username_err = "Please enter username.";
} else{
$username = trim($_POST["username"]);
}
// Check if password is empty
if(empty(trim($_POST["password"]))){
$password_err = "Please enter your password.";
} else{
$password = trim($_POST["password"]);
}
// Validate credentials
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT * FROM users WHERE username = ? and userType = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ss", $param_username);
// Set parameters
$param_username = $username;
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result variables
mysqli_stmt_bind_result($stmt, $id, $username,
$hashed_password, $userType);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)){
// Password is correct, so start a new session
session_start();
// Store data in session variables
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["username"] = $username;
$_SESSION["userType"] = $userType;
} else{
// Display an error message if password is not valid
$password_err = "The password you entered was incorrect.";
}
}
}else{
// Display an error message if username doesn't exist
$username_err = "No account found with that username.";
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
I'd like to see how to redirect the users depending on their user types.
You missed one argument on mysqli_stmt_bind_param()
So your code should be:
mysqli_stmt_bind_result($stmt, 'ss', $param_username, $user_type);
See https://www.php.net/manual/en/mysqli-stmt.bind-param.php
Why do I seem to receive my echo statement "error" when submitting this form?
I got this code from https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php for register.php.
It was working fine for my users up till yesterday and can't seem to find why?
I thought maybe it was my config.php but it does print the error message if a username is already in use so it doesn't seem to be config.php. I messaged the website that I got the code from and they couldn't help me.
<?php
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$username = $password = $confirm_password = "";
$username_err = $password_err = $confirm_password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
if(empty(trim($_POST["username"]))){
$username_err = "Please enter a username.";
} else{
// Prepare a select statement
$sql = "SELECT id FROM sign_in_account WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = trim($_POST["username"]);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
/* store result */
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt) == 1){
$username_err = "This username is already taken.";
} else{
$username = trim($_POST["username"]);
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Validate password
if(empty(trim($_POST["password"]))){
$password_err = "Please enter a password.";
} elseif(strlen(trim($_POST["password"])) < 6){
$password_err = "Password must have atleast 6 characters.";
} else{
$password = trim($_POST["password"]);
}
// Validate confirm password
if(empty(trim($_POST["confirm_password"]))){
$confirm_password_err = "Please confirm password.";
} else{
$confirm_password = trim($_POST["confirm_password"]);
if(empty($password_err) && ($password != $confirm_password)){
$confirm_password_err = "Password did not match.";
}
}
// Check input errors before inserting in database
if(empty($username_err) && empty($password_err) && empty($confirm_password_err)){
// Prepare an insert statement
$sql = "INSERT INTO sign_in_account (username, password) VALUES (?, ?)";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ss", $param_username, $param_password);
// Set parameters
$param_username = $username;
$param_password = password_hash($password, PASSWORD_DEFAULT); // Creates a password hash
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Redirect to login page
header("location: login.php");
} else{
echo "Something went wrong. Please try again later. error: 1";//Error 1 = form submission
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
The output should go to my login.php page on successful result submission but prints my echo statement "echo "Something went wrong. Please try again later. error: 1";"
This question already has an answer here:
Mysql update query with prepared statement is giving error
(1 answer)
Closed 5 years ago.
Warning: mysqli_stmt_bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\xampp\htdocs\Latihan\login.php on line 33
<?php require_once 'connect.php';
$username = $password = "";
$username_err = $password_err = "";
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if username is empty
if(empty(trim($_POST["username"]))){
$username_err = 'Please enter username.';
} else{
$username = trim($_POST["username"]);
}
// Check if password is empty
if(empty(trim($_POST['password']))){
$password_err = 'Please enter your password.';
} else{
$password = trim($_POST['password']);
}
// Validate credentials
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT username,password FROM users WHERE username = '".$_POST['username']."'";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
33. mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = $username;
//$param_password = password_hash($password, PASSWORD_DEFAULT);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result variables
mysqli_stmt_bind_result($stmt, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)){
/* Password is correct, so start a new session and
save the username to the session */
session_start();
$_SESSION['username'] = $username;
header("location: welcome.php");
} else{
// Display an error message if password is not valid
$password_err = 'The password you entered was not valid.';
}
}
} else{
// Display an error message if username doesn't exist
$username_err = 'No account found with that username.';
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
//mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
When you use mysqli_stmt_bind_param(), you need to have ? placeholders in the query that will be replaced with the parameters. This is done instead of concatenating the variable directly into the query string.
The error means that the number of parameters in your mysqli_stmt_bind_param() call doesn't match the number of ? in the SQL.
So take the variable out of $sql and put ? there.
$sql = "SELECT username,password FROM users WHERE username = ?";