Is there a correct way of using $stmt->close(); - php

I have numerous statements on my website and I was wondering when and how you use $stmt->close(); correctly. Would it open vulnerabilities by leaving it open?
In this example, would the correct place to close the statement be line 23?
// First, check if the email and code exists
if (isset($_GET['email'], $_GET['code'])) {
if ($stmt = $con->prepare('SELECT * FROM accounts WHERE email = ? AND activation_code = ?')) {
$stmt->bind_param('ss', $_GET['email'], $_GET['code']);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
// Account exists with the requested email and code
if ($stmt = $con->prepare('UPDATE accounts SET activation_code = ? WHERE email = ? AND activation_code = ?')) {
// Set the new activation code to 'activated', this is how we can check if the user has activated their account
$newcode = 'activated';
$stmt->bind_param('sss', $newcode, $_GET['email'], $_GET['code']);
$stmt->execute();
header('Location: messages.php?message=activated');
exit;
}
} else {
header('Location: messages.php?message=activated-error');
exit;
}
}
}
There are two statements here, would I close both? Or do I just close them both at the bottom? Also, as I am using header('Location:') does the $stmt->close(); actually get executed?


You do not need to use $stmt->close(); at all. You almost never need to close anything manually in PHP. PHP will close it for you once it is no longer needed. If you structure your code properly, PHP will close everything for you when it is most optimal.
Using header('Location:') doesn't affect mysqli objects. When you exit the code, the whole script stops and that is when PHP will close everything if it hasn't been closed yet.
You really should use some encapsulation. Don't use mysqli methods directly. Create some function or class which will abstract from this interface and it will be easier for you to use it. If you do it properly, then you do not need to worry at all about closing the objects.

Related

Why does the user input not append to my SQL database?

I'm developing a login/register form for my client. Right now I am working on the registration part of the form however I seem to have encountered an issue.
I am trying to append the user's input to a database if it does not currently exist. I'm developing this functionality using PHP version 7. However, the code does not seem to append the data to the database even when telling me it has done so successfully.
Here is code:
<?php
if($_SERVER["REQUEST_METHOD"] == "POST") {
//define variables and set values to null
$email = $code = "";
//set variable values to HTML input
$email = $_POST['email'];
$code = $_POST['code'];
//check if email exists
$stmt = $conn->prepare("SELECT userEmail FROM userDetails WHERE userEmail=?");
$stmt->bind_param("s", $prepemail);
//set parameters and execute
$prepemail = $email;
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
echo "email exists";
return false;
} else {
//$stmt->close(); removed as per #Akintunde-Rotimi's suggestion
//insert email into database
$stmt = $conn->prepare("INSERT INTO userDetails (userEmail) VALUES (?)");
$stmt->bind_param("s", $newemail);
//set parameters and execute
$newemail = $email;
$stmt->execute();
echo "New records created successfully";
}
}
?>
The code successfully connects to the database and even tells me if the user already exists. It just doesn't add the user's email to the database and I can't seem to figure out why.
I have researched methods on how to insert the data into the database using prepared statements as I have done here. I've used W3Schools as a reference but still no luck.

The code doesn't seem to have any obvious spelling errors, so have you tried to catch errors? Replace
$stmt->execute();
with
if(!$stmt->execute()) {
trigger_error("there was an error....".$conn->error, E_USER_WARNING);
}
You can also check how many rows are affected, -1 meaning there was an error.
printf("%d Zeile eingefügt.\n", $stmt->affected_rows);
Also, enabling more errors to be shown (at least for development)
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// ...

Why is my sql prepared statement not giving correct responses?

I'm trying to create a login account system for my website and when a user registers, I check if there is already an account in the database. I created a function called 'check_user_exists' and here is the code for that
function check_account_exists($username, $conn){
if($stmt = $conn->prepare("SELECT * FROM users WHERE username=?")){
$stmt->bind_param('s', $username);
$stmt->execute();
echo $stmt->num_rows;
if($stmt->num_rows == 1){
return true;
}else{
return false;
}
}else{
//couldn't prepare statement
return false;
}
}
However when I go run this it returns false every time even when I know that a value in the database already exists. I haven't had any MySQL errors before this but I checked the error log and it doesn't show any errors. I added echo stmt->num_rows; but it always outputs 0. What is the matter?

Ok turns out I need to use $stmt->store_result(); after $stmt->execute(); That was preventing correct responses.

prevent sql injection in mysqli [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 3 years ago.
I am very new to mysqli earlier i am writing queries in mysql but mysqli is more advanced so, i am first time using it.
Below is my php code.
function clean($str) {
$str = #trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
$email = clean($_POST['email']);
$password = clean($_POST['password']);
//$password =md5($password);
if(empty($res['errors'])) {
$result = $mysqli->query("SELECT uid FROM users where email='$email' and password = '$password'");
if($result->num_rows == 1){
$res['success'] = true;
}
else{
array_push($res['errors'], 'Invalid login details');
$res['success'] = false;
}
}else{
$res['success'] = false;
}
echo json_encode($res);
}
clean function is not working as expected because sql queries return false if i enter username and password correct.
So, it seems like this is not valid in mysqli case.
I checked this link PHP MySQLI Prevent SQL Injection and got to know that we have to prepare query.
I can see there is an example but i am not able to understand how to prepare/bind if i have to use two or more form data.
Thanks for your time.
Updated code
$result = $mysqli->prepare("SELECT uid FROM users where email=:email and password = :password");
$result->execute([
':email' => $email,
':password' => $password]);
//$result->execute();
if($result->num_rows == 1){
//if(mysqli_num_rows($result) === 1) {
$res['success'] = true;
}
else{
array_push($res['errors'], 'Invalid login details');
$res['success'] = false;
}

As already stated in comments, you need to be consistent with your API choice. You can't mix APIs in PHP.
You started out with mysqli_*, so I'll continue with that. You had some mysql_* and PDO in there, and it might not be a bad idea to use PDO over mysqli_* - but if your server supports mysqli_*, there is nothing wrong with using that. See Choosing an API and decide for yourself (just stay away from mysql_*, it's outdated).
Using mysqli_*, you connect to the database like this (you didn't show your connection).
$mysqli = new mysqli("host", "username", "password", "database");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (".$mysqli->connect_errno.") ".$mysqli->connect_error;
}
$mysqli->set_charset("utf8");
As for preventing SQL injection in it self, all you need is to use prepared statements. You can still clean or sanitize your data if there are some kind of values you don't want sitting in your tables - but that's kind of another discussion.
You also need to know if your passwords are hashed in the database. They really should be, and you should be using password_hash($password, $algorithm) and password_verify($password, $hash) if you're on PHP5.5 and above (if not, look into something like password_compat).
You need to be consistent with your hashes too, you can't insert it with md5 and selecting it with no hash. It all needs to be the same. Because if you are selecting an md5 hash, and comparing it to an unhashed string, they will be different, and the query fails.
I'm showing you an example of using password_verify(), so that means that the password stored in the database will also need to be stored with password_hash() (or your query fails).
if ($stmt = $mysqli->prepare("SELECT uid, password FROM users where email=?")) {
$stmt->bind_param("s", $_POST['email']); // Bind variable to the placeholder
$stmt->execute(); // Execute query
$stmt->bind_result($userID, $password); // Set the selected columns into the variables
$stmt->fetch(); // ...and fetch it
if ($stmt->num_rows) {
if (password_verify($_POST['password'], $password)) {
// Password was correct and matched the email!
} else {
// Password was incorrect...
}
} else {
// Accountname not found
}
}
This is just a basic example, but it will get you started. Never trust user input, use prepared statements.

You can bind more variables like so:
$stmt = $mysqli->prepare("SELECT uid FROM users where email= ? and password = ?");
$stmt->bind_param('ss', $email, $password);
/* execute prepared statement */
$stmt->execute();
As you can see, you can expand on the bind_param() function. You can also add different type of variables:
i corresponding variable has type integer
d corresponding variable has type double
s corresponding variable has type string
b corresponding variable is a blob and will be sent in packets
From: http://php.net/manual/en/mysqli-stmt.bind-param.php

First of all, I suggest you learn PDO instead of MySQLi, just because it supports more drivers.
Second, you use mysql_real_escape_string, as you might see, that is a MySQL function, not a MySQLi function.
So where you have:
$result = $mysqli->query("SELECT uid FROM users where email='$email' and password = '$password'");
You should do something like:
<?php
$stmt = $dbConnection->prepare("SELECT uid FROM users where email = :email AND password = :password");
try{
$stmt->execute([
':email' => $email,
':password' => $password
]);
}
catch(Exception $e){
echo $e->getMessage(); //Remove when putting online
}
if($stmt->num_rows){
$res['success'] = true;
}
?>

You're presently mixing MySQL APIs/functions with mysql_real_escape_string(), then num_rows and then a PDO binding method where email=:email and password = :password which seems to have been taken from another answer given for your question.
Those different functions do NOT intermix.
You must use the same one from connection to querying.
Consult: Can I mix MySQL APIs in PHP?
It looks like you're wanting to setup a login script. I suggest you use the following and pulled from one of ircmaxell's answers:
Pulled from https://stackoverflow.com/a/29778421/
Just use a library. Seriously. They exist for a reason.
PHP 5.5+: use password_hash()
PHP 5.3.7+: use password-compat (a compatibility pack for above)
All others: use phpass
Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.
$dbh = new PDO(...);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
And on login:
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
It's safer and uses a safe password hashing method, rather than what you seem to want to use is MD5 $password =md5($password); and is no longer considered safe to use now.
References:
PDO connection http://php.net/manual/en/pdo.connections.php
PDO error handling http://php.net/manual/en/pdo.error-handling.php
To check if a user exists, you can see one of my answers https://stackoverflow.com/a/22253579/1415724
http://php.net/manual/en/mysqli.error.php
http://php.net/manual/en/function.error-reporting.php
Sidenote: If you do go that route, remember to read the manuals and that your password column is long enough to hold the hash. Minimum length is 60, but they recommend 255.
It is also unclear if your HTML form does have name attributes for the POST arrays, so make sure the form is using a POST method.
http://php.net/manual/en/tutorial.forms.php
I believe I have given you enough information to get started.
What you must NOT do, is to use the above with your present code and simply patching it. You need to start over.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Displaying errors should only be done in staging, and never production.

Warning: mysqli_stmt::close(): Couldn't fetch mysqli_stmt in X on line Y

I'm pretty new to php coding and managed to resolve a lot of problems myself, but there is 1 I can't get my head around.
$prep_stmt = "SELECT id FROM members WHERE Email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing Email
if ($stmt) {
$stmt->bind_param('s', $Email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this Email address already exists
$error_msg .= '<p class="error">A user with this Email address already exists.</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error Line 39</p>';
$stmt->close();
}
My guess is that the code can't get to the 2nd $stmt->close(); in the above code (the one after the if inside the if).
How can I resolve this problem? Is that $stmt->close(); really needed?

Why you don't just remove the first one (in the second if statement)? Also remove the close() in your else statement because you checked if $stmt is a legal object. Basically what you say is: $stmt isn't a legal object, close it. But close what?
This will work in both situations:
$prep_stmt = "SELECT id FROM members WHERE Email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing Email
if ($stmt) {
$stmt->bind_param('s', $Email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this Email address already exists
$error_msg .= '<p class="error">A user with this Email address already exists.</p>';
//Remove this one: $stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error Line 39</p>';
//This one can be removed because $stmt isn't a legal object: $stmt->close();
}

Just remove the if statements and the close() method calls. Why have you added that to your code?
Th reason why you are getting this error is because you try to close a statement when its creation failed. You can't close an object which was never created. If prepare() call fails and you have your error reporting silenced this function will return false instead of an object.
If you enable proper error reporting there should be no if statements. See How to get the error message in MySQLi?
Here is how your code should look like:
$prep_stmt = "SELECT id FROM members WHERE Email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing Email
$stmt->bind_param('s', $Email);
$stmt->execute();
$result = $stmt->get_result();
if ($result->fetch_assoc()) {
// A user with this Email address already exists
$error_msg .= '<p class="error">A user with this Email address already exists.</p>';
}
Try to avoid store_result() as much as possible. When you enable error reporting then there's no reason for any if statements. Otherwise, you would need to wrap each line in such statement, because any of these calls could fail: prepare(), bind_param(), execute(), ...
There's no need to close the statement if you fetch all the results. When you call get_result() you fetch everything from MySQL.
Keep it simple and don't add unnecessary code.

You should put store_result() after execute like bellow:
$stmt->execute();
$stmt->store_result();
if you make a method and pass query, it doesn't work

Debug mySQLi prepared statement -> email not found

i try to implement a register form and try to check via php and jQuery if a user already registered with a certain email.
here is my piece of code:
if(endsWith($email, 'domain.tld'))
{
$result = $database->prepare("SELECT id FROM users WHERE email LIKE ?");
$result->bind_param('s', $email);
//echo $email;
$result->execute();
//echo $result->execute();
//echo $result->num_rows;
//exit();
if($result->num_rows == 0)
{
echo'ok';
}
else {
echo 'duplicate';
}
$result->close();
}
else {
echo 'validation failed';
}
I used the commented echos and exit() to debug my code. The problem is that the database holds the user user#domain.tld and the script shows me in the echo "user#domain.tld10". So the statement ist executed successful but no rows are returned. If i execute the statement
SELECT id FROM users WHERE email LIKE "user#domain.tld"
i get the id (in this case 11) returned.
My question is, how can i debug this php script better and the biggest question is, why is my scipt not working properly?
Thank you so much in advance!

Use before num_rows
$result->store_result();
The use of mysqli_stmt_num_rows() depends on whether or not you used
mysqli_stmt_store_result() to buffer the entire result set in the
statement handle.
Docs

Categories