This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 1 year ago.
if ($stmt = $connection->prepare('INSERT INTO users (name, id, password, email, city, avatar, about, activation_code) VALUES (?, ?, ?, ?, ?, ?, ?, ?)')) {
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$uniqid = uniqid();
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $password, $email, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
$stmt->execute();
$stmt->store_result();
echo 'Account's created';
} else {
echo 'Error';
}
This part of code doesn't create user in myqsl db. But if I
This code:
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $password, $email, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
Replace with:
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $email, $password, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
It create user but in table in email there is password and in password - email.
How I can fix it???
You need to check out what the error reported by MySQL says.
Not having seen your table definition (you really should post that too), I can only guess that the password you use - the hash - being as it is a PK2DBF hash, is too long for the password field.
You probably reserved something like 64 chars for the email and, what do I know, 16 characters for the password. But the password hash is longer. So if you insert the password in the email column it fits, the other way it doesn't.
You should use something like VARCHAR(200) for the password column definition field.
check the sql datatypes of the email and password columns and their respective lengths, the hash generated is probably too long or the email column does not allow certain inputs.
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 3 years ago.
The problem I am facing is that I am not able to take the users id and send it through.
Here is the code.
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
$stmt = $con->('SELECT id from tblusers where user=?');
$user=$_POST['username'];
$stmt->bind_param('s' $user);
$stmt->execute();
$stmt -> bind_result($id);
$stmt = $con->prepare('INSERT INTO tblbtc (id) VALUES (?)');
$stmt->bind_param('i', $id);
$stmt->execute();
header('location: ../../home/index.php');
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
}
$stmt->close();
}
Here is also a error message I get
Parse error: syntax error, unexpected '(', expecting identifier (T_STRING) or variable (T_VARIABLE)
This code down below works without the two extra added mysql statements.
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
header('location: ../../home/index.php');
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
}
$stmt->close();
}
The expected results of this code it to create the user which works and then to take the users id and also create columns on the tblbtc with the userid/.
You can get the inserted user id using mysqli::inserted_id
see the code below
<?php
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
$user_id = $stmt->insert_id;
if($user_id)
{
$stmt = $con->prepare('INSERT INTO tblbtc (id) VALUES (?)');
$stmt->bind_param('i', $user_id);
$stmt->execute();
header('location: ../../home/index.php');
}
else{
echo ('Could not prepare statement!');
}
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
$stmt->close();
Hi guys I set up a table on 000webhost. I set it up with a column for id, name, username, age and password. For some reason the username does not show up in the table when I run the code for the register and Im not sure what the error is. Here is the code for Register.php:
<?php
$con = mysqli_connect("*****", "****", "*****", "****");
$name = $_POST["name"];
$age = $_POST["age"];
$username = $_POST["username"];
$password = $_POST["password"];
$statement = mysqli_prepare($con, "INSERT INTO user (name, username, age, password) VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($statement, "siss", $name, $username, $age, $password);
mysqli_stmt_execute($statement);
$response = array();
$response["success"] = true;
echo json_encode($response);
?>
As I originally stated in comments:
You're trying to insert a string using the i parameter being an integer.
The order matters when binding.
You need to change your present parameters to ssis while making sure the age column is indeed an integer type.
Checking for errors on the query would have told you about it.
http://php.net/manual/en/mysqli.error.php
I also hope you're not storing plain text passwords. Use password_hash() if you plan on going live with this.
http://php.net/manual/en/function.password-hash.php
Sorry to be the bearer of bad news, but you will be hacked should this be the case.
Using a prepared statement without using a safe password hashing function won't guarantee your site from being compromised.
Your bind statement has incorrect format specifiers. Change this line
mysqli_stmt_bind_param($statement, "siss", $name, $username, $age, $password);
To
mysqli_stmt_bind_param($statement, "ssis", $name, $username, $age, $password);
Those specifiers need to match the column and variable type. S for string and i for Int
I'm trying to insert data which a user has filled out (register form) I am having issue, with it not inserting the data, and at the same time giving me NO error or reason why, I have checked my logs and everything, nothing seems to be wrong. But my query isn't executed.
/* IN THIS FUNCTION WE REGISTER THE USER, WE CREATE A SALT, INSERT THAT SALT KEY INTO SALTS TABLE, THEN GET THE ID AND USE THAT ID IN PASSYSTEM TABLE WHERE WE STORE THE PASSWORD AND THE SALT ID THE MEMBER DATA IS STORED IN MEMBERS TABLE*/
$data = $_POST;
print_r($data);
$salt = $this->gen_salt();
$password = hash('sha512', $salt.$data['password'].$salt, FALSE);
print $password;
$membersql = "INSERT INTO member (`firstname`,`lastname`,`email`,`gender`) VALUES (:firstname, :lastname, :email, :gender)";
$memberquery = $db->prepare($membersql);
$memberquery->bindParam(':firstname', $data['firstname'], PDO::PARAM_STR);
$memberquery->bindParam(':lastname', $data['lastname'], PDO::PARAM_STR);
$memberquery->bindParam(':email', $data['email'], PDO::PARAM_STR);
$memberquery->bindParam(':gender', $data['gender'], PDO::PARAM_STR);
$memberquery->execute();
Looks like something is wrong with bindparam.
Try it like this:
$membersql = "INSERT INTO member (firstname,lastname,email,gender) VALUES (?, ?, ?, ?)";
$memberquery->execute(array($data['firstname'], $data['lastname'], $data['email'], $data['gender']));
This should work correctly.
This question already has answers here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(2 answers)
Closed 2 years ago.
I have seen numorous questions similar to this, however I still can't seem to resolve the problem, so sorry if this may be a duplicate.
Anyway here is the code:
$email = $_POST['emailAddress'];
$username = $_POST['userName'];
$dob = $_POST['dobYear'] . "-" . $_POST['dobMonth'] . "-" . $_POST['dobDay'];
$fname = $_POST['firstName'];
$sname = $_POST['lastName'];
$country = $_POST['country'];
$squestion = $_POST['secretQuestion'];
$sanswer = $_POST['secretAnswer'];
require('db_connect.php');
$insert_stmt = $mysqli->prepare("INSERT INTO users (username, email, password, salt, fname, sname, country, dob, squestion, sanswer) VALUES (:username, :email, :password, :salt, :fname, :sname, :country, :dob, :squestion, :sanswer)");
var_dump($mysqli->error);
$insert_stmt->bind_param(':username', $username); // error is here
$insert_stmt->bind_param(':email', $email);
$insert_stmt->bind_param(':password', $password);
$insert_stmt->bind_param(':salt', $random_salt);
$insert_stmt->bind_param(':fname', $fname);
$insert_stmt->bind_param(':sname', $sname);
$insert_stmt->bind_param(':country', $country);
$insert_stmt->bind_param(':dob', $dob);
$insert_stmt->bind_param(':squestion', $squestion);
$insert_stmt->bind_param(':sanswer', $sanswer);
$insert_stmt->execute();
And this is the output of var_dump:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':username, :email, :password, :salt, :fname, :sname, :country, :dob, :squestion,' at line 1"
I know that there must be a problem on the prepare line but, I am really not seeing it.
Here is the db_connect.php just in case anyone wants to see though, this file is working fine:
define("HOST", "localhost"); // The host you want to connect to.
define("USER", "sec_user"); // The database username.
define("PASSWORD", "eKcGZr59zAa2BEWU"); // The database password.
define("DATABASE", "secure_login"); // The database name.
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
Again, sorry if this is a duplicate or if I'm missing something blatent and obvious.
The class mysqli_stmt does not support named SQL-parameters. Also, the first parameter to mysql_stmt::bind_param() is not the name of the SQL-parameter (because the class mysqli_stmt does not support named SQL-parameters).
$insert_stmt = $mysqli->prepare("INSERT INTO users (username, email, password, salt, fname, sname, country, dob, squestion, sanswer) VALUES (?, ?,?, ?, ?, ?, ?, ?, ?, ?)");
change your bind accordingly
I have a a simple form to login using a username and password. I want to apply a whitelist to allow only certain characters. I dont know if anybody requires this but here is the code to retrieve the username and password:
$stmt = $conn2->prepare("SELECT username FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
Do I incorporate something like this:
preg_replace( "/[^a-zA-Z0-9_]/", "", $stringToFilter );
If so, where do I include it within my code? And what happens if a user tries to input something other than what is in the whitelist?
ADDED: Ok well what about if it is during registration and it is using INSERT to store username and password?
//insert data
$stmt = $conn2->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
//bind the parameters
$stmt->bind_param('sss', $username, $email, $password);
Add the filtering code before your INSERT during registration. Check that the string is not empty after filtering, so that a username of "!!*&%$#()*&#$" does not get inserted as a blank string.
$username_clean = preg_replace( "/[^a-zA-Z0-9_]/", "", $_POST['username'] );
if (!strlen($username_clean)){
die("username is blank!");
}
$stmt = $conn2->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
$stmt->bind_param('sss', $username_clean, $email_clean, $password_clean);