This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
(2 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 4 years ago.
I wanted to make this query with a prepared statement, but somehow it doesn't fetch any data. The username I type in the form is in the database, so I guess the problem must be somewhere in the prepared statement.
if(isset($_POST['login'])){
    $typed_username = mysqli_real_escape_string($connection, $_POST['login_username']);
    $typed_password = $_POST['login_password'];
    $column = "username";
    $stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
    mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_password);
    if(mysqli_stmt_num_rows($stmt) < 1){
        echo "no results";
    }
    if(password_verify($typed_password, $user_password)){
        echo "login yeah!";
    }
}
I get "no results" no matter what I try.
Although I've added a comment on how to solve this, I guess for your learning purpose I should add the solution here.
This becomes a very simple solution if $column = "username"; never changes.
If this is the case; you must change your prepare from this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
to this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
Following that change, you no longer need to bind $column (MySQL says binding a column is pointless anyway because it won't accept it).
So your bind_param changes from:
mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
to this (you no longer need mysqli_real_escape_string, so you can throw the $_POST value directly into the query):
mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
Therefore, your overall code now looks like:
if(isset($_POST['login'])){
    $typed_password = $_POST['login_password'];
    $stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
    mysqli_stmt_execute($stmt);
    //store the result first: num_rows only works on a buffered result,
    //and store_result must be called before the first fetch
    mysqli_stmt_store_result($stmt);
    mysqli_stmt_bind_result($stmt, $user_password);
    //you were missing fetch
    mysqli_stmt_fetch($stmt);
    //now we can use mysqli_stmt_num_rows
    if(mysqli_stmt_num_rows($stmt) < 1){
        echo "no results";
    }
    //added an else here as I said in the comments
    else if(password_verify($typed_password, $user_password)){
        echo "login yeah!";
    }
}
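The same login check written as a function, as an added example that is not part of the question or the answer above. It assumes the `$connection` handle, the `users` table and its `username` / `user_password` columns from the question; the `email` column in the whitelist and the `verifyLogin` name are assumptions. It shows the point the answer makes about `$column`: identifiers cannot be bound, so if the column must vary it is chosen from a fixed list, and only the value is a parameter.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes an open mysqli
// handle $connection and a users table with username / user_password columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw instead of yielding 0 rows

// Identifiers (table/column names) cannot be bound as ? parameters, so a
// variable column is taken from this fixed whitelist, never from user input.
const LOGIN_COLUMNS = ['username', 'email']; // 'email' is assumed for illustration

function verifyLogin(mysqli $connection, string $column, string $identifier, string $password): bool
{
    if (!in_array($column, LOGIN_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported login column: $column");
    }
    // $column is now one of the literals above; only the value is a parameter.
    $stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE `$column` = ?");
    mysqli_stmt_bind_param($stmt, 's', $identifier);
    mysqli_stmt_execute($stmt);

    // Buffer the rows first: num_rows / fetch behave as expected only after store_result().
    mysqli_stmt_store_result($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt) === true; // null when no row, false on error
    mysqli_stmt_close($stmt);

    // Unknown user: verify against a throwaway hash so the caller sees the
    // same false result, and roughly the same timing, as for a wrong password.
    $hash = $found ? $storedHash : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $found;
}

// Usage with the form fields from the question:
if (isset($_POST['login'])) {
    echo verifyLogin($connection, 'username', $_POST['login_username'], $_POST['login_password'])
        ? 'login yeah!'
        : 'invalid username or password';
}
```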
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I am making a login form and I am quite confused with how to use bind parameters to select data.
My current code looks like this:
$stmt = $mysqli_conn->query('SELECT * FROM user WHERE email = ? AND password = ?');
$stmt->bind_param('ss', $emailclean, $passwordclean);
$stmt->execute();
$result = $stmt->get_result();
if ($row = $result->fetch_assoc()) {
    $finalmessager['success'] = 'You are logged in';
    $_SESSION['finalmessagelog']= $finalmessager;
    $_SESSION['authenticateduser']= $emailclean;
    header('location:../index.php');
    unset($_SESSION['logErrors']);
}
I don't understand why this isn't working.
I'll leave you a little example:
<?php
$query = "SELECT * FROM user WHERE email = ? AND password = ?";
$stmt = $this->db->prepare($query);
$stmt->bind_param("ss", $emailclean, $passwordclean); //both are strings
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($column1, $column2); //you have to assign every column
while($stmt->fetch())
{
    if($column1 == 1){ //first column is id? just guessing
        echo "its the id 1 yeah!";
    }
    echo "col1: $column1, col2: $column2 \n";
}
$stmt->close();
This question already has an answer here:
Why does mysqli num_rows always return 0?
(1 answer)
Closed 1 year ago.
I am still new to PHP and MySQL. I started learning MySQLi a few days ago and I ran into this problem.
This page is named login.php. The problem is that the query returns 0 rows.
When I run the query in phpMyAdmin it shows this message and 1 row:
Showing rows 0 - 0 (1 total, Query took 0.0010 sec)
Here is my code:
<?php
session_start();
require 'config.php';
$username = $_POST['username'];
$password = $_POST['password'];
$salt = 'qwerty';
$pass_prepare = md5($salt).sha1($password);
if ($_SERVER['REQUEST_METHOD'] != "POST") {
    header('Location: index.php');
}
if (isset($username) && isset($pass_prepare)) {
    $stmt = mysqli_prepare($db_con, "SELECT user_id, username, password, rank, last_activity FROM imes_users WHERE username=? AND password=? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "ss", $username, $pass_prepare);
    mysqli_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id, $username1, $password1, $rank, $last_activity);
    mysqli_stmt_fetch($stmt);
    echo mysqli_num_rows($stmt);
} else {
    echo 'error';
}
Could you help me to fix this issue?
$sql = mysqli_query($connection, $query);
$count = $sql->num_rows; // $count contains now your value
You are using prepared statements, so the syntax is slightly different. You want to use mysqli_stmt_num_rows instead of mysqli_num_rows.
$stmt = mysqli_prepare($db_con, "SELECT user_id, username, password, rank, last_activity FROM imes_users WHERE username=? AND password=? LIMIT 1");
mysqli_stmt_bind_param($stmt, "ss", $username, $pass_prepare);
mysqli_stmt_execute($stmt); // mysqli_execute is only a deprecated alias
// buffer the result set before fetching; mysqli_stmt_num_rows needs a stored result
mysqli_stmt_store_result($stmt);
mysqli_stmt_bind_result($stmt, $user_id, $username1, $password1, $rank, $last_activity);
mysqli_stmt_fetch($stmt);
echo mysqli_stmt_num_rows($stmt);
This question already has answers here:
PHP MYSQLI number of rows doesnt work no errors
(3 answers)
Closed 6 years ago.
I don't understand why $amountOfUsers is showing as 0.
This used to work before I moved to the bind_param function... I was only using query() instead of prepare(). But this is a lot safer; I just have trouble understanding why this doesn't work, and how to fix it.
$stmt = $mysqli->prepare("SELECT id, expire, status, username FROM username WHERE username= ?");
$stmt->bind_param('s', $username);
$stmt->execute();
//Counting results. 0 = Invalid, 1 = Valid
$amountOfUsers = $stmt->num_rows;
The error I am getting is: $amountOfUsers isn't counting the number of results properly.
$stmt = $mysqli->prepare("SELECT id, expire, status, username FROM username WHERE username= ?");
$stmt->bind_param('s', $username);
$stmt->execute();
// Store the result (so you can get the properties, like num_rows)
$stmt->store_result();
// Get the number of rows
$amountOfRows = $stmt->num_rows;
// Bind the result to variables
$stmt->bind_result($id, $expire, $status, $db_username);
// Process the variables
while($stmt->fetch()) {
    printf("%d %s %s %s\n", $id, $expire, $status, $db_username);
}
Sometimes things don't go according to plan. Checking result codes and errors available in your library is usually more efficient for troubleshooting than asking strangers, but hopefully this stranger can help... choose one of these patterns:
A:
$result = $stmt->execute();
if (!$result) { /* handle errors */ }
B:
$stmt->execute();
if ($stmt->errno != 0) { /* handle errors */ }
C (for development troubleshooting only, not code you would leave around):
$stmt->execute();
print_r($stmt->error_list);
More info here and associated pages:
http://www.php.net/manual/en/mysqli-stmt.errno.php
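A fourth pattern, added here and not part of the answer above: switch mysqli into exception mode so a failed prepare() or execute() throws instead of silently returning false, which is how a broken query ends up looking like "0 rows". It assumes the `$mysqli` handle and the `username` table from the question; the function name and the log message are assumptions.

```php
<?php
// Added example (not the answerer's code). Assumes an open mysqli handle
// $mysqli and the username table from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // every mysqli error becomes an exception

function countMatchingUsers(mysqli $mysqli, string $username): int
{
    try {
        $stmt = $mysqli->prepare("SELECT id, expire, status, username FROM username WHERE username = ?");
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();   // num_rows is only meaningful on a buffered result
        $rows = $stmt->num_rows;
        $stmt->close();
        return $rows;
    } catch (mysqli_sql_exception $e) {
        // Keep errno and message in the server log for troubleshooting;
        // the caller only gets a generic failure, not the SQL error text.
        error_log(sprintf('login query failed [%d]: %s', $e->getCode(), $e->getMessage()));
        throw new RuntimeException('login temporarily unavailable', 0, $e);
    }
}
```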
I will never in my life understand why PHP users are so attached to the number of rows returned.
Especially if it is used only as a flag for whether any data was returned!
Why not take the returned data itself and look at it?
$sql = "SELECT id, expire, status, username FROM username WHERE username= ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $username);
$stmt->execute();
$res = $stmt->get_result();
$row = $res->fetch_assoc();
if ($row)
{
    // do whatever
}
I will never understand the inclination to long-winded code either.
Why not get yourself an abstraction library and do everything in one single line?
$sql = "SELECT id, expire, status, username FROM username WHERE username= ?";
if ($row = $db->getRow($sql))
{
    // do whatever
}
This question already has answers here:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result [duplicate]
(6 answers)
Closed 9 years ago.
The code:
$stmt = mysqli_prepare($link, "SELECT * FROM adm_users WHERE users_username = ? AND users_password = ?");
mysqli_stmt_bind_param($stmt, 'ss', $user_adm_name, $user_adm_password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
mysqli_stmt_fetch($stmt);
$adm_check_log = mysqli_num_rows($stmt);
mysqli_stmt_close($stmt);
Return:
Warning: mysqli_num_rows(): supplied argument is not a valid MySQL result
Why? Can someone explain this to me?
You should check the return values of your functions!
(As a programmer do this in every situation when you encounter an error)
Seems that something is going wrong with the query. So change the code to something like:
$result = mysqli_query(...);
if(!$result) {
    die(mysqli_error($link));
}
Do the same with all of the mysqli functions that you are using.
That simply means that the value for $stmt that is being passed in here:
$adm_check_log = mysqli_num_rows($stmt);
isn't of the correct type. Usually it indicates that you either didn't return anything from your query or there was an error with it.
Try outputting it to see what you get:
var_dump($stmt);
Replace what you have with this. What error is reported?
if($stmt = mysqli_prepare($link, "SELECT * FROM adm_users WHERE users_username = ? AND users_password = ?")) {
    $stmt->bind_param("ss", $user_adm_name, $user_adm_password);
    $stmt->execute();
    // errno is the numeric code, error the message text
    printf("Error: %d %s\n", $stmt->errno, $stmt->error);
    $stmt->bind_result($foo);
    $stmt->fetch();
    var_dump($foo);
    $stmt->close();
}
I have searched through a lot of questions posted by other people and I still can't find what's wrong with my code. There isn't much out there similar to mine, and most of what I found uses the OO style.
I have tried this:
$query = "SELECT * FROM userinfo WHERE (username = '?')";
if($stmt = mysqli_prepare($mysqli, $query))
{
    mysqli_stmt_bind_param($stmt, "s", $login_username);
    mysqli_stmt_execute($stmt);
}
AND:
$query = "SELECT re_password FROM userinfo WHERE (username = '?')";
if($stmt = mysqli_prepare($mysqli, $query))
{
    mysqli_stmt_bind_param($stmt, "s", $login_username);
    mysqli_stmt_execute($stmt);
}
And I am still getting this message: mysqli_stmt_bind_param() [function.mysqli-stmt-bind-param]: Number of variables doesn't match number of parameters in prepared statement
I seriously need some big help. I used to do this with the mysql functions and I have no idea about the prepared-statement way of doing it. Now I'm learning MySQLi by myself and learning how to code with prepared statements at the same time. No matter how I look at the manual I still don't understand.
Also, is there any preference or advantages/disadvantages to coding in the OO or the procedural style?
Thanks guys!
Try replacing the '?' with ?:
$query = "SELECT * FROM userinfo WHERE username = ?";
if($stmt = mysqli_prepare($mysqli, $query))
{
    mysqli_stmt_bind_param($stmt, "s", $login_username);
    mysqli_stmt_execute($stmt);
}