My php script for registrating using prepared statements isn't working and I can't figure out why.
Can somebody please check my code ? Thank you, and sorry for this post if it's duplicated but I can't figure it by myself
Code:
<?php
require_once 'connect.php';
$email = $_POST['email'];
$password = $_POST['password'];
$passwordR = $_POST['confpassword'];
if ($password == $passwordR) {
$password = hash('sha512', $password); // použi password_hash
$prep_stmt = "SELECT * FROM users WHERE email= ? ";
$stmt = connect()->prepare($prep_stmt);
if ($stmt) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
echo 0;
die();
} else {
if ($insert_stmt = connect()->prepare("INSERT INTO users (email, password) VALUES ( ? , ? )")) {
$insert_stmt->bind_param('ss', $email, $password);
$insert_stmt->execute();
if (!$insert_stmt) {
echo 2;
echo mysqli_stmt_sqlstate($insert_stmt);
die();
} else {
echo 1; //preslo to
die();
}
}
}
} else {
echo 3; //db error
die();
}
}
Related
Password_verfiy is not working at all even if i hardcode the values of the password and the hash itself. It is working in a similar program but that program is without prameterized queries
<?php
include 'db.php';
session_start();
$numrows=null;
$hpass=null;
if ($_SERVER['REQUEST_METHOD']=='POST') {
if (!empty($_POST['user']) && !empty($_POST['pass'])) {
$username = $_POST['user'];
$password = $_POST['pass'];
$query = $connection->prepare('Select password from users where username=?');
$query->bind_param("s", $username);
$query->execute();
$query->bind_result($hpass);
while ($query->fetch()) {
$numrows++;
}
$query->close();
//$query->fetch();
//$numofrows=$query->num_rows;
if ($numrows == 1) {
if (password_verify($password, $hpass)) {
$_SESSION['login_user'] = $username;
header("location:todo.php");
} else {
header("location:1.php");
}
} else {
header("location:2.php");
}
}
else {
header("location:not.php");
}
}
$password = $_GET['pass'];
$hpass = password_hash($password, PASSWORD_DEFAULT);
$query=$connection->prepare("insert into users (username,password) values (?,?)");
$query->bind_param('ss',$name,$hpass);
if ($query->execute()) {
$query->close();
header('location:index.php');
} else {
header('location:not.php');
}
Everthing seems to work except inserting data stmt.
I've added closing the connection and adding closing the statement.
$error = $user = $pass = "";
if (isset($_SESSION['user'])) destroySession();
if (isset($_POST['user']))
{
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
if ($user == "" || $pass == "")
$error = 'Not all fields were entered<br><br>';
else
{
$stmt = $connection->prepare('SELECT * FROM members WHERE user=?');
$stmt->bind_param('s', $user);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows)
$error = 'That username already exists<br><br>';
else
{
$hashedPwd = password_hash($pass, PASSWORD_DEFAULT);
$stmt = $connection->prepare("INSERT INTO members (user, pass) VALUES (?,?)");
$stmt->bind_param("ss", $user, $hashedPwd);
$stmt->execute;
$stmt->close();
die('<h4>Account created</h4>Please Log in.</div></body></html>');
}
}
}
$connection->close();
I can expect the code to recognize if a user exists. However, I can not expect the database to be updated with a new user.
Placing error_reporting(E_ALL); at the top of the page will show that there is problem with the $stmt->execute;
$stmt->execute; should be stmt->execute();
I'm creating a back end to my website and running into issues with the login user part.
The user registration into the database is made with the password_hash function using the code below:
UserReg.php :
<?php
require_once 'db.php';
$mysqli = new mysqli($host, $user, $password, $dbname);
if($mysqli -> connect_error) {
die($mysqli -> connect_erro);
}
$username = "userF";
$password = "somePass";
$token = password_hash("$password", PASSWORD_DEFAULT);
add_user($mysqli,$username, $token);
function add_user($mysqli,$username, $token) {
$query = $mysqli->prepare("INSERT INTO users(username, password) VALUES
(?,?)");
$query->bind_param('ss',$username, $token);
$query->execute();
$result = $query->get_result();
if(!$result) {
die($mysqli->error);
}
$query->close();
}
My login form skips to a blank page even when i insert my username and password. Doesn't even go to the login error message.
Login.php
<?php
include 'db.php';
$username = $_POST['user'];
$pwd = $_POST['password'];
$sql = "SELECT password FROM users WHERE username = ?";
$stmt = $mysqli->prepare($sql);
$stmt->execute();
$stmt->bind_result($pass);
while ($result = $stmt->num_rows()) {
if($stmt->password_verify($pwd, $result)) {
echo "Your username or password is incorrect";
} else {
header("Location: Menu.php");
}
}
What am i missing?
Appreciate your help.
I think you need to take a look at password_verify how it works.
$username = $_POST['user'];
$pwd = $_POST['password'];
$sql = "SELECT username, password FROM users WHERE username = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($username, $password);
$stmt->store_result();
if ($stmt->num_rows == 1) { //To check if the row exists
if ($stmt->fetch()) { //fetching the contents of the row
if (password_verify($pwd, $password)) {
$_SESSION['username'] = $username;
echo 'Success!';
exit();
} else {
echo "INVALID PASSWORD!";
}
}
} else {
echo "INVALID USERNAME";
}
$stmt->close();
I've started a thread or two so far but nothing has got resolved. I'm not able to use the mysqlnd because i'm using a shared hosting account with godaddy.
All i need to do is check if my email address and/or username is in use; if they are in use throw and error, if not.. all is well.
Here is my code:
$input_errors = array();
if (!empty($_POST['username'])) {
$user = $_POST['username'];
} else {
$input_errors['username'] = "Must fill out username";
}
$email = filter_input(INPUT_POST, 'usermail', FILTER_VALIDATE_EMAIL);
if (false === $email) {
$input_errors['usermail'] = "Not a valid email address";
}
if(count($input_errors) > 0) {
print_r($input_errors); die();
}
$sql = "SELECT COUNT(*) as amount FROM people WHERE username = ?
OR email = ?";
if ($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param("ss", $user, $email);
$stmt->execute();
$results = $stmt->get_result();
$data = mysqli_fetch_assoc($results);
if ($data['amount'] > 0)
{
print "User already exists";
}
}
else {
$stmt = $mysqli->stmt_init();
if (!$stmt) {
echo "Init failed";
} else {
$cmd = "INSERT INTO people (username, email, sign_up_date) VALUES (?, ?, NOW() )";
if ($stmt->prepare($cmd)) {
$stmt->bind_param('ss', $user, $email );
$stmt->execute();
echo $stmt->affected_rows . " row(s) inserted";
$stmt->close();
} else {
echo "Prepare failed";
}
mysqli_close($mysqli);
}
}
bind_result() does not work.
Change your sql statement to the following:
$sql = "SELECT COUNT(*) as amount FROM people WHERE username = '".mysqli_real_escape_string($_POST['username'])."' OR email = '".mysqli_real_escape_string($email)."'";
this is so that I come from Denmark and use google translate because I'm bad at English so hope that it can be in level with, however, this is how my MySQLI code to go right down to the last words, and says there are errors . I've tried to write it right password and email in, but it can not be bothered to work at all in some way it keeps making mistakes, how can it be?
<?php
session_start();
include("include/database/db.php");
if($stmt = $mysqli->prepare("SELECT id, djnavn, hemmelig, rank FROM `brugere` WHERE `email` = ? AND `password` = ?"))
{
$stmt->bind_param('ss', $email, $password);
$email = $_POST['email'];
$password = sha1($_POST['password']);
$stmt->execute();
$stmt->bind_result($id, $djnavn, $hemmelig, $rank);
$stmt->fetch();
$count_res = $stmt->num_rows;
$stmt->close();
if($count_res > 0) {
$_SESSION["logged_in"] = true;
$_SESSION["user_id"] = $id;
$_SESSION["djnavn"] = $djnavn;
$_SESSION["hemmelig"] = $hemmelig;
$_SESSION["rank"] = $rank;
if($rank == 0)
{
echo "Your can not log in!";
}
if($rank == 1)
{
echo "Ok, members you can log in now!";
}
if($rank == 2)
{
echo "Ok, Admin you can log in now!";
}
}
else {
echo 'fail her: ' . $mysqli->error;
}
}
?>
Can you help me on it!!
First of all it's notification and it occurs because you don't define $email and $password before you use them.
$email = $_POST['email'];
$password = sha1($_POST['password']);
cut and paste them befor you bind params:
$stmt->bind_param('ss', $email, $password);