We Keep Coding

PHP Notice: Only variables should be passed by reference in Error [duplicate]

I'm practicing building a PHP registration form script for a website. I have done this code, but when I click the submit button I get the notice: Only variables should be passed by reference in line 13, and I'm stuck on what to do here. Any help is greatly appreciated, again I'm not a PHP expert.
<?php
require 'database.php';
if(!empty($_POST['email']) && !empty($_POST['username']) && !empty($_POST['password'])):
//Enter the new user into the database
$sql = "INSERT INTO users (email, username, password) VALUES (:email, :username, :password)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':username', $_POST['username']);
$stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));
if($stmt->execute() ):
die('Success');
else:
die('Fail');
endif;
endif;
?>
here

change this
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':username', $_POST['username']);
$stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));
to this
$email = $_POST['email'];
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password',$password);
the error message is clear though you need to assign those values into variables then pass them

$result->bindParam(':id', $id, PDO::PARAM_INT);
if string, you need write:
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);

How can I check if a user exists with PDO?

My PDO query is not working for some reason, the page itself doesn't seem to have any error, I've been trying to fix this for like 2 months and nothing worked, I got this "final" code which not seems to have any errors and it's still not working.
<?php
require 'database.php';
$message = '';
if (!empty($_POST['username']) && !empty($_POST['email']) && !empty($_POST['phone']) && !empty($_POST['password'])) {
$sql = "INSERT INTO users (username, email, phone, password) VALUES (:username, :email, :phone, :password)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':username', $_POST['username']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':phone', $_POST['phone']);
$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$stmt->bindParam(':password', $password);
$query = $con->prepare("SELECT username FROM users WHERE username = :username");
$query->bindParam(':username', $_POST['username']);
$query->execute();
if($query->rowCount() > 0){
?> Este usuario ya existe <?php
}
else {
if($stmt->execute()) {
header('Location: login.php');
}
else {
echo "Ocurrió un error";
}
}
}
?>

I suppose that it's because you have used a inapropriate variable.
in initialisation of $stmt you used $conn and in $query you used $con
make sure to the rigth varaible

Php Login not working with password_verify (Android)

I'm having some troubles with my Login file due to the password_verify implementation. The file was working fine without the password_verify() validation.
Below my Login file:
<?php
include 'config.inc.php';
// Innitialize Variable
$result='';
$username = $_POST['username'];
$userpassword = $_POST['password'];
// Query database for row exist or not
$sql = 'SELECT password FROM user WHERE email = :username';
$stmt = $connection->prepare($sql);
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':userpassword', $userpassword, PDO::PARAM_STR);
$stmt->execute();
// $row = mysqli_fetch_array($stmt);
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (password_verify($userpassword, $row['password'])) {
$result="true";
} else {
$result="false";
}
// send result back to android
echo $result;
?>
Here is also my Register file (which is working well) for reference:
<?php
include 'config.inc.php';
// Check whether username or password is set from android
if(isset($_POST['user']) && isset($_POST['email']) && isset($_POST['password']))
{
// Innitialize Variable
$result='';
$user = $_POST['user'];
$email = $_POST['email'];
$password = $_POST['password'];
// Encryption of password
$options = [
'cost' => 12,
];
$password = password_hash($password, PASSWORD_BCRYPT, $options);
// Query database for row exist or not
$sql = 'INSERT INTO user VALUES (NULL, :user, :email, :password, 0, 1, 1)';
$stmt = $connection->prepare($sql);
$stmt->bindParam(':user', $user, PDO::PARAM_STR);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
if($stmt->rowCount())
{
$result="true";
}
elseif(!$stmt->rowCount())
{
$result="false";
}
// send result back to android
echo $result;
}
?>
Thanks for your support!
Oliver

Registration PHP Code error

I am facing an error while completing my registration system. My database connection is working properly.
Registration PHP Code:
require 'db.php';
$message = '';
if(!empty($_POST['full_name']) && !empty($_POST['email']) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['confirm_password'])):
// Enter the new user in the database
$sql = "INSERT INTO users (full_name, email, username, password) VALUES (:email, :password)";
$stmt = $con->prepare($sql);
$stmt->bindParam(':email', $_POST['full_name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':email', $_POST['username']);
$stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));
if( $stmt->execute() ):
header('Location: index.php');
$message = 'Successfully created new user';
else:
$message = 'Sorry there must have been an issue creating your account';
endif;
endif;

You are binding parameters for values which you have not included in the query,
change,
$sql = "INSERT INTO users (full_name, email, username, password) VALUES (:email, :password)";
to,
$sql = "INSERT INTO users (full_name, email, username, password) VALUES (:full_name, :email, :username, :password)";
and change,
$stmt->bindParam(':email', $_POST['full_name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':email', $_POST['username']);
$stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));
to,
$stmt->bindParam(':full_name', $_POST['full_name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->bindParam(':username', $_POST['username']);
$stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));
Now you are actually passing the correct values to the query.
Take note of the following:
Ensure you are validating/sanitizing your user input.
Ensure that you use exit with header to prevent errors.
You are setting the value of $message but not outputting it.

Basic php/db password encryption

've set up two simple php files for a login/register feature on my android app.
I would like to know a simple way to get it to save/write an encrypted password to the mysql database. at the moment its only writing plain text for password.
Code for register.php is :
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$statement = mysqli_prepare($con, "INSERT INTO User (username, email, password) VALUES (?, ?, ?)" );
mysqli_stmt_bind_param($statement, "sss", $username, $email, $password);
mysqli_stmt_execute($statement);
mysqli_stmt_close($statement);
mysqli_close($con);
and code for login stuff is:
$password = $_POST["password"];
$username = $_POST["username"];
$statement = mysqli_prepare($con, "SELECT * FROM User WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($statement, "ss", $username, $password);
mysqli_stmt_execute($statement);
mysqli_stmt_store_result($statement);
mysqli_stmt_bind_result($statement, $userID, $username, $email, $password);
$user = array();
while(mysqli_stmt_fetch($statement)) {
$user[username] = $username;
$user[email] = $email;
$user[password] = $password;
}
echo json_encode($user);
mysqli_stmt_close($statement);
mysqli_close($con);
very simple question i know but just learning myself. thanks
EDIT:
Based on Jamesking56's link/ response i've come out with this, but now its not writing to db at all:
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$statement = mysqli_prepare($con, "INSERT INTO User (username, email, password) VALUES (?, ?, ?)" );
mysqli_stmt_bind_param($statement, "sss", $username, $email, $passwordHash);
mysqli_stmt_execute($statement);
mysqli_stmt_close($statement);
mysqli_close($con);

If you are using PHP 5.5 or newer, there are some built-in functions for password hashing called password_hash() and password_verify().
Never use MD5 or SHA1 on its own for password hashing as they can be reversed by using rainbow tables.
You should use a hashing mechanism with a secret that you define which gives you hashes which are unique to your application. The 'secret' you create should never be shared through VCS.
A good article about this can be found here: http://www.phptherightway.com/#password_hashing
For anyone using PHP versions lower than 5.5 you can use crypt():
http://php.net/manual/en/function.crypt.php
PHP 5.4 will be unsupported as of 14th September 2015 so please consider upgrading to 5.5.