This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I am making a login form and I am quite confused with how to use bind parameters to select data.
My current code looks like this:
$stmt = $mysqli_conn->query('SELECT * FROM user WHERE email = ? AND password = ?');
$stmt->bind_param('ss', $emailclean, $passwordclean);
$stmt->execute();
$result = $stmt->get_result();
if ($row = $result->fetch_assoc()) {
$finalmessager['success'] = 'You are logged in';
$_SESSION['finalmessagelog']= $finalmessager;
$_SESSION['authenticateduser']= $emailclean;
header('location:../index.php');
unset($_SESSION['logErrors']);
}
I don't understand why this isn't working
i let you a little example:
<?php
$query = "SELECT * FROM user WHERE email = ? AND password = ?";
$stmt = $this->db->prepare($query);
$stmt ->bind_param("ss", $emailclean, $passwordclean); //both are strings
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($column1, $column2); //you have to assign every column
while($stmt->fetch())
{
if($column1 == 1){ //first column is id? just guessing
echo "its the id 1 yeah!";
}
echo "col1: $column1, col2: $column2 \n";
}
$stmt->close();
Related
This question already has answers here:
How can I with mysqli make a query with LIKE and get all results?
(2 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(2 answers)
Closed 3 years ago.
I'm attempting to use a SQL LIKE clause with mysqli prepared statements.
I have already tried other examples such as
$sysName = "{$_POST['ss']}%";
and
$sysName = $_POST['ss'] . '%';
if(isset($_POST['ss'])) {
$sysName = $_POST['ss'] . '%';
if(strlen($sysName) >0) {
$qry = mysqli_stmt_prepare($link, "SELECT * FROM tblSchools WHERE systemName LIKE ?");
mysqli_stmt_bind_param($qry,'s',$sysName);
mysqli_stmt_execute($qry);
$result = mysqli_stmt_get_result($qry);
}
}
If $_POST['ss'] is populated with the word sys and there exists a systemName in tblSchools called 'system' then the result set should include the row information that pertains to the 'system' row. No matter what I put in there though the result always comes back null. My connection to the database is successful. I have tested with mysqli_query and just straight strings successfully, but when I switched to prepared statements on the LIKE clause it doesn't work. I've been beating my head against this problem for almost a full day now.
EDIT: In response to first answer
Still doesn't work
$stmt = mysqli_stmt_init($link);
$sysName = "sys%";
if(strlen($sysName) >0) {
if(!mysqli_stmt_prepare($stmt, "SELECT * FROM tblSchools WHERE systemName LIKE ?")) {
echo "1";
exit;
} else {
if(mysqli_stmt_bind_param($stmt,'s',$sysName)) echo "2";
if(mysqli_stmt_execute($stmt)) echo "3";
$result = mysqli_stmt_fetch($stmt);
$row = mysqli_fetch_array($result);
var_dump($row);
echo "Hey";
}
}
Prints 2 and 3 not 1
Try this:
$link = \mysqli_connect("127.0.0.1", "user", "password", "dbname");
if (!$link) {
$error = \mysqli_connect_error();
$errno = \mysqli_connect_errno();
print "$errno: $error\n";
exit();
}
$query = "SELECT * FROM tblSchools WHERE systemName LIKE ?";
$stmt = \mysqli_stmt_init($link);
if (!\mysqli_stmt_prepare($stmt, $query)) {
print "Failed to prepare statement\n";
exit;
} else {
$sysName = 'sys%';
\mysqli_stmt_bind_param($stmt, "s", $sysName);
\mysqli_stmt_execute($stmt);
$result = \mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_array($result);
var_dump($row);
}
it works for me
This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
(2 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 4 years ago.
I wanted to make this query with a prepare statement, but somehow it doesnt fetch any data. The username I type in the form is in the database, I guess the problem must be somewhere in the prepare stmt.
if(isset($_POST['login'])){
$typed_username = mysqli_real_escape_string($connection, $_POST['login_username']);
$typed_password = $_POST['login_password'];
$column = "username";
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user_password);
if(mysqli_stmt_num_rows($stmt) < 1){
echo "no results";
}
if(password_verify($typed_password, $user_password)){
echo "login yeah!";
}
}
I get "no results" no matter what I try.
Although I've added a comment on how to solve this, I guess for your learning purpose I should add the solution here.
This becomes a very simple solution if $column = "username"; never changes.
If this is the case; you must change your prepare from this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
to this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
Following that change, you no longer need to bind $column (mysql says binding a column is pointless anyway because it won't accept it.)
So your bind_param changes from:
mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
to this (you no longer need to myqsli_real_escape_string so you can throw the $_POST directly into the query:
mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
Therefore, your overall code now looks like:
if(isset($_POST['login'])){
$typed_password = $_POST['login_password'];
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user_password);
//you where missing fetch
mysqli_stmt_fetch($stmt);
//store the result
mysqli_stmt_store_result($stmt);
//now we can use mysqli_stmt_num_rows
if(mysqli_stmt_num_rows($stmt) < 1){
echo "no results";
}
//added an else here as I said in the comments
else if(password_verify($typed_password, $user_password)){
echo "login yeah!";
}
}
This question already has answers here:
return one value from database with mysql php pdo
(3 answers)
Closed 6 years ago.
I am trying to echo or print the last value of column usercode using PHP PDO. I tried to do this by using name column and SESSION var which will be the last values as references, but it doesn't work.
$name = $_SESSION['name'];
$query = $db->prepare("SELECT usercode from users where name = $name ");
$query->execute();
$result = $query->setFetchMode(PDO::FETCH_ASSOC);
echo $result;
Here you go:
$name = $_SESSION['name'];
$query = $db->prepare("SELECT usercode from users where name=:name");
$query = $db->bindParam(':name', $name);
$query->execute();
$row = $query->fetch();
echo $row['usercode'];
bindParam is used when you just want to bind a variable reference to a parameter in the query.
This question already has answers here:
How do I escape reserved words used as column names? MySQL/Create Table
(4 answers)
Closed 2 years ago.
I am making a prepared statement in PHP and my code is fine until I add in 'id' and 'key' to my parameters. They are definitely in the table that I am requesting too. What is wrong? Thanks in advance!
ERROR: Call to a member function bind_param() on boolean
if($_POST['userx']){
echo '<div id="div2"><div id="font2">Dashboard</div>';
$queryA = "SELECT name,profo,password,id,key FROM collegestudents WHERE email = ?";
$stmt = $connection->prepare($queryA);
$stmt->bind_param('s',$_POST['userx']);
$stmt->bind_result($name1,$profo,$password1,$key,$id);
$stmt->execute();
$stmt->fetch();
$stmt->close();
Key is a reserved keyword in mysql.
It's a good habit to enclose field names and table names in backticks in queries but also to check for errors.
$queryA = "SELECT `name`,`profo`,`password`,`id`,`key` FROM `collegestudents` WHERE `email` = ?";
$stmt = $connection->prepare($queryA);
if ($stmt) {
$stmt->bind_param('s',$_POST['userx']);
...
}
else {
echo "MySQL ERROR: " . $connection->error;
}
$stmt = $connection->prepare($queryA);
returns boolean(false)
make sure your query is correct
you can do a simple check like this
$stmt = $connection->prepare($queryA);
if (!$stmt) {
echo "failed to run";
} else {
$stmt->bind_param('s',$_POST['userx']);
$stmt->bind_result($name1,$profo,$password1,$key,$id);
$stmt->execute();
$stmt->fetch();
}
Edit:
if you are using PDO you were doing it wrong it should be like this
$stmt = $conn->prepare("SELECT name,profo,password,id,key FROM
collegestudents WHERE email = :email");
$stmt->bindParam(':email', $email);
Change your database connection file with
<?php $con = new PDO('mysql:host=127.0.0.1;dbname=yourdatabasename;','username',''); ?>
Then change below line
$queryA = "SELECT name,profo,password,id,key FROM collegestudents WHERE email = ?";
$stmt = $connection->prepare($queryA);
$stmt->bind_param('s',$_POST['userx']);
$stmt->bind_result($name1,$profo,$password1,$key,$id);
$stmt->execute();
with
$queryA = "SELECT name,profo,password,id,key FROM collegestudents WHERE email = :v";
$stmt = $connection->prepare($queryA);
$stmt->execute( array('v' => $_POST['userx']) );
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 6 years ago.
I'm developing a php site right now. I was making the login page and when i checked if the login code works, it printed the whole prepare line.
output:
prepare("select * from login_details where user = ? && pass= ?;");
$stmt>bindValue(1, $name); $stmt->bindValue(2, $pass); $stmt->execute;
$row = $stmt->fetchall(PDO::FETCH_ASSOC); while ($row) { echo "
Failed
"; } ?
and my code was,
<body>
<?php
include 'connect.php';
if(isset($_POST['username']) && isset($_POST['pass'])){
$name=htmlentities($_POST['username']);
$pass=htmlentities($_POST['pass']);
}
$stmt= $dbh->prepare("select * from login_details where user = ? && pass= ?;");
$stmt->bindValue(1, $name);
$stmt->bindValue(2, $pass);
$stmt->execute;
$row = $stmt->fetchall(PDO::FETCH_ASSOC);
while ($row) {
echo "<h2>Failed</h2>";
}
?></body>
("select * from login_details where user = ? and pass=? ");
It's and and not &&. You should not add a terminating semicolon to the statement.