How to get select query working sqli - php

I want to perform a select query on my users table with sqli in php.
For security reasons (sql injection) i want to do it using parameter(s).
Also i want to store the result in a php variable.
This is my code:
the $conn variable is filled in correctly.
$login = $_POST['username'];
//Check if username is available
/*Line44*/ $stmt = $conn->prepare("SELECT login FROM users WHERE login = ?");
/*Line45*/ $stmt->bind_param('s', $login);
$result = $stmt->execute();
if ($result->num_rows > 0)
{
echo "This username is in use.";
}
else
{
//Add account to database
$stmt = $conn->prepare("INSERT INTO users (login, password, email, gender) VALUES (?, ?, ?, ?)");
$stmt->bind_param('ssss', $login, $md5pass, $email, $gender);
$stmt->execute();
$stmt->close();
echo "<font color=\"#254117;\">Your account is succesfully geregistered! <br />U can now login!</font>";
}
I get this error:
Warning: mysqli::prepare() [mysqli.prepare]: Couldn't fetch mysqli in
C:\xampp\htdocs\cammerta\registreer.php on line 44
Fatal error: Call to a member function bind_param() on a non-object in
C:\xampp\htdocs\cammerta\registreer.php on line 45
I hope someone can provide an solution and explain to me what i did wrong.
Thanks in advance!

$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);
$stmt->execute();
Plus
1.Please run query in phpmyadmin or any program
2.Maybe you not set variables. $login, $md5pass, $email, $gender

$stmt = $conn->prepare statement may be return false.Please use given code for getting error in query.
if ($stmt = $conn->prepare('your query')) {
$stmt->bind_param(...);
}
else {
printf("Error=: %s\n", $conn->error);
}

Related

I am trying to send three mysql prepared statements in the same section [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 3 years ago.
The problem I am facing is that I am not able to take the users id and send it through.
Here is the code.
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
$stmt = $con->('SELECT id from tblusers where user=?');
$user=$_POST['username'];
$stmt->bind_param('s' $user);
$stmt->execute();
$stmt -> bind_result($id);
$stmt = $con->prepare('INSERT INTO tblbtc (id) VALUES (?)');
$stmt->bind_param('i', $id);
$stmt->execute();
header('location: ../../home/index.php');
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
}
$stmt->close();
}
Here is also a error message I get
Parse error: syntax error, unexpected '(', expecting identifier (T_STRING) or variable (T_VARIABLE)
This code down below works without the two extra added mysql statements.
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
header('location: ../../home/index.php');
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
}
$stmt->close();
}
The expected results of this code it to create the user which works and then to take the users id and also create columns on the tblbtc with the userid/.
You can get the inserted user id using mysqli::inserted_id
see the code below
<?php
if ($stmt = $con->prepare('INSERT INTO tblusers (user, password, token) VALUES (?, ?, ?)')) {
// We do not want to expose passwords in our database, so hash the password and use password_verify when a user logs in.
$token = password_hash($_POST['token'], CRYPT_BLOWFISH);
$password = password_hash($_POST['password'], CRYPT_BLOWFISH);
$stmt->bind_param('sss', $_POST['username'], $password, $token);
$stmt->execute();
$user_id = $stmt->insert_id;
if($user_id)
{
$stmt = $con->prepare('INSERT INTO tblbtc (id) VALUES (?)');
$stmt->bind_param('i', $user_id);
$stmt->execute();
header('location: ../../home/index.php');
}
else{
echo ('Could not prepare statement!');
}
} else {
// Something is wrong with the sql statement, check to make sure accounts table exists with all 3 fields.
echo ('Could not prepare statement!');
}
$stmt->close();

How to fix "mysqli_stmt::bind_param():" on modification to mysql databas

I am creating a user registration system, and I am at the point where I start modifying the database i get the error
"Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /opt/lampp/htdocs/Projectss/01_sarah/index.php on line 41
"
I have tried using every single method in php documentation concerning adding data to the database
here is some code
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES('$first_name','$last_name','$email','$hash_password')";
$stmt = $conn->prepare($query);
if (!$stmt) {
echo mysqli_error($conn);
}
$stmt->bind_param('ssss', $query);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection
}
The expected result should is to not receive any warning after saving the information to the database
You're passing complete query in the bindParam and also passing the values in the query instead of this you need to pass the parameters in the bindParam like this..
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES(?, ?, ?, ?)";
$stmt = $conn->prepare($query);
$stmt->bind_param('ssss', $first_name, $last_name, $email, $hash_password);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection

PHP stmt prepare fails after multiple queries

Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given in on line 64
I've found multiple other posts with this problem, but the solutions I've tried haven't made a difference.
Things like stmt_close() or stmt_free() didn't make a difference.
So here is my actual code snippet:
1st prepare and execute:
// Connect to database
$mysqliID = mysqli_connect($mysqliHost, $mysqliUsername, $mysqliPassword);
if (!$mysqliID) throw new Exception("");
if (!mysqli_select_db($mysqliID, $mysqliDB)) throw new Exception("");
// Check if the username or email address aren't already accupied.
$stmt = mysqli_prepare($mysqliID, "SELECT id FROM Account WHERE username=? OR email=?");
mysqli_stmt_bind_param($stmt, "ss", $username, $email);
if (!mysqli_stmt_execute($stmt)) throw new Exception("");
$duplicates = 0;
mysqli_stmt_bind_result($stmt, $duplicateid);
while (mysqli_stmt_fetch($stmt))
{
die ("error:-gebruikersnaam of email al in gebruik.");
}
2nd prepare and execute:
// Save account with salted and hashed password.
include "PasswordHash.php";
$hashResult = create_hash($password);
$hashResultSplitted = explode(":", $hashResult);
$salt = $hashResultSplitted[2];
$hash = $hashResultSplitted[3];
$verified = 0;
$stmt = mysqli_prepare($mysqliID, "INSERT INTO Account (username, hash, salt, email, verified) VALUES (?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, "ssssi", $username, $hash, $salt, $email, $verified);
if (!mysqli_stmt_execute($stmt)) throw new Exception("");
3rd and last prepare and execute:
// Save verification token.
$token = bin2hex(random_bytes(16));
$expirationtime = time() + (15 * 60);
$accountid = mysqli_insert_id($mysqliID);
$stmt = mysqli_prepare($mysqliID, "INSERT INTO Verifications (token, expirationtime, accountid) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sii", $token, $expirationtime, $accountid);
if (!mysqli_stmt_execute($stmt)) throw new Exception("");
So in the 3rd and last block of code, I get the warning at the mysqli_prepare, but the previous two were successfully done.
Solution:
Turned out the table named Verifications should have been Verification. Found by just good reading and looking after I've had some sleep.

Mysqli prepared statements register

Okay I have one question. I need to check if the user already exists but the question is now what I need to type in the if() I can't fetch because I have closed but if I didn't close i got an error because there can't run 2 statements. So I think if there are someone who can help me? I have the rest code but I only give the code here.
Here is my code:
$result = $mysqli->prepare("SELECT username FROM user WHERE username=?");
$result->bind_param("s", $username);
$result->execute();
$result->bind_result($username);
$result->close();
if (){
$register = $mysqli->prepare("INSERT INTO user
(username, password, email, rr, rank)
VALUES (?, ?, ?, ?, ?)");
$register->bind_param("sssii", $username, $kode, $email, $rr, $rank);
$register->execute();
$register->close();
} else {
echo "User already exists!";
}
UPDATED: more logical statement
$result = $mysqli->prepare("SELECT username FROM user WHERE username=?");
$result->bind_param("s", $username);
$result->execute();
$found = $result->fetch();
$result->close();
if ($found){
echo "User already exists!";
} else {
$register = $mysqli->prepare("INSERT INTO user
(username, password, email, rr, rank)
VALUES (?, ?, ?, ?, ?)");
$register->bind_param("sssii", $username, $kode, $email, $rr, $rank);
$register->execute();
$register->close();
}

Fatal error: Call to a member function bindParam() on a non-object

This code is used to login using authentication , session management. error comes in 15th line of code which is fatal error: call to a member function bindParam() on non-object. i am not understanding that where is the mistake done by me. please help me.
<?php
// Sanitize incoming username and password
$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
$pwd= md5($password);
// Connect to the MySQL server
$db = new mysqli("localhost", "root", "", "login");
// Determine whether an account exists matching this username and password
$stmt = $db->prepare("SELECT id FROM accounts WHERE username =$username and password =$pwd");
// Bind the input parameters to the prepared statement
// the error comes in this line
$stmt->bindParam('ss', $username, $pwd);
// Execute the query
$stmt->execute();
// Store the result so we `enter code here`can determine how many rows have been returned
$stmt->store_result();
if ($stmt->num_rows == 1) {
// Bind the returned user ID to the $id variable
$stmt->bind_result($id);
$stmt->fetch();
// Update the account's last_login column
$stmt = $db->prepare("UPDATE accounts SET last_login = NOW() WHERE id=$id");
$stmt->bind_param('d', $id);
$stmt->execute();
$_SESSION['username'] = $username;
// Redirect the user to the home page
header('Location: home.php');
}
?>
$stmt = $db->prepare("SELECT id FROM accounts WHERE username =$username and password=$pwd");
$stmt->bindParam('ss', $username, $pwd);
You're binding a parameter that does not exist. You're also trying to bind two parameters with a single call.
Docs for the relevant function
Sample (taken from php.net) :
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>
[edit]
Looks like this was actually about mysqli. Relevant doc
Relevant sample:
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);

Categories