So I'm trying to make public profiles. So i'm getting the result from the database and shooting it back. Here's my code
$username = $con->prepare("SELECT username FROM users WHERE email=:email");
$username->bindValue(':email', $email, PDO::PARAM_STR);
$username->execute();
$userurl = $_GET['username'];
For some reason I'm not getting anything back. No errors either. Any help would be great. So basically what I want to do is get example.com/profile?username=joe
$stmt = $con->prepare("SELECT username FROM users WHERE email=:email");
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch();
$username = $row['username'];
$userurl = "example.com/profile?username=$username";
header("Location: $userurl") ;
You executed the query but never fetched the data, $_GET doesn't do what you think, it is meant to get a query string value.
As the #Rangad and #David pointed out in the comment below, you should generate the query string using http_build_query:
...
$stmt->execute();
$row = $stmt->fetch();
header('Location: example.com/profile?'.http_build_query($row)) ;
Related
I have a sql statement to update confirm code and code in the database. I'm using bind param to bind the variables. It worked fine for my select and insert sql statements. However, it keeps giving me this error:
Fatal error: Uncaught Error: Call to a member function bind_param() on boolean
when I tried to execute the update query. I tried to search on every forums possible but found no answers and I hope someone could maybe spot my mistake. I'm having issues with $query1. Both code and confirmcode are varchar and not integer.
$username = $_GET['username'];
$code = $_GET['code'];
$confirmcode = "1";
$updatecode ="0";
$query=$con->prepare("SELECT username, code FROM customer_detail WHERE username ='$username'");
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query1=$con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?"); //error
$query1->bind_param('sss',$username, $updatecode, $confirmcode); //error
$query1->execute();
The problem is that MySQLi can't run multiple queries at once, because it uses ubuffered queries. You'll need to close the first statement before you can run another. Add the following line after $query->fetch();.
$query->close();
This being said, your first query isn't guarded against SQL injection, because you use the variable directly in the query. Adding proper placeholders for your query, the final code would look like this
$query = $con->prepare("SELECT username, code FROM customer_detail WHERE username =?");
$query->bind_param('s', $username);
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query->close();
$query1 = $con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?");
$query1->bind_param('sss',$username, $updatecode, $confirmcode);
$query1->execute();
$query1->close();
Try below code. Basically, you need to bind the params in the same order in which the placeholders (?) appear in the sql.
$query=$con->prepare("SELECT username, code FROM customer_detail WHERE username = ?");
$query->bind_param('s', $username);
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query1=$con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?");
$query1->bind_param('sss', $updatecode, $confirmcode, $username);
$query1->execute();
Have you tried tis?
$query1->bind_param('iis', $updatecode, $confirmcode, $username);
I can't seem to work out how to retrieve number of rows from the database using my query, whenever I run the query It just returns zero even though it's in my database
$username = $_POST['username'];
$hash = password_verify($password, $passwordcheck);
if($stmt = $conn -> prepare("SELECT username, email, password FROM users WHERE (username = ? OR email = ?) AND password = ?"))
{
$stmt -> bind_param("sss", $username, $username, $hash);
$stmt -> execute();
$stmt -> bind_result($checkedUsername, $checkedEmail, $checkedPassword);
$stmt -> fetch();
$numberofrows = $stmt->num_rows;
$stmt -> close();
}
echo '# rows: '.$numberofrows;
Can anyone give me any hints? Can't see to wrap my head around it, thanks.
Btw, the $hash has already been queried prior to this statement.
Posting this as a community wiki:
add $stmt->store_result(); after your execute()
As I assume you have used password_hash() on the password you store in the database. Then you should not be using it in a search criteria. Re-hashing the same string will not generate the same hash using password_hash() as it will use a different SALT each time its run Thats why its the recommended hashing tool.
So you need to do something like this
$username = $_POST['username'];
$stmt = $conn->prepare("SELECT username, email, password
FROM users WHERE (username = ? OR email = ?)")
if($stmt) {
$stmt->bind_param("ss", $username, $username);
$stmt->execute();
// As per #fred-ii- comment
$stmt->store_result();
$stmt->bind_result($checkedUsername, $checkedEmail, $checkedPassword);
$stmt->fetch();
echo '# rows: ' . $stmt->num_rows;
if ( password_verify($_POST['password'], $checkedPassword) ) {
// password is correct
} else {
// password is NOT correct
}
$stmt -> close();
}
The problem is, I have a statement like this one below and i use it in server side of my android app
$statement = mysqli_prepare($con, "SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
$result = mysqli_stmt_execute($statement);
$rows = mysqli_stmt_fetch($result);
And I want to know how many rows are back from it so I can know if there is already data in the database with the same username and email or not, but it doesn't work.
How to solve this problem? And thanks in advance.
And I want to know how many rows are back
Nope, you don't. That's a false goal.
When working with a database, you should always request the exact data you need, instead of doing some calculations on the client side.
So in your case you need the user info - so select that info. Means this very user info you can use to tell whether your query returned anything or not.
$statement = mysqli_prepare($con, "SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
mysqli_stmt_execute($statement);
$result = mysqli_get_result($statement);
$user = mysqli_fetch_assoc($result);
//now you have the very $user variable to tell whether anything was found
if ($user) {
//user exists
}
All you are missing is to use the num_rows function with the resulting mysqli object:
$statement = mysqli_prepare($con,
"SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
$result = mysqli_stmt_execute($statement);
$numbRows = $result->num_rows;
//printing the result:
echo "number of rows = {$numbRows}<br>";
So I'm checking to see if a user already liked a post. Here's what I'm doing
$id = 65;
//Get likes count
$stmt = $con->prepare("SELECT * FROM likes WHERE liked_post_id = :liked_post_id");
$stmt->bindValue(':liked_post_id', $id, PDO::PARAM_STR);
$stmt->execute();
$return = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<pre>
<?php
print_r($return);
?>
</pre>
<?php
//Get user IP
$ip = $_SERVER['SERVER_ADDR'];
//Check if user liked post
$result = $con->prepare("SELECT * FROM likes WHERE liked_post_user = :username");
$result->bindParam(':username', $_SESSION['user']);
$result->execute();
$reprint = $result->fetch(PDO::FETCH_ASSOC);
echo $reprint['liked_post_user'];
$return_cnt = count($reprint);
if($return_cnt < 1){
//Insert like
$query = $con->prepare("INSERT INTO likes (liked_post_id, liked_post_user, liked_post_ip) VALUES (:usr_id, :user, :ip)");
$query->bindValue(':usr_id', $id, PDO::PARAM_STR);
$query->bindValue(':user', $_SESSION['user']);
$query->bindValue(':ip', $ip, PDO::PARAM_STR);
$query->execute();
}
The problem is $query never gets ran. Even though I have no record of the username in the DB. So I'd expect it to run once, and insert $query into the DB, once. But it isn't. I'm not getting any errors either. Any ideas?
First of all you can simply count $reprint. To answer your second issue, you need to select the post, or else it'll simply check all the posts. So do
$result = $con->prepare("SELECT * FROM likes WHERE liked_post_user = :username AND liked_post_id = :post_id");
$result->bindParam(':username', $_SESSION['user']);
$result->bindParam(':post_id', $_GET['id']);
$result->execute();
$reprint = $result->fetch(PDO::FETCH_ASSOC);
Note that if no user is logged in it'll still input an empty value. So make sure to figure a way around that.
The second query should look for a specific liked_post_id. It's currently looking for any posts that the user liked, not just this one.
//Check if user liked post
$result = $con->prepare("SELECT * FROM likes WHERE liked_post_user = :username AND liked_post_id = :id");
$result->bindParam(':username', $_SESSION['user']);
$result->bindParam(':id', $id);
$result->execute();
$reprint = $result->fetch(PDO::FETCH_ASSOC);
And then you should test whether the query found anything by testing whether $reprint is an array or false:
if ($reprint) {
echo $reprint['liked_post_user'];
} else {
//Insert like
$query = $con->prepare("INSERT INTO likes (liked_post_id, liked_post_user, liked_post_ip) VALUES (:usr_id, :user, :ip)");
$query->bindValue(':usr_id', $id, PDO::PARAM_STR);
$query->bindValue(':user', $_SESSION['user']);
$query->bindValue(':ip', $ip, PDO::PARAM_STR);
$query->execute();
}
trying to convert all my old mysql_* operations into new and, from what i've heard, improved PDO, but this query wont seem to run successfully, I am trying to select all from the table PEOPLE where the username = $username (which has previously been declared $username = $_SESSION['username'];)
$query = "SELECT * FROM people WHERE username=?";
$stmt = $conn->prepare($query);
$stmt->bindParam(1, $username);
$stmt->execute();
$num_rows = $stmt->fetchColumn();
if ($num_rows == 1) {
// ...
}
THE WORKING CODE IS:
$query = "SELECT * FROM people
WHERE username=?";
$stmt = $conn->prepare($query);
$stmt->bindParam(1, $username);
$stmt->execute();
$num_rows = $stmt->fetchColumn();
$user = $stmt->fetchObject();
if ($user) {
//do something
}
$stmt->fetchColumn does not fetch the number of rows; in this case it will fetch the first column from the first row of the result set. Since that will not be equal to 1 generally your test will fail.
In this case there is also no real need to count the number of returned rows because you are expecting either one or zero (if the username does not exist). So you can simply do:
$stmt->execute();
$user = $stmt->fetchObject();
if (!$user) {
// not found
}
else {
echo "User $user->username found!";
}
The if(!$user) test works because if there is no row to fetch $user will be false (see the documentation for fetchObject).
$query = "SELECT * FROM people WHERE username = :username";
$stmt = $conn->prepare($query);
$stmt->bindParam(':username', $username);
$stmt->execute();
while ($row = $stmt->fetchObject()) {
// do stuff
}
Use PDOStatement::rowCount as the num_rows and PDOStatement::fetch(PDO::FETCH_ASSOC) as fetch_assoc equivalent.
You want
if ($stmt->num_rows == 1) {
instead.