$stmt = $mysqli->prepare("SELECT username, email, password, code FROM temp_users WHERE code = ?");
$stmt->bind_param('s', $code);
$stmt->execute();
$stmt->store_result();
//if SELECT statement returns 1, grab data.
if ($stmt->num_rows === 1) {
echo "Got Row";
$result = $stmt->get_result();
var_dump($result);
while ($row = $result->fetch_assoc()) {
$username = $row['username'];
$email = $row['email'];
$password = $row['password'];
}
This is really weird, the query must be going through because the script is echoing "Got Row", and I have no errors up to that point. But when I try to use $result->fetch_assoc() I get an error,and $result is spitting out false, so why is that? Please excuse how dumb this question may seem, I'm still learning how to use mysqli. :)
Your question is neither dumb nor weird. You are simply confused by store_result() and get_result().
Both of these functions fetch the whole record set from the database. Once the data is fetched you can't fetch it again. Therefore, you can't use both of these functions at the same time!
We can fix your code in two ways.
With store_result():
$stmt = $mysqli->prepare("SELECT username, email, password, code FROM temp_users WHERE code = ?");
$stmt->bind_param('s', $code);
$stmt->execute();
$stmt->store_result();
//if SELECT statement returns 1, grab data.
if ($stmt->num_rows === 1) {
echo "Got Row";
$stmt->bind_result($username, $email, $password);
while ($stmt->fetch()) {
// use the data here
var_dump($username);
}
}
with get_result():
$stmt = $mysqli->prepare("SELECT username, email, password, code FROM temp_users WHERE code = ?");
$stmt->bind_param('s', $code);
$stmt->execute();
$result = $stmt->get_result();
//if SELECT statement returns 1, grab data.
if ($result->num_rows === 1) { // <--- !!! We are using the result object here
echo "Got Row";
foreach ($result as $row) {
$username = $row['username'];
$email = $row['email'];
$password = $row['password'];
}
}
Related
I'm trying to select things from my database and echo them. For some reason the only thing I can echo is the email. The id and the username doesn't show up. I don't get any errors, they just don't appear.
$sql = "SELECT id, email, username FROM users WHERE email = ?";
if ($stmt = mysqli_prepare($link, $sql)) {
mysqli_stmt_bind_param($stmt, "s", $param_email);
$param_email = $email;
if (mysqli_stmt_execute($stmt)) {
mysqli_stmt_store_result($stmt);
if (mysqli_stmt_num_rows($stmt) == 1) {
mysqli_stmt_bind_result($stmt, $id, $email, $username);
$error = 0;
$to = $email;
echo "id:".$id;
echo $username;
echo $email;
} else {
//some stuff
}
} else {
$error = 1;
}
}
What Am I missing?
The reason why you cannot see any values fetched from the database is because you forgot to call fetch() after bind_result().
However, you are overcomplicating things. You do not need so many if statements and you should not use bind_result() if you have more than one column. This gets very messy. Use get_result() to fetch the results and then fetch the single row you need(assuming email is unique and your SELECT returns 0 or 1 records).
$stmt = $link->prepare("SELECT id, email, username FROM users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result()->fetch_assoc();
if ($result) {
$error = 0;
$to = $result['email'];
echo "id:".$result['id'];
echo $result['username'];
echo $result['email'];
} else {
$error = 1;
}
There is no need for mysqli_stmt_num_rows. The data itself tells you if something was returned or not. This also protects you from a similar problem when using unbuffered queries. It is easy to accidentally omit mysqli_stmt_store_result().
Never check the return value of mysqli_stmt_execute() or mysqli_prepare(). This is a terrible and messy practice. Ensure you have error reporting switched on. See How to get the error message in MySQLi?
I'm trying to do an execution of a query and see if it goes well, but right now it doesn't enter the IF or ELSE.
I had it on mysqli procedural and all worked flawlessy now I'm trying to change it to object oriented and it won't enter inside if/else.
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = md5($_POST["password"]);
$query = "SELECT * FROM Users WHERE Email=? AND Password=?";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $email,$password);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows == 1)
{
?>
<script type="text/javascript">
alert("INSIDE");
</script>
<?php
$row = $result->fetch_assoc();
if(isset($_POST['remember']))
{
$_SESSION["remember"] = "1";
}
$_SESSION["username"] = $row['Username'];
$_SESSION['check'] = "1";
$_SESSION['ID'] = $id;
$_SESSION['permission'] = $row['Admin'];
header("Location: dashboard.php");
exit;
}
else
{
?>
<script type="text/javascript">
alert("Credentials Are Wrong!");
</script>
<?php
exit;
}
$stmt->close();
}
Thank you all.
You should be using
$stmt->bind_result($col1, $col2 ...);
and
$result = $stmt->fetch();
in order to access the data from the query, rather than
$conn->query($stmt);
(an example is provided at https://secure.php.net/manual/en/mysqli-stmt.fetch.php). Note that for this to work you will need to specify the column names you want to fetch from the database, rather than using * in your SQL query, and for each column data is fetched from in the query, you should have a variable for in the fetch() parameters, so for example, something as follows should work (note these may not match the names of your database columns):
$email = $_POST["email"];
$password = md5($_POST["password"]);
$stmt = $conn->prepare("SELECT ID, Name FROM Users WHERE Email=? AND Password=?");
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($id, $name);
$stmt->fetch();
$stmt->close();
echo $id . ': ' . $name;
Updated Answer
You are very close. Use $result = $stmt->get_result(); instead of $result = $stmt->query; to check to see if the query returned a result or not.
$email = $_POST["email"];
$password = md5($_POST["password"]);
$query = "SELECT * FROM Users WHERE Email = ? AND Password = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows !== 0){
if(isset($_POST['remember'])){
$_SESSION["remember"] = "1";
}
$_SESSION['check'] = "1";
$_SESSION['ID'] = $row['ID'];
header("Location: dashboard.php");
exit();
}else{
echo
'<script type="text/javascript">
alert("Credentials Are Wrong!");
</script>';
exit();
}
$stmt->close();
As several have already stated in their comments do not use MD5 for password hashes. PHP has it's own built in functions for handling passwords. Please research Password_has() and Password_verify(). Spend the time to research and implement these now instead of later. It will save you time.
Making a login form and this is my first time using prepared statements. My issue is the num_rows keeps returning 0, despite entering the correct email and password that matches the email and password of my table. I tested that the connection works and the SQL statement works also, its just the num_rows is always 0.
PHP(without php tags and connection code):
$email = $_POST['email'];
$password = md5($_POST['password']);
if(!($stmt = $con->prepare("SELECT `email`, `password` FROM users WHERE `email` = ? AND `password` = ?")))
{
echo "Prepare failed: (" . $con->errno . ")" . $con->error;
}
else
{
echo " Query read \n";
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->store_result();
$num_of_rows = $stmt->num_rows;
$stmt->bind_result($email, $password);
echo $num_of_rows;
if($num_of_rows == 1) //To check if the row exists
{
echo "Exists";
if($stmt->fetch()) //fetching the contents of the row
{
echo "Exists";
$_SESSION['loggedin'] = true;
$_SESSION['message'] = "logged in";
$_SESSION['email'] = $email;
echo "Success!";
exit();
}
}
else
{
echo "Error";
}
}
Hopefully I've just forgotten something, but either way I am stumped.
Thanks in advance!
The value returned by num_rows may not be a valid count of rows returned until all of the rows are retrieved. That's the case for a mysqli_result. The documentation makes it appear that the num_rows function of a mysqli_stmt should be available immediately after a store_result.
Seems like the most reasonable explanation for the behavior is that the query did not return a row.
Documentation:
http://php.net/manual/en/mysqli-result.num-rows.php
http://php.net/manual/en/mysqli-stmt.num-rows.php
Why do we need to use num_rows at all? That just seems like a lot of unneeded clutter. We could just do the fetch. If it returns TRUE, we know there was at least one row returned. If it's FALSE, then zero rows were returned. No need to muck with num_rows.
If we are going to use store_result, its a good pattern to follow that with a free_result once we're done with the resultset
Also, do not use MD5 for password hash. And there's no need to return the password hash from the database, we can omit that from the SELECT list.
https://security.stackexchange.com/questions/19906/is-md5-considered-insecure
as mentioned ditch out, my_num_rows, and store_result, below works for me.
$email = $_POST['email'];
$password = $_POST['password'];
$arr = array();
$stmt = $db->prepare("SELECT email, password FROM users where email = :email
and password = :password");
$stmt->bindParam(":email", $password);
$stmt->bindParam(":password", $password);
$stmt->execute();
$arr = $stmt->fetchAll();
if(!$arr) exit('No rows');
print_r($arr);
$stmt = null;
You also want to fetch the results, like this:
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->store_result();
$stmt->fetch();
$num_of_rows = $stmt->num_rows;
$stmt->bind_result($email, $password);
echo $num_of_rows;
I have managed to write a php script that checks if a username already exists in the database and only adds a new user if it does not already exist.
This is my php script:
<?php
require "init.php";
if(isset($_POST['username']) && isset($_POST['forename']) && isset($_POST['surname']) && isset($_POST['password'])){
$username = $_POST['username'];
$forename = $_POST['forename'];
$username = $_POST['surname'];
$password = $_POST['password'];
$stmt = "SELECT username FROM users WHERE username = ?";
$result = $dbcon -> prepare($stmt);
$result->bind_param('s', $username);
$result->execute();
$result->bind_result($username);
if($result->fetch()){
echo "Can't add new user as it already exists!";
}
else{
$stmt_two = "INSERT INTO users (username, forename, surname, password)
VALUES(?, ?, ?, ?)";
$result_two = $dbcon -> prepare($stmt_two);
$result_two->bind_param('ssss', $username, $forename, $surname, $password);
$result_two->execute();
$result_two->close();
echo json_encode("Success");
}
}
?>
I believe the records are not being inserted or being inserted intermittently due to the fact that I have more than one prepared statement. If I just do the INSERT INTO statement on its' own with the SELECT FROM statement - the records are added almost instantly.
Why is this and what is wrong with my code?
Thanks
Just as I have said in the comments, don't over complicate and just check the number of rows found. No need to fetch anything. You're just checking if that user exists anyway.
$stmt = "SELECT username FROM users WHERE username = ?";
$result = $dbcon->prepare($stmt);
$result->bind_param('s', $username);
$result->execute();
$result->store_result();
if($result->num_rows() > 0) { // if it exists
} else {
// make your insertions
}
And another note:
isset can take multiple arguments:
if(isset($_POST['username'], $_POST['forename'], $_POST['surname'], $_POST['password'])) {
// and so on
}
Edit: Another flavor (using COUNT() of MySQL):
$stmt = "SELECT COUNT(username) FROM users WHERE username = ?";
$result = $dbcon->prepare($stmt);
$result->bind_param('s', $username);
$result->execute();
$result->bind_result($count);
$result->fetch();
if($count > 0) { // exists
} else {
// do something else
}
I actually have this PHP code, which i use to obtain my database info..
function searchUserEmail($username, $raw_email){
//Prepare Statements
$query = "SELECT * FROM users WHERE username = ?";
$query2 = "SELECT * FROM users WHERE email = ?";
//Sanitize Input
$user = $this->conn->real_escape_string($username);
$email = $this->conn->real_escape_string($raw_email);
if($stmt = $this->conn->prepare($query)){
$stmt->bind_param('s', $user);
$stmt->execute();
if($stmt->num_rows > 0){
$stmt->close();
return true;
}
}
if($stmt = $this->conn->prepare($query2)){
$stmt->bind_param('s', $email);
$stmt->execute();
if($stmt->num_rows > 0){
$stmt->close();
return true;
}
}
return false;
}
I've tried this alot of times, ran it through a statement checker, still it doesn't work. Is there anything i'm missing???
Somehow it always returns a false (Even though its suppose to return true)
mysql_select_db($dataname,$conn);