For user registration, I want to make sure the username and emails aren't already in use. I have already connected to $mysqli somewhere else in the code.
$usr = $mysqli->real_escape_string($_POST['susername']);
$eml = $mysqli->real_escape_string($_POST['semail']);
$stmt = $mysqli->prepare("SELECT userid FROM users WHERE username=? || email=?");
$stmt->bind_param("is", $usr, $eml);
$stmt->execute();
$stmt->bind_result($count);
$stmt->close();
However, count contains nothing. How can I check if something already exists in the DB?
Change,
stmt = $mysqli->prepare("SELECT userid FROM users WHERE username=? || email=?");
To
stmt = $mysqli->prepare("SELECT count(userid) FROM users WHERE username=? || email=?");
Then you should fetch the value using fetch()
Is your username an integer? You can try the following code,
$stmt->bind_param("ss", $usr, $eml); //ss
Related
I have a sql statement to update confirm code and code in the database. I'm using bind param to bind the variables. It worked fine for my select and insert sql statements. However, it keeps giving me this error:
Fatal error: Uncaught Error: Call to a member function bind_param() on boolean
when I tried to execute the update query. I tried to search on every forums possible but found no answers and I hope someone could maybe spot my mistake. I'm having issues with $query1. Both code and confirmcode are varchar and not integer.
$username = $_GET['username'];
$code = $_GET['code'];
$confirmcode = "1";
$updatecode ="0";
$query=$con->prepare("SELECT username, code FROM customer_detail WHERE username ='$username'");
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query1=$con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?"); //error
$query1->bind_param('sss',$username, $updatecode, $confirmcode); //error
$query1->execute();
The problem is that MySQLi can't run multiple queries at once, because it uses ubuffered queries. You'll need to close the first statement before you can run another. Add the following line after $query->fetch();.
$query->close();
This being said, your first query isn't guarded against SQL injection, because you use the variable directly in the query. Adding proper placeholders for your query, the final code would look like this
$query = $con->prepare("SELECT username, code FROM customer_detail WHERE username =?");
$query->bind_param('s', $username);
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query->close();
$query1 = $con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?");
$query1->bind_param('sss',$username, $updatecode, $confirmcode);
$query1->execute();
$query1->close();
Try below code. Basically, you need to bind the params in the same order in which the placeholders (?) appear in the sql.
$query=$con->prepare("SELECT username, code FROM customer_detail WHERE username = ?");
$query->bind_param('s', $username);
$query->execute();
$query->bind_result($checkusername, $checkcode);
$query->fetch();
$query1=$con->prepare("UPDATE customer_detail SET code=?, confirmcode=? WHERE username = ?");
$query1->bind_param('sss', $updatecode, $confirmcode, $username);
$query1->execute();
Have you tried tis?
$query1->bind_param('iis', $updatecode, $confirmcode, $username);
I can't seem to work out how to retrieve number of rows from the database using my query, whenever I run the query It just returns zero even though it's in my database
$username = $_POST['username'];
$hash = password_verify($password, $passwordcheck);
if($stmt = $conn -> prepare("SELECT username, email, password FROM users WHERE (username = ? OR email = ?) AND password = ?"))
{
$stmt -> bind_param("sss", $username, $username, $hash);
$stmt -> execute();
$stmt -> bind_result($checkedUsername, $checkedEmail, $checkedPassword);
$stmt -> fetch();
$numberofrows = $stmt->num_rows;
$stmt -> close();
}
echo '# rows: '.$numberofrows;
Can anyone give me any hints? Can't see to wrap my head around it, thanks.
Btw, the $hash has already been queried prior to this statement.
Posting this as a community wiki:
add $stmt->store_result(); after your execute()
As I assume you have used password_hash() on the password you store in the database. Then you should not be using it in a search criteria. Re-hashing the same string will not generate the same hash using password_hash() as it will use a different SALT each time its run Thats why its the recommended hashing tool.
So you need to do something like this
$username = $_POST['username'];
$stmt = $conn->prepare("SELECT username, email, password
FROM users WHERE (username = ? OR email = ?)")
if($stmt) {
$stmt->bind_param("ss", $username, $username);
$stmt->execute();
// As per #fred-ii- comment
$stmt->store_result();
$stmt->bind_result($checkedUsername, $checkedEmail, $checkedPassword);
$stmt->fetch();
echo '# rows: ' . $stmt->num_rows;
if ( password_verify($_POST['password'], $checkedPassword) ) {
// password is correct
} else {
// password is NOT correct
}
$stmt -> close();
}
The problem is, I have a statement like this one below and i use it in server side of my android app
$statement = mysqli_prepare($con, "SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
$result = mysqli_stmt_execute($statement);
$rows = mysqli_stmt_fetch($result);
And I want to know how many rows are back from it so I can know if there is already data in the database with the same username and email or not, but it doesn't work.
How to solve this problem? And thanks in advance.
And I want to know how many rows are back
Nope, you don't. That's a false goal.
When working with a database, you should always request the exact data you need, instead of doing some calculations on the client side.
So in your case you need the user info - so select that info. Means this very user info you can use to tell whether your query returned anything or not.
$statement = mysqli_prepare($con, "SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
mysqli_stmt_execute($statement);
$result = mysqli_get_result($statement);
$user = mysqli_fetch_assoc($result);
//now you have the very $user variable to tell whether anything was found
if ($user) {
//user exists
}
All you are missing is to use the num_rows function with the resulting mysqli object:
$statement = mysqli_prepare($con,
"SELECT * FROM accounts WHERE email = ? OR username = ?");
mysqli_stmt_bind_param($statement, "ss", $email, $username);
$result = mysqli_stmt_execute($statement);
$numbRows = $result->num_rows;
//printing the result:
echo "number of rows = {$numbRows}<br>";
I am trying to run a prepared statement inside a prepared statement but got no success. Here is my code:
if ($stmt = $mysqli->prepare("SELECT author_id FROM posts")) {
$stmt->execute();
$stmt->bind_result($author_id);
while ($stmt->fetch()) {
if ($stmt2 = $mysqli->prepare("SELECT username FROM users WHERE id=? LIMIT 1")) {
$stmt2->bind_param("s", $author_id);
$stmt2->execute();
$stmt2->bind_result($username);
$stmt2->fetch();
$stmt2->close();
//showing username
echo $username;
}
}
$stmt->close();
}
I am getting author id from a table and then from author id I'm trying to get author's name from another table.
Can you please tell me any way to do this or any modification in this script can get it done.
Sometimes PHP section of this site makes my eyes aching. Not only question lacks very basic knowledge in every aspect of programming, but also answers promote terrible practices.
You have to report errors to make yourself aware of the certain reason. Either usual way, via $conn->error or by setting mysqli in exception mode.
After reading the error message, you can google for a solution - store_result()
For such a dataset, NO loop needed ever, as you have to use JOIN instead:
And so whole code become
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$sql = "SELECT username FROM posts p, users u WHERE u.id=author_id";
$res = $mysqli->query($sql);
while ($row = mysqli_fetch_row()) {
echo $row[0];
}
Use another mysqli object for inner loop.
$mysqli = new mysqli(host, user, password, dbname);
$mysqli2 = new mysqli(host, user, password, dbname);
if ($stmt = $mysqli->prepare("SELECT author_id FROM posts")) {
$stmt->execute();
$stmt->bind_result($author_id);
while ($stmt->fetch()) {
if ($stmt2 = $mysqli2->prepare("SELECT username FROM users WHERE id=? LIMIT 1")) {
$stmt2->bind_param("s", $author_id);
$stmt2->execute();
$stmt2->bind_result($username);
$stmt2->fetch();
$stmt2->close();
//showing username
echo $username;
}
}
$stmt->close();
I'm trying to get the data from table row from information via cookie.
Here's what I have so far:
$cookie_id = #$_COOKIE['id'];
$cookie_pass = #$_COOKIE['password'];
if ($_COOKIE['id']) {
if ($stmt = mysqli_prepare($mysqli, "SELECT id, password FROM `members` WHERE id=? AND password=?")) {
mysqli_stmt_bind_param($stmt, "ss", $cookie_id, $cookie_pass);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $cookie_id, $cookie_pass);
$logged = mysqli_stmt_fetch($stmt);
printf("USER ID: %s\n", $cookie_id);
// prints "1"
echo "Hello, " . $logged['username'] . "!";
}
}
And that yields: USER ID: 1 Hello, ! at the very top of the page.
What am I doing wrong? I am trying to get it so I can get the username from the table row I am trying to locate. How do I get the $logged['username'] (or any data from the row), based on the password and ID, to show up?
and adding error_reporting(E_ALL); does not show any additional errors.
You are just selecting password and id from table so when you are will fetch the data you will not get username
The general syntax is
SELECT col1,col2, .... coln FROM `members` WHERE id=? AND password=?
either you have to use * for specify the columns you want to select
your process should be something like this :
if ($stmt = mysqli_prepare($mysqli, "SELECT id, password , username FROM `members` WHERE id=? AND password=?")) {
mysqli_stmt_bind_param($stmt, "ss", $cookie_id, $cookie_pass);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $cookie_id, $cookie_pass, $username);
printf("Hello %s", $username);
}
You can refer documentation
You're trying to print the username field but the select portion of your query is only retrieving the id and password fields. Unlike mysqli_get_result() or similar functions, mysqli_stmt_fetch() only returns a boolean for success or failure, the output is passed to the variables assigned to it in the mysqli_stmt_bind_result() function. Adding $username as a third parameter to that function and adding username to the end of your select query will populate the $username variable with the user's username after the call to fetch().
To clarify, your query should be:
SELECT id, password,username FROM `members` WHERE id=? AND password=?
and the call to bind should be:
mysqli_stmt_bind_result($stmt, $cookie_id, $cookie_pass, $username);