0

I am getting a mysqli warning in my error report stating:

Warning: mysqli_stmt::bind_result() [mysqli-stmt.bind-result]: Number of bind variables doesn't match number of fields in prepared statement in ... on line 36

Does anyone know how I can bind the results correctly so that this warning can go away? I can't really see what the problem is, but then saying this, I am a beginner when it comes to using mysqli.

Below is the code:

<?php
  // PHP code
  session_start(); 

//connected to db

  // required variables (make them explicit, no need for foreach loop)
  $teacherusername = (isset($_POST['teacherusername'])) ? $_POST['teacherusername'] : '';
  $teacherpassword = (isset($_POST['teacherpassword'])) ? $_POST['teacherpassword'] : '';
  $loggedIn = false;

  if (isset($_POST['submit'])) {

    $teacherpassword = md5(md5("j3Jf92".$teacherpassword."D203djS"));  

    // don't use $mysqli->prepare here
    $query = "SELECT * FROM Teacher WHERE TeacherUsername = ? AND TeacherPassword = ? LIMIT 1";
    // prepare query
    $stmt=$mysqli->prepare($query);
    // You only need to call bind_param once
    $stmt->bind_param("ss",$teacherusername,$teacherpassword);
    // execute query
    $stmt->execute(); 
    // get result and assign variables (prefix with db)
    $stmt->bind_result($dbTeacherForename,$dbTeacherSurname,$dbTeacherUsername,$dbTeacherPassword);

    while($stmt->fetch()) {
      if ($teacherusername == $dbTeacherUsername && $teacherpassword == $dbTeacherPassword) {
        $loggedIn = true;
      }
    }

    if ($loggedIn == true){
      // left your session code as is - but think wisely about using
      $_SESSION['teacherforename'] = $dbTeacherForename;
      $_SESSION['teachersurname'] = $dbTeacherSurname;
      header( 'Location: menu.php' ) ;
      die();
    }

       /* close statement */
    $stmt->close();

    /* close connection */
    $mysqli->close();
  }
?>
user1394925

2 Answers

1

Using the wildcard * is not recommended. Probably there are more columns in the table than just the 4 you need?

I would go with

SELECT TeacherForname, TeacherSurname, TeacherUsername, TeacherPassword FROM Teacher WHERE TeacherUsername = ? AND TeacherPassword = ? LIMIT 1
Leon Kramer
0

The error is occurring because you're asking mysqli to bind x columns to y variables where x != y. How many columns are in the Teacher table?

Matt
  • There are 8 columns, but I have removed the wild card and just included the field names as Leon Kramer mentioned – user1394925 Aug 10 '12 at 14:24
  • @user1517628 That's why. You're trying to bind 8 columns to 4 variables, which is not allowed. Rookie mistake, no biggie. Did the secure passwords q/a help? – Matt Aug 10 '12 at 14:25
  • Can I ask you something on salting passwords, when reading the article you linked me to, if I still use md5 but be able to use this php code create `$salt = ""; for ($i = 0; $i < 40; $i++) { $salt .= substr( "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1); }` to randomly generate the salt each time. Could that make it more secure and if it does, how can I include the random salt generator to `$teacherpassword = md5(md5("".$teacherpassword.""));`. If you know? – user1394925 Aug 10 '12 at 14:26
  • @user1517628 Honestly, I just scanned the answers. I haven't implemented any of that yet (not working on anything requiring password storage at the moment). Sorry :-/ – Matt Aug 10 '12 at 14:27
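
An added example, not code from the question or from either answerer: one way to write the lookup so that the bound variables match the selected columns, with the password checked by `password_verify()` instead of a salted `md5()` compared in SQL. It assumes PHP 7.1+, an open `$mysqli` connection, that `TeacherForename` and `TeacherSurname` are the actual column names, and that `TeacherPassword` holds `password_hash()` output; both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumed: an open mysqli connection,
// columns TeacherForename/TeacherSurname exist under those names, and
// TeacherPassword stores password_hash() output (e.g. VARCHAR(255)).

// Hypothetical helper: returns the teacher's names on success, null on failure.
function authenticateTeacher(mysqli $mysqli, string $username, string $password): ?array
{
    // Name exactly the columns that get bound. SELECT * returns every column
    // in the table, so the count no longer matches the bind_result() list.
    $sql = "SELECT TeacherForename, TeacherSurname, TeacherPassword
              FROM Teacher WHERE TeacherUsername = ? LIMIT 1";

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // Guard: fail loudly if the column list and the bind list drift apart.
    $columns = $stmt->field_count;
    if ($columns !== 3) {
        $stmt->close();
        throw new LogicException("query returns $columns columns, expected 3");
    }

    $stmt->bind_result($forename, $surname, $storedHash);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();

    // password_verify() reads the salt and cost stored inside $storedHash,
    // recomputes the hash and compares it in constant time.
    if ($found !== true || !password_verify($password, $storedHash)) {
        return null;
    }
    return ['forename' => $forename, 'surname' => $surname];
}

// Hypothetical helper for account creation: password_hash() generates a
// random salt per password and embeds it in the returned string.
function hashTeacherPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}
```

After a successful return, calling `session_regenerate_id(true)` before writing to `$_SESSION` keeps a pre-login session ID from being reused.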