1

Code:

$stmt->bind_param("s", md5($input['user'] . $config['salt']));

PHP Error Message:

Only variables should be passed by reference

I've been working on this project but I am stuck now. I am new to PHP. What to do?

Dharman
Phaby Amardy

2 Answers

12

Thanks for using MySQLi prepared statements! They're a pain, but it's worth it.

bind_param takes values by reference. It does this by looking at the variable you're passing and pointing at the innards directly.

In your call, you're returning the string result of a function call - md5 in this case. Because there's no variable involved, there are no innards to point to. PHP is whining about not being able to pass the data by reference as a result.

You will need to stick the result of the function call into a variable, then pass that variable into the bind instead.

BIG FAT WARNING! md5 is not a secure hash any longer, and should not be used to store passwords. When you get the chance, you should update to a better hash format, such as bcrypt, PBKDF2, scrypt, etc.

Community
Charles
  • Thank you @charles. The error now has gone away, but I am still not able to log into the system, even though my password and username are correct. When I click submit, it is supposed to direct me to the members page (line 54). Instead, it displayed the error message in line 60. $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows > 0) { //set session variable $_SESSION['username'] = $input['user']; header("Location: members.php");//line 54 } else { //username/password incorrect $error['alert'] = "Username or password incorrect!";//line60 – Phaby Amardy Dec 10 '12 at 16:46
  • MD5 was designed as a Message Digest and was never intended to store passwords. – Dour High Arch Jun 09 '20 at 02:03
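An added example, not code from the question or the answers: the same bind_param pattern with the md5 call replaced by PHP's built-in bcrypt support (password_hash / password_verify, PHP 5.5+; the typed signatures need PHP 7+). The table users(username, password_hash), the function names and the connection details are assumptions made for illustration.

```php
<?php
// Added example. Assumed (hypothetical) schema:
//   users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255))

function register_user(mysqli $db, string $user, string $pass): bool
{
    // password_hash() generates a random salt per password and embeds it
    // in the returned string, so no application-wide salt is concatenated.
    $hash = password_hash($pass, PASSWORD_BCRYPT);

    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // bind_param() receives its arguments by reference: the hash is stored
    // in $hash first instead of passing the function call result directly.
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function check_login(mysqli $db, string $user, string $pass): bool
{
    // A bcrypt hash of the same password differs on every call, so it cannot
    // be compared in the WHERE clause. Select by username only, then verify.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored);          // $stored is filled in by fetch()
    $found = ($stmt->fetch() === true);   // fetch() returns null when no row matches
    $stmt->close();

    // password_verify() re-derives the hash using the salt and cost stored
    // inside $stored and compares the result in constant time.
    return $found && password_verify($pass, $stored);
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// if (check_login($db, $input['user'], $input['pass'])) {
//     session_regenerate_id(true);       // new session id after authentication
//     $_SESSION['username'] = $input['user'];
// }
```

Existing md5 rows cannot be converted in place, because the original passwords are not recoverable from them; they have to be replaced the next time each user logs in or resets their password.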
5

Every parameter (but the first) of the bind_param method must be a variable and not, as in your case, a function return value. Only variables can be passed by reference.

With this in mind, you can easily change the code to get rid of the error message:

$input['hash'] = md5($input['pass'] . $config['salt']);
$stmt->bind_param("ss", $input['user'], $input['hash']);
hakre
  • Thank you @hakre. The error now has gone away, but I am still not able to log into the system, even though my password and username are correct. When I click submit, it is supposed to direct me to the members page (line 54). Instead, it displayed the error message in line 60. $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows > 0) { //set session variable $_SESSION['username'] = $input['user']; header("Location: members.php");//line 54 } else { //username/password incorrect $error['alert'] = "Username or password incorrect!";//line60 – Phaby Amardy Dec 10 '12 at 16:46
  • If you are sure that username and password are correct, then it's obvious that their processing must contain the problem. See here for some general infos http://php.net/manual/en/faq.passwords.php Also please improve your question here and make your actual / follow-up problem clear. You already had some comments yesterday and I did some partial edits on my own, but please continue where I stopped. – hakre Dec 10 '12 at 16:48