-1

I am working on a login system for a project using MVC programming and ran into this error. Here is the code, the problem line is #31

This login system is a tutorial, I have been working through it exactly as is. I've read there are some version issues with PHP 5? Not sure, hopefully somebody could assist me.

Problem line:

```php
$stmt->bind_param("ss", $user, md5($pass . $this->salt));
```

Code:

```php
<?php

/*
    Authorization Class
    deal with auth tasks
*/

class Auth
{
private $salt = 'j4H9?s0d';

/*
    Constructor
*/
function __construct()
{
}

/*
    Functions

*/
function validateLogin($user, $pass)
{
    // access db
    global $Database;

    // create query
    if ($stmt = $Database->prepare("SELECT * FROM users WHERE username = ? AND password = ?"))
    {
        $stmt->bind_param("ss", $user, md5($pass . $this->salt));
        $stmt->execute();
        $stmt->store_result();

        // check for num rows
        if ($stmt->num_rows > 0)
        {
            // success
            $stmt->close();
            return TRUE;
        }
        else
        {
            // failure
            $stmt->close();
            return FALSE;
        }
    }
    else
    {
        die("ERROR: Could not prepare MySQLi statement.");
    }
}

function checkLoginStatus()
{
    if (isset($_SESSION['loggedin']))
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

function logout()
{
    session_destroy();
    session_start();
}
}
```
tereško
  • 2
    possible duplicate of [Strict Standards: Only variables should be passed by reference](http://stackoverflow.com/questions/2354609/strict-standards-only-variables-should-be-passed-by-reference) – Oswald Jan 20 '14 at 20:15
  • Please don't use MD5 for hashing passwords. PHP 5.5+ has [password API](http://uk.php.net/manual/en/book.password.php) for that and if that's not an option, you can use `crypt()` with blowfish algorithm as a fallback. Also, **don't use global variable** for propagating DB connection. Instead you should use something like this: http://stackoverflow.com/a/11369679/727208 (the approach can be easily adopted to work with MySQLi). And if that code of yours comes from some tutorial - find a different tutorial, ASAP. – tereško Jan 20 '14 at 20:49

4 Answers

1

bind_param's params are references to variables. You can't use md5() there. You need to save it to a variable first.

```php
$userPass = md5($pass . $this->salt);
$stmt->bind_param("ss", $user, $userPass);
```
gen_Eric
0

The problem is that the 3rd parameter is the result of a function call:

```php
md5($pass . $this->salt)
```

You need to save that value to a variable before passing it to bind_param so that it can be passed by reference.

Example:

```php
$password = md5($pass . $this->salt);
$stmt->bind_param("ss", $user, $password);
```

Also, don't use md5 to hash passwords.

Michael Moussa
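The by-reference fix from the answers above combined with the password API that the comments recommend, as an added example that is not code from the question, the tutorial or any answer. It goes one step further and upgrades rows still stored in the tutorial's `md5($pass . $salt)` format on the next successful login. Assumptions: PHP 5.6+, a `users` table with `username` and `password` columns (the latter `NOT NULL` and at least `VARCHAR(255)`), an injected `mysqli` connection; `legacySalt` and `storeHash` are hypothetical names.

```php
<?php
// Added example, not the tutorial's code. Assumed schema: users(username, password),
// with password NOT NULL and wide enough for password_hash() output.
class Auth
{
    private $db;
    private $legacySalt = 'j4H9?s0d'; // hypothetical name; salt of the old md5 scheme
    // The connection is injected rather than read from a global.
    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    public function validateLogin($user, $pass)
    {
        // Per-user salted hashes cannot be matched in SQL: fetch by username only.
        $stmt = $this->db->prepare("SELECT password FROM users WHERE username = ?");
        if ($stmt === false) {
            throw new RuntimeException("Could not prepare MySQLi statement.");
        }
        $stmt->bind_param("s", $user); // a variable, so it can be bound by reference
        $stmt->execute();
        $stmt->bind_result($stored);
        $found = $stmt->fetch();
        $stmt->close();
        if (!$found) {
            return false;
        }
        // New-style hash first; otherwise constant-time compare with the legacy format.
        $ok = password_verify($pass, $stored)
            || hash_equals($stored, md5($pass . $this->legacySalt));
        // Upgrade legacy or outdated hashes while the plaintext is available.
        if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $this->storeHash($user, password_hash($pass, PASSWORD_DEFAULT));
        }
        return $ok;
    }
    // Hypothetical helper: $newHash is a named variable, so bind_param accepts it.
    private function storeHash($user, $newHash)
    {
        $stmt = $this->db->prepare("UPDATE users SET password = ? WHERE username = ?");
        if ($stmt === false) {
            throw new RuntimeException("Could not prepare MySQLi statement.");
        }
        $stmt->bind_param("ss", $newHash, $user);
        $stmt->execute();
        $stmt->close();
    }
}
```

Because the stored hash carries its own salt and cost, the lookup binds only the username, and the result of `password_hash()` reaches `bind_param` through a named parameter rather than as a bare function call.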
0

Add parentheses:

```php
$stmt->bind_param("ss", $user, (md5($pass . $this->salt)));
```
revo
0

This was likely fixed in PHP 5.4 as part of Function Array Dereferencing (FAD) (revision 300266).

Alternatively, as a workaround, try adding extra brackets, e.g.

```php
$stmt->bind_param("ss", $user, (md5($pass . $this->salt)));
```

which would dereference the method/function return, see: (<5.6) Occasionally significant parentheses.

kenorb