-5

This code is used to login using authentication , session management. error comes in 15th line of code which is fatal error: call to a member function bindParam() on non-object. i am not understanding that where is the mistake done by me. please help me. 

<?php

      // Sanitize incoming username and password
      $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
      $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
        $pwd= md5($password);

      // Connect to the MySQL server
      $db = new mysqli("localhost", "root", "", "login");

      // Determine whether an account exists matching this username and password
      $stmt = $db->prepare("SELECT id FROM accounts WHERE username =$username and password                                                                 =$pwd");

      // Bind the input parameters to the prepared statement
      // the error comes in this line
      $stmt->bindParam('ss', $username, $pwd); 

      // Execute the query
      $stmt->execute();

      // Store the result so we `enter code here`can determine how many rows have been returned
      $stmt->store_result();

      if ($stmt->num_rows == 1) {

        // Bind the returned user ID to the $id variable
        $stmt->bind_result($id); 
        $stmt->fetch();

        // Update the account's last_login column
        $stmt = $db->prepare("UPDATE accounts SET last_login = NOW() WHERE id=$id");
        $stmt->bind_param('d', $id); 
        $stmt->execute();

        $_SESSION['username'] = $username;

        // Redirect the user to the home page
        header('Location: home.php');
      }

    ?>
Tom van der Woerdt
  • 29,532
  • 7
  • 72
  • 105
user3673256
  • 1
  • check your query,it is failed – ɹɐqʞɐ zoɹǝɟ May 25 '14 at 08:20
  • http://stackoverflow.com/questions/7941089/fatal-error-call-to-a-member-function-bindparam Oops didn't mean to hit enter after typing the URL. Same reason as this question. Your prepare is failing. – EPB May 25 '14 at 08:51

1 Answers1

-1
$stmt = $db->prepare("SELECT id FROM accounts WHERE username =$username and password=$pwd");
$stmt->bindParam('ss', $username, $pwd);

You're binding a parameter that does not exist. You're also trying to bind two parameters with a single call.

Docs for the relevant function

Sample (taken from php.net) :

<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>

[edit]

Looks like this was actually about mysqli. Relevant doc

Relevant sample:

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);
Tom van der Woerdt
  • 29,532
  • 7
  • 72
  • 105