
Can somebody help me fix my code? I am trying to access a database of password hashes and use them to validate the user login, but I get a couple of errors.

<?php
// Login check as posted in the question: connect with mysqli, look up the
// submitted username, and compare the submitted password with the stored hash.
// The review notes below mark the lines behind the two warnings quoted under
// the script, plus a few security-relevant points.
$servername="localhost";
$username = "*****";
$password = "*******";
$dbname = "*****";
$conn = new mysqli($servername,$username,$password,$dbname);
if($conn->connect_error){
    // NOTE(review): die() sends the driver's connect error text to the client.
    die("Connection to database failed: ".$conn->connect_error);
}
// NOTE(review): both request values are run through mysqli_real_escape_string().
// $uname is later passed as a bound parameter, which needs no escaping, so an
// escaped name is looked up literally. $pw is later handed to password
// verification, so a password containing quotes or backslashes is altered
// before it is compared with the hash.
$uname=mysqli_real_escape_string($conn, $_POST['entered_username']);
$pw=mysqli_real_escape_string($conn, $_POST['entered_password']);

// Three columns are selected here ...
// NOTE(review): a `password` column next to `password_hash` - confirm that no
// plaintext password is stored or needed.
$stmt=$conn->prepare("SELECT username,password,password_hash FROM users WHERE username=?");
$stmt->bind_param('s',$uname);
$stmt->execute();
$stmt->store_result();
// ... but only one variable is bound: this is the bind_result() warning
// ("Number of bind variables doesn't match number of fields").
$stmt->bind_result($result);
// This fetch() already consumes the first result row before the loop below.
$stmt->fetch();

// NOTE(review): $stmt is tested only after it has been used above, and
// connect_error is read as a property earlier in this script but called as a
// method here. 'Connection successful' is printed whenever $stmt is truthy.
if(!$stmt){
echo $conn->connect_error();}
if($stmt){
echo 'Connection successful';}

$found=FALSE;

// $stmt is a mysqli_stmt, not a mysqli_result: this is the mysqli_fetch_assoc()
// warning, and the loop body never runs.
while($row=mysqli_fetch_assoc($stmt))
{
    // NOTE(review): $password_verify is a variable (never assigned in this
    // script), not the password_verify() function.
    if($password_verify($pw,$row['password_hash'])) {
        $found=TRUE;
    }
}


// NOTE(review): $uname comes from the request and is echoed without HTML
// escaping in both messages.
if($found){
    echo "You have successfully logged in as ".$uname."!";
}
else {
    echo "Login as ".$uname." failed!";
}
$stmt->close();
$conn->close();
?>

What I get as output:

Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in /****/login3.php on line 27
Connection successful
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, object given in /****/login3.php on line 37
Login as admin failed!

xFioraMstr18

3 Answers


Thanks guys! It works now! I changed the bind_result statement and got rid of the fetch statement. Apparently, $stmt is of type mysqli_stmt, not mysqli_result and the mysqli_stmt class doesn't have a method fetch_assoc() defined for it.

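// Look up the stored hash for the submitted username and verify the submitted
// password against it. $uname and $pw should be the raw request values: a bound
// parameter needs no escaping, and password_verify() must see exactly what the
// user typed, so passing the password through mysqli_real_escape_string() first
// makes passwords containing quotes or backslashes fail to verify.
$stmt=$conn->prepare("SELECT username,password_hash FROM users WHERE username=?");
if($stmt===false){
    // prepare() returns false on failure; keep the driver detail in the server log.
    error_log("Login query could not be prepared: ".$conn->error);
    die("Login is temporarily unavailable.");
}
$stmt->bind_param('s',$uname);
$stmt->execute();
$stmt->store_result();
// One bound variable per selected column, in SELECT order.
$stmt->bind_result($user,$password_hash);

$found=FALSE;

// fetch() fills the bound variables for each row and stops when no rows remain.
while($stmt->fetch())
{
    // A NULL hash column cannot match any password; skip it instead of passing it on.
    if(is_string($password_hash) && password_verify($pw,$password_hash)) {
        $found=TRUE;
        break; // one match is enough
    }
}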
Community
xFioraMstr18

You are mixing it up. Try with -

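// Variant that reads rows as associative arrays. mysqli_stmt has no
// fetch_assoc(); get_result() (available with the mysqlnd driver) turns the
// executed statement into a mysqli_result, which does.
// Only the columns the check needs are selected.
$stmt=$conn->prepare("SELECT username,password_hash FROM users WHERE username=?");
if($stmt===false){
    // prepare() returns false on failure; test it before the statement is used
    // and keep the driver detail in the server log.
    error_log("Login query could not be prepared: ".$conn->error);
    die("Login is temporarily unavailable.");
}
$stmt->bind_param('s',$uname);
$stmt->execute();
$result=$stmt->get_result();

$found=FALSE;

// $pw should be the raw submitted password: escaping it before verification
// changes passwords that contain quotes or backslashes.
while($result && ($row=$result->fetch_assoc()))
{
    // password_verify is a function, not a variable.
    if(is_string($row['password_hash']) && password_verify($pw,$row['password_hash'])) {
        $found=TRUE;
        break; // one match is enough
    }
}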
Sougata Bose

You have to bind one variable per selected column; the number of bound variables has to match the number of fields in the result:

check this out:

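<?php
// Login check: look up the submitted username with a prepared statement and
// verify the submitted password against the stored password hash.
$servername="localhost";
$username = "*****";
$password = "*******";
$dbname = "*****";
$conn = new mysqli($servername,$username,$password,$dbname);
if($conn->connect_error){
    // Keep the driver's error text in the server log instead of sending it to the client.
    error_log("Connection to database failed: ".$conn->connect_error);
    die("Connection to database failed.");
}

// Take the request values as they were sent. The username goes into a bound
// parameter, which needs no escaping, and password_verify() must see exactly
// what the user typed; mysqli_real_escape_string() would alter passwords that
// contain quotes or backslashes.
$uname=isset($_POST['entered_username']) ? $_POST['entered_username'] : '';
$pw=isset($_POST['entered_password']) ? $_POST['entered_password'] : '';
if(!is_string($uname) || !is_string($pw)){
    // Array-valued form fields are not valid credentials.
    $uname='';
    $pw='';
}

// Only the columns the check needs are selected.
$stmt=$conn->prepare("SELECT username,password_hash FROM users WHERE username=?");
if($stmt===false){
    // prepare() returns false on failure; test it before the statement is used.
    error_log("Login query could not be prepared: ".$conn->error);
    die("Login is temporarily unavailable.");
}
$stmt->bind_param('s',$uname);
$stmt->execute();
$stmt->store_result();
// One bound variable per selected column. Separate names are used so the
// database credentials in $username/$password are not overwritten.
$stmt->bind_result($db_username,$password_hash);

$found=FALSE;

// fetch() is called only here, so the first row is not consumed before the loop.
while($stmt->fetch())
{
    // password_verify is a function, not a variable; a NULL hash cannot match.
    if(is_string($password_hash) && password_verify($pw,$password_hash)) {
        $found=TRUE;
        break; // one match is enough
    }
}

// The name comes from the request, so it is HTML-escaped before being echoed.
$shown_name=htmlspecialchars($uname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
if($found){
    echo "You have successfully logged in as ".$shown_name."!";
}
else {
    echo "Login as ".$shown_name." failed!";
}
$stmt->close();
$conn->close();
?>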
Afsar