
I have this code

<?php
$con = new mysqli('####', '####', '####', '####');
if(mysqli_connect_errno()){
    echo 'Connection Failed:' . mysqli_connect_errno();
    exit();
}

//Variables

$user = $_POST['username'];
$zone = $_POST['password'];
$pass = strtoupper(hash("whirlpool", $zone));

//Prepare
if($stmt = $con -> prepare("SELECT * FROM `accounts` WHERE Username=? AND Key=?")){
    $stmt -> bind_param("ss", $user, $pass);
    $stmt -> execute();
    $stmt -> bind_results($result);
    $stmt -> fetch();
    if($result) {
        $_SESSION['username'] = $user;
        $url = 'home.php';
        echo '<META HTTP-EQUIV=Refresh CONTENT="1; URL='.$url.'">';
    } else {
        echo 'Login Failed';
    }
}
?>

I am new to Prepared statements and I cannot get it to work. Upon trying to log in I just get a blank white page with no error. I know I am connected to the db because if I remove the prepared statement and do it the unsecured way everything logs in just fine.

Please note: I have just been looking up tutorials on prepared statements so I can learn to code more securely. I am in no way a pro with this. Any tips would be greatly appreciated.

Kevin1990
  • Blank white page often means that errors are not displaying. Have a look at this: http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display, then come back and show us the errors you get (or maybe they will help you to find the issue without our help :) ). –  Mar 11 '15 at 13:44
  • `Key` is a reserved word; you need to escape that in the query using backticks. – Abhik Chakraborty Mar 11 '15 at 13:44
  • @Abhik Key is what I have the field labeled in the db instead of password. – Kevin1990 Mar 11 '15 at 13:48
  • Isn't it `bind_result()` instead of `bind_results()`? (Without 's') I never used `mysqli_` functions so I'm not sure, but I can't find it with the ending 's' in PHP doc. –  Mar 11 '15 at 13:50
  • @caCtus You are correct. I just changed that. Still the same problem though. I also went to the page you referenced me to. I added those lines to my file and also made sure display_errors was set to "On" in my php.ini. Oddly, still the same issue. – Kevin1990 Mar 11 '15 at 13:52
  • @caCtus this is now the error I receive Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in C:\xampp\htdocs\newsystem\loginadd.php on line 75 Login Failed – Kevin1990 Mar 11 '15 at 13:58
  • @Kevin1990 That's because you select `*` (all fields). You should be more specific about the fields you want to get (For example `SELECT id FROM ...`) Have a look at [examples](http://php.net/manual/en/mysqli-stmt.bind-result.php): 2 fields are selected, 2 parameters for `bind_result()`. (Posted as an answer as you asked, thank you for suggesting. :) ) –  Mar 11 '15 at 14:01

3 Answers

1

Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in C:\xampp\htdocs\newsystem\loginadd.php

That's because you select * (all fields). You should be more specific about the fields you want to get (for example SELECT id FROM ...).
Have a look at examples on PHP doc: 2 fields are selected, 2 parameters for bind_result().

0

According to @AbhikChakraborty's comment you just need to add backticks to your field name:

if($stmt = $con -> prepare("SELECT * FROM `accounts` WHERE Username=? AND `Key`=?")){

and according to @caCtus's comment:

$stmt -> bind_result($result);

and if you really want to bind an unknown number of returned fields you can check this answer or just use PDO.

Alex
  • Ahhh ok. I added the backticks and now I am receiving this error: Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in C:\xampp\htdocs\newsystem\loginadd.php on line 75 Login Failed – Kevin1990 Mar 11 '15 at 13:54
  • This seems just like a summary of comments? So where is the answer? – Rizier123 Mar 11 '15 at 13:54
  • @Kevin1990 That's because you select `*` (all fields). You should be more specific about the fields you want to get (For example `SELECT id FROM ...`) –  Mar 11 '15 at 13:58
  • @caCtus Please post that as a answer so I can mark resolved. Selecting ID instead of * has worked. Thank you so much sir. – Kevin1990 Mar 11 '15 at 13:59
  • @Kevin1990 check here if you really need bind many columns http://stackoverflow.com/a/2925411/4421474 – Alex Mar 11 '15 at 14:01
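Putting the two fixes from this answer and the accepted one together (explicit column list so the `bind_result()` arity matches, and no reserved-word column name), here is an added example of the login check. It is not the question's code or either answerer's. It assumes a table `accounts(id, username, password_hash)`, i.e. the `Key` column has been renamed, and it substitutes PHP's `password_hash()`/`password_verify()` for the unsalted whirlpool digest the question compares inside the WHERE clause; that swap is the added security caveat, not something the thread proposed. The connection arguments are placeholders, and the nullable return type needs PHP 7.1 or later.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema (not from the question):
//   CREATE TABLE accounts (
//       id            INT PRIMARY KEY,
//       username      VARCHAR(64) UNIQUE,
//       password_hash VARCHAR(255)   -- output of password_hash(), assumed
//   );
session_start();

// Throw on SQL errors instead of silently producing a blank page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials.
$con = new mysqli('db_host', 'db_user', 'db_password', 'db_name');

/**
 * Return the account id on success, or null if the username/password
 * pair does not match. The password is verified in PHP, not in SQL, so
 * the query only needs the username.
 */
function authenticate(mysqli $con, string $user, string $pass): ?int
{
    // Two columns selected, so exactly two variables are bound below.
    // Selecting * here would reproduce the "Number of bind variables
    // doesn't match number of fields" warning from the question.
    $stmt = $con->prepare('SELECT id, password_hash FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);

    $found = $stmt->fetch();   // true when a row was returned
    $stmt->close();

    if (!$found) {
        return null;           // unknown user
    }
    // password_verify() does a constant-time comparison against the
    // salted hash stored in the row.
    if (!password_verify($pass, $storedHash)) {
        return null;           // wrong password
    }
    return (int) $id;
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

$id = authenticate($con, $user, $pass);
if ($id !== null) {
    session_regenerate_id(true);   // new session id after login (session fixation)
    $_SESSION['user_id']  = $id;
    $_SESSION['username'] = $user;
    header('Location: home.php');
    exit();
}
echo 'Login Failed';
```

Accounts would be created with `password_hash($plaintext, PASSWORD_DEFAULT)` stored in `password_hash`; the same "Login Failed" message is returned for both an unknown user and a wrong password so the page does not reveal which usernames exist.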
-1

Verify whether the actual query fetches the result. I doubt the query itself returns an empty result.

"SELECT * FROM `accounts` WHERE Username=$user AND Key=$pass"
Vallabha Vamaravelli
  • OP said `if I remove the prepared statement and do it the unsecured way everything logs in just fine`. –  Mar 11 '15 at 13:54
  • I would like to do it with prepared statements though for security purposes – Kevin1990 Mar 11 '15 at 13:57