0

I have a very simple login system for a web-app we use internally at my workplace. Doing some fixing, I'm trying to make the code less vulnerable by using msqli->prepare everywhere I can. For some reason, on the login code, this results in complete failure. Here's the old code:

$email = $_POST['email'];
$upass = $_POST['pass'];

$stmt = $sqlCon->query("SELECT * FROM users WHERE email='$email'");
$row = mysqli_fetch_array($stmt);
$stmt->close();

echo $row['password']; //this is just for debug!

This works great. It checks the users email against the table 'users' and returns the resulting array just perfect.

So, I tried to replace it with a prepare statement:

$email = $_POST['email'];
$upass = $_POST['pass'];

$sql = "SELECT * FROM users WHERE email='?'";
$stmt = $sqlCon->prepare($sql);
$stmt->bind_param('s', $email);
$stmt->execute();
$row = mysqli_fetch_array($stmt);
$stmt->close();

echo $row['password']; //this is just for debug!

I've tried the prepare statement with and without the '' around the ? and neither works. I get an error on mysqli_fetch_array() that it expects a myqsli_result and instead got an object... which seems to imply that the query returned nothing?

Obviously, I don't understand how something works, so any help would be great.

Random_Person
  • 435
  • 2
  • 7
  • 11
  • 1
    Remove quotes, it should be `$sql = "SELECT * FROM users WHERE email=?";` – Rajdeep Paul Jan 20 '16 at 19:19
  • 1
    http://php.net/manual/en/mysqli.error.php would have helped you here. As would R'ingTM http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php – Funk Forty Niner Jan 20 '16 at 19:20
  • Neither of your links do anything to help. There is no error generated, and the prepared statement document does nothing to help me. Adding or removing quotes also does nothing as I stated originally. They are, however, completely necessary in the ->query statement or it fails. I am here seeking an explanation as to why. – Random_Person Jan 20 '16 at 19:33
  • 1
    @Random_Person Well, here's the explanation. `mysqli_fetch_array()` expects parameter 1 to be mysqli_result but you're passing an object to it. Remove this line, `$row = mysqli_fetch_array($stmt);`. First the get the result set and then fetch a row from it. After `$stmt->execute();` do this: `$result = $stmt->get_result(); $row = $result->fetch_assoc();` – Rajdeep Paul Jan 20 '16 at 19:47
  • @RajdeepPaul - you are my hero. I would have NEVER figured that out. I read all the documents I could find.... and I had encountered that exact solution msyelf, but I had tried to just run $stmt->get_result() without it occurring to me to pass the result to another variable. This is me being an idiot. – Random_Person Jan 20 '16 at 20:01
  • @Random_Person Glad I could help. *Cheers!* :) – Rajdeep Paul Jan 20 '16 at 20:03
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 20 '16 at 21:51

0 Answers0