
Trying to just set up something to verify that username = password via num_rows = 1.

Trying to use prepared statements, which I have never used before, and I'm missing something. Where does the var in bind_results('s',$variable) come from??

Also, it's just not working for me.

<?php

require ($_SERVER['DOCUMENT_ROOT'].'/db-connect.php');

$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$user = $_POST['username'];
//$user = $conn->real_escape_string($user);//
$password = $_POST['password'];
//$password = $conn->real_escape_string($password);//

// the connection object is $conn (the original used an undefined $mysqli here)
if ($stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?")) {

    // this is the call the question is about
    $stmt->bind_result('ss', $username);

    $stmt->execute();
    $stmt->store_result();   // num_rows stays 0 until the result is buffered
    $result = $stmt->num_rows;

    echo $result;

    $stmt->close();
}

$conn->close();

?>
Don't Panic
Matthew Ediger
  • Hi! Don't use a hardcoded string in the bind_result function. Always use variables. In your case: $sString="ss"; $stmt->bind_result($sString, $username); – Idir Ouhab Meskine Apr 13 '16 at 21:15
  • Okay, thanks, will do that. Any other suggestions to make this work? – Matthew Ediger Apr 13 '16 at 21:23
  • You can check this link, you have many answers to your question http://stackoverflow.com/questions/18753262/example-of-how-to-use-bind-result-vs-get-result – Idir Ouhab Meskine Apr 13 '16 at 21:27
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Apr 13 '16 at 21:31
  • @JayBlanchard at least no mysql deprecation/removal or SQL injection warnings needed for this one. :) – Don't Panic Apr 13 '16 at 21:37

1 Answer

I see three problems with this:

$stmt->bind_result('ss', $username);

First, bind_result PHP documentation:

"Binds columns in the result set to variables."

I think you're looking for bind_param. PHP documentation:

"Bind variables for the parameter markers in the SQL statement that was passed to mysqli_prepare()."

Second, your statement has two parameter markers (?), your bind statement indicates two strings (ss), but you provide only one variable ($username).

Third, $username is not what you're getting from $_POST['username']. You've assigned that to $user. $username is for your database connection.

I think it should work for you with this line instead:

$stmt->bind_param('ss', $user, $password);
Don't Panic
  • Thanks, I was thinking that the bind function was binding something to a new variable that's why I had a different one there! Confused with the prepared statements. – Matthew Ediger Apr 13 '16 at 21:40
  • I would suggest walking through some of the examples in the PHP documentation I linked. They can be helpful to see how it works when you're getting started. Although, to be totally honest what I would _really_ suggest is to use pdo rather than mysqli, because I think it makes it easier to work with prepared statements. Just my opinion, though. – Don't Panic Apr 13 '16 at 21:43
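The distinction the answer draws (bind_param feeds the ? markers, bind_result receives columns), put together as a working login check. This is an added example, not code from the question or the answer; it assumes a `users` table with `username` and `password_hash` columns, that db-connect.php defines `$servername`, `$username`, `$password` and `$dbname` as in the question, and the function names `register_user` and `login_ok` are the example's own. It also follows Jay Blanchard's comment by storing `password_hash()` output instead of plaintext passwords.

```php
<?php
// Added example, not the question's or the answer's code. bind_param attaches INPUT
// values to the ? markers; bind_result attaches OUTPUT columns that fetch() fills.
// Passwords are stored with password_hash() and checked with password_verify(), so
// the plaintext password never appears in the SQL at all.
// Assumed schema: users(username VARCHAR UNIQUE, password_hash VARCHAR(255)).
// Assumes db-connect.php defines $servername, $username, $password, $dbname.

require $_SERVER['DOCUMENT_ROOT'] . '/db-connect.php';

// Two ? markers, two variables, types 'ss' (the shape the answer's last line shows).
function register_user(mysqli $conn, string $user, string $plain): bool
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Look up the stored hash by username only, then compare in PHP, not in SQL.
function login_ok(mysqli $conn, string $user, string $plain): bool
{
    $stmt = $conn->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $user);   // one marker, one string variable
    $stmt->execute();
    $stmt->store_result();           // buffer rows; num_rows is 0 until you do this
    $hash = null;
    $stmt->bind_result($hash);       // the selected column of each fetched row lands here
    $found = ($stmt->num_rows === 1) && $stmt->fetch();
    $stmt->close();
    return $found && password_verify($plain, $hash);
}

$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}
$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';   // not $password: that is the DB credential
echo login_ok($conn, $user, $pass) ? 'login ok' : 'invalid credentials';
$conn->close();
```

Note that the form's password is kept in `$pass`, since `$password` is already the database credential from db-connect.php, which is the naming mix-up the answer's third point describes.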