
I am very new to PDO. I am trying to understand how to make prepared statements, but I can't see what I am doing wrong. Here is my message:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: parameter was not defined' in C:\xampp\htdocs\Final\include\addbloguser.php:66 Stack trace: #0 C:\xampp\htdocs\Final\include\addbloguser.php(66): PDOStatement->execute() #1 C:\xampp\htdocs\Final\blogcp.php(49): require('C:\xampp\htdocs...') #2 {main} thrown in C:\xampp\htdocs\Final\include\addbloguser.php on line 66

And here is the code. I am very sure I made a lot of mistakes; if you have time, can you explain to me what I did wrong and how to fix it?

<?php


try {


require SITE_ROOT .  '\include\db_connect.php';

}
catch(PDOException $e)
{ 
echo $e->getMessage();
}


$name = $_POST['fname']; 
$lname = $_POST['lname'];
$username = $_POST['username']; 
$state = "basic"; 
$email = $_POST['email'];   
$password = $_POST['pass']; 
$password1 = $_POST['rpass'];



//verifications

//password 

if (empty($name) || empty($username) || empty($email) || empty($password) || empty($password1)){
    $error = "Complete all fields";
}
if ($password != $password1){
    $error = "Passwords don't match";
}

if (strlen($password) <= 6){
    $error = "Choose a password longer than 6 character";
}


if(!isset($error)){
    //no error
    $sthandler = $conn->prepare("SELECT username FROM blogusers WHERE username = :username");
    $sthandler->bindParam(':username', $username);
    $sthandler->execute();

    if($sthandler->rowCount() > 0){
        echo "exists! cannot insert";
    } else {
        //Securely insert into database
        $sql = 'INSERT INTO blogusers (name , lname ,username, state , email, password) VALUES (:name,:lnane:,:username,:state,:email,:password)';
        $stmt = $conn->prepare($sql);
        $stmt->bindParam(':name',$name);
        $stmt->bindParam(':lname',$lname);
        $stmt->bindParam(':username',$username);
        $stmt->bindParam(':state',$state);
        $stmt->bindParam(':email',$email);
        $stmt->bindParam(':password',$password);
        $name = $_POST['fname'];
        $lname = $_POST['lname'];
        $username = $_POST['username'];
        $state = "basic";
        $email = $_POST['email'];
        $password = $_POST['pass'];
        $stmt->execute();
    }
}else{
    echo "error occurred: ".$error;
    exit();
}

?>
  • It's 2 typos in one => `:lnane:` (for one thing) and closing it as such – Funk Forty Niner May 04 '16 at 13:05
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 04 '16 at 13:08
  • Allow users to use the [passwords / phrases](https://xkcd.com/936/) they desire. [Don't limit passwords.](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard May 04 '16 at 13:08

1 Answer

Your insert is using :lnane:, and you're binding :lname.

    $sql = 'INSERT INTO blogusers (name , lname ,username, state , email, password)
       VALUES (:name,:lnane:,:username,:state,:email,:password)';

The corrected line would look like this:

    $sql = 'INSERT INTO blogusers (name , lname ,username, state , email, password)
       VALUES (:name,:lname,:username,:state,:email,:password)';
aynber
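Pulling the answer and the comments together, here is the registration step rewritten as an added example (not the asker's or answerer's code): every named placeholder has exactly one matching entry in the `execute()` array, the password is stored with `password_hash()`, and PDO is switched to exception mode so a binding mismatch like the HY093 above cannot fail silently. It assumes a `blogusers` table with the columns used in the question and a PDO connection in `$conn` from `db_connect.php`.

```php
<?php
// Added example, not code from the original post. Assumes $conn is a PDO
// connection and blogusers has the columns name, lname, username, state,
// email, password as in the question.

function registerUser(PDO $conn, array $input)
{
    // Throw PDOException instead of silently failing, so a placeholder/binding
    // mismatch (SQLSTATE HY093) cannot go unnoticed.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    foreach (array('fname', 'lname', 'username', 'email', 'pass', 'rpass') as $f) {
        if (!isset($input[$f]) || $input[$f] === '') {
            return 'Complete all fields';
        }
    }
    if ($input['pass'] !== $input['rpass']) {
        return "Passwords don't match";
    }
    if (strlen($input['pass']) <= 6) {
        return 'Choose a password longer than 6 characters';
    }

    // fetchColumn() returns false when no row matched; rowCount() on a SELECT
    // is not guaranteed to be meaningful on every PDO driver.
    $check = $conn->prepare('SELECT 1 FROM blogusers WHERE username = :username');
    $check->execute(array(':username' => $input['username']));
    if ($check->fetchColumn() !== false) {
        return 'exists! cannot insert';
    }

    // Each placeholder below must appear exactly once as a key in execute();
    // ':lnane:' in the question had no matching binding, hence HY093.
    $sql = 'INSERT INTO blogusers (name, lname, username, state, email, password)
            VALUES (:name, :lname, :username, :state, :email, :password)';
    $stmt = $conn->prepare($sql);
    $stmt->execute(array(
        ':name'     => $input['fname'],
        ':lname'    => $input['lname'],
        ':username' => $input['username'],
        ':state'    => 'basic',
        ':email'    => $input['email'],
        // Store a salted hash of the raw password, never the plain text.
        ':password' => password_hash($input['pass'], PASSWORD_DEFAULT),
    ));
    return 'ok';
}

// Usage: echo registerUser($conn, $_POST);
```

Passing the values to `execute()` as an array also removes the need for the `bindParam()` calls and the duplicated `$_POST` assignments in the question.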