I could get normal mysqli queries to work but I recently tried to use prepared statements to prevent sql injections. Everything seems to work fine except, after selecting rows from database, i'm unable to perform an update action. (See the comments in the code to understand my problem better).
$username=$_POST["username"];
$password=md5($_POST["password"]);
$remember=$_POST["remember"];
$stmt = $conn->stmt_init();
$sql = 'SELECT `uid` FROM `users` WHERE `username` = ? AND `password` = ?';
if($stmt->prepare($sql)){
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->bind_result($uid);
$stmt->store_result();
if($stmt->num_rows == 1){
if($stmt->fetch()){
$last_log=time();
$log_hash=md5($last_log);
/*
Everything works till here, but the following update query not executing i.e., else is always executed
*/
$sql = "UPDATE `users` SET `log_hash` = '$log_hash' AND `last_log` = '$last_log' WHERE `uid` = '$uid'";
if(mysqli_query($conn,$sql)){
if($remember=="true"){
setcookie("hash", $log_hash,time()+60*60*24*7);
setcookie("uid", $uid,time()+60*60*24*7);
}
else
{
setcookie("hash", $log_hash);
setcookie("uid", $uid);
}
$response["msg"]="Login Successful";
$response["code"]="LOGIN_SUC";
}
else
{
$response["msg"]="Unable To Login";
$response["code"]="LOGIN_ERR_3";
}
}
}
else
{
$response["msg"]="Invalid Credentials";
$response["code"]="LOGIN_ERR_2";
}
}
else
{
$response["msg"]="Unable to Handle Database";
$response["code"]="LOGIN_ERR_1";
}
Never mind, the problem was in the update statement. AND is not required!
