
Warning: mysqli_stmt_bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\xampp\htdocs\Latihan\login.php on line 33

<?php  require_once 'connect.php';

$username = $password = "";
$username_err = $password_err = "";

if($_SERVER["REQUEST_METHOD"] == "POST"){

    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = 'Please enter username.';
    } else{
        $username = trim($_POST["username"]);
    }

    // Check if password is empty
    if(empty(trim($_POST['password']))){
        $password_err = 'Please enter your password.';
    } else{
        $password = trim($_POST['password']);
    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT username,password FROM users WHERE username = '".$_POST['username']."'";

        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username); // line 33: the warning is raised here

            // Set parameters
            $param_username = $username;
            //$param_password = password_hash($password, PASSWORD_DEFAULT); 

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);

                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){                    
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $username, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            /* Password is correct, so start a new session and
                            save the username to the session */
                            session_start();
                            $_SESSION['username'] = $username;      
                            header("location: welcome.php");
                        } else{
                            // Display an error message if password is not valid
                            $password_err = 'The password you entered was not valid.';
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = 'No account found with that username.';
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
        }

        // Close statement
        //mysqli_stmt_close($stmt);
    }

    // Close connection
    mysqli_close($link);
}
?>
Barmar
zains1234
  • Maybe you have mistaken this website for pastebin? – marekful Jan 06 '18 at 01:08
  • Read the comments to [this question](https://stackoverflow.com/questions/48123286/mysql-update-query-with-prepared-statement-is-giving-error), as the problem is the same. – FirstOne Jan 06 '18 at 01:16

1 Answer


When you use mysqli_stmt_bind_param(), you need to have ? placeholders in the query that will be replaced with the parameters. This is done instead of concatenating the variable directly into the query string.

The error means that the number of parameters in your mysqli_stmt_bind_param() call doesn't match the number of ? in the SQL.

So take the variable out of $sql and put ? there.

$sql = "SELECT username,password FROM users WHERE username = ?";
Barmar
  • What are the odds of two [question](https://stackoverflow.com/questions/48123286/mysql-update-query-with-prepared-statement-is-giving-error)s with the same specific problem to pop in such a short period of time? – FirstOne Jan 06 '18 at 01:15
  • @FirstOne Upvote my answer so I can link it as a dupe. – Barmar Jan 06 '18 at 01:17
  • If you want to post an answer there, I'll upvote it and make this the dupe. – Barmar Jan 06 '18 at 01:27
  • @FirstOne the difference with Barmar's and the answer I gave for the other question you linked, is that I made mine a community wiki. I feel that questions like that should be given wiki answers. They're typos, so there shouldn't be any rep gain/loss, but an answer nonetheless would be good to have, sure. – Funk Forty Niner Jan 06 '18 at 01:33
  • wait a minute; you placed an answer yet you dupe it after, what gives? any special reason? maybe you're thinking canonical? – Funk Forty Niner Jan 06 '18 at 01:35
  • Actually, typos have a specific flag, but it's fine. Don't think too much about it @FunkFortyNiner – FirstOne Jan 06 '18 at 01:35
  • @FirstOne The other answer didn't exist when I posted mine. Just trying to link related questions together. – Barmar Jan 06 '18 at 01:37
  • I don't consider this a typo, it's a conceptual problem. – Barmar Jan 06 '18 at 01:38
  • Although in these cases it's probably just a case of starting to convert from variables to prepared statements, and not completing the process. – Barmar Jan 06 '18 at 01:39
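
The difference between the question's concatenated query and the answer's ? query, as an added example that is not part of the original question or answer. It swaps mysqli/MySQL for PDO with an in-memory SQLite table (an assumption, so it runs without connect.php or a database server); the table contents, the function names and the $crafted input are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite via PDO (assumes the pdo_sqlite extension).
// The page's code uses mysqli against MySQL; the placeholder rule is the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample accounts; only password_hash() output is stored.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $user => $plain) {
    $insert->execute([$user, password_hash($plain, PASSWORD_DEFAULT)]);
}

// "Before": the input is concatenated, so it becomes part of the SQL text itself.
function rowsConcatenated(PDO $db, string $username): int
{
    $sql = "SELECT username, password FROM users WHERE username = '" . $username . "'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// "After": one ? placeholder, one bound value; the input is only compared as data.
function rowsBound(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Login check built on the bound query, mirroring the page's password_verify() step.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Constructed input containing a quote, as a form field could deliver it.
$crafted = "nobody' OR '1'='1";
printf("concatenated: %d row(s)\n", rowsConcatenated($db, $crafted));
printf("bound:        %d row(s)\n", rowsBound($db, $crafted));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, $crafted, 'anything'));
```

In mysqli the bound form is the answer's query followed by mysqli_stmt_bind_param($stmt, "s", $param_username): one type character and one variable per ? in the SQL.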