
I am learning PDO prepare statement in php.

I have an error.

public function check_user_validation($user_email,$user_password)
{
    $salt1 = "5g;;";
    $salt2 = "466UU$%jjh";
    $user_password = hash("sha512",$salt1.$user_password.$salt2);
    $result = $this->con->prepare("select id from user_table where user_email=:user_email&& user_password=:user_password");
    $result->execute([
        ':user_email' => '$user_email',
        ':user_password' => '$user_password',       
    ]);
    $result = $result->rowCount();
    if($result > 0)
    {
        $_SESSION['user_email'] = $user_email;
        header("Location:dashboard.php");
    }
    else
    {
        return FALSE;
    }
}

But it returns false. ID and password both are true. I think rowCount() is giving it a 0 value.

  • Please have a read of [How to use password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Sep 22 '18 at 06:41
  • rowCount() is not for SELECT statement, read http://php.net/manual/en/pdostatement.rowcount.php Try to use PDOStatement::fetch – Vitalijs G. Sep 22 '18 at 06:41
  • There is no `return` statement in the _good_ case. And if you _think_ `rowCount()` is giving 0, why don't you verify this before asking? – Adrian W Sep 22 '18 at 06:49
  • **Never store plain text passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Sep 24 '18 at 16:08
  • You're trying to increase security for yourself by using `prepare()`, but ignore your responsibility of security to your users by storing their passwords in plaintext – GrumpyCrouton Sep 24 '18 at 16:11

2 Answers

$result->execute([
    ':user_email' => $user_email,
    ':user_password' => $user_password,       
]);

You need to remove the single quotes in order to pass the variables $user_email and $user_password.


PDO::rowCount is not guaranteed to work for SELECT statements. It would be better just to try and fetch the data from the query instead. You also have a problem in that you have enclosed your bound parameters in single quotes, which will mean the values in the query are $user_email instead of e.g. me@example.com.

$result = $this->con->prepare("select id from user_table where user_email=:user_email&& user_password=:user_password");
$result->execute([
    ':user_email' => $user_email,
    ':user_password' => $user_password,       
]);
if ($result->fetchColumn() !== false)
{
    $_SESSION['user_email'] = $user_email;
    header("Location:dashboard.php");
}
else
{
    return FALSE;
}
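The following is an added example, not code from the question or from either answer. It pulls together the three points raised on this page: bind the plain variables (not `'$user_email'` in single quotes), fetch a row instead of trusting `rowCount()` on a SELECT, and replace the home-made `sha512` + fixed salt scheme with `password_hash()` / `password_verify()`. The class name `UserAuth`, the `register()` helper and the in-memory SQLite schema are assumptions made so the code runs offline; the table and column names match the question. It assumes PHP 7.1 or later for the `?int` return type.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Assumes a table
// user_table(id, user_email, user_password) where user_password holds a
// password_hash() string. Uses an in-memory SQLite database so it runs offline.
final class UserAuth
{
    private PDO $con;
    private string $dummyHash;

    public function __construct(PDO $con)
    {
        $this->con = $con;
        // A real hash of a throwaway value, used so that a lookup for an unknown
        // e-mail still costs one password_verify() and does not leak which
        // e-mails exist through response time.
        $this->dummyHash = password_hash('dummy-password-never-valid', PASSWORD_DEFAULT);
    }

    // Store a new user. password_hash() generates and embeds its own salt;
    // no fixed salt strings, no escaping, no pre-hashing of the password.
    public function register(string $email, string $password): void
    {
        $stmt = $this->con->prepare(
            'INSERT INTO user_table (user_email, user_password) VALUES (:user_email, :user_password)'
        );
        $stmt->execute([
            ':user_email'    => $email,
            ':user_password' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    }

    // Returns the user id on success, null on failure. Session handling and the
    // redirect stay in the caller, so the method always returns a value.
    public function checkUserValidation(string $email, string $password): ?int
    {
        // Only the e-mail goes into the WHERE clause; the password is checked in
        // PHP against the stored hash, never compared inside SQL.
        $stmt = $this->con->prepare(
            'SELECT id, user_password FROM user_table WHERE user_email = :user_email'
        );
        // Plain variable, not '$email' in single quotes: the quoted form would
        // bind the literal six-character string "$email".
        $stmt->execute([':user_email' => $email]);

        // fetch() instead of rowCount(): for SELECT the driver may report 0.
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            password_verify($password, $this->dummyHash); // equalise timing
            return null;
        }

        if (!password_verify($password, $row['user_password'])) {
            return null;
        }

        // Transparently upgrade the stored hash if the default cost or algorithm
        // has changed since the user registered.
        if (password_needs_rehash($row['user_password'], PASSWORD_DEFAULT)) {
            $upd = $this->con->prepare('UPDATE user_table SET user_password = :h WHERE id = :id');
            $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
        }

        return (int) $row['id'];
    }
}

// Constructed sample database and usage.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_table (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_email TEXT UNIQUE NOT NULL,
    user_password TEXT NOT NULL
)');

$auth = new UserAuth($pdo);
$auth->register('me@example.com', 'correct horse battery staple');

var_dump($auth->checkUserValidation('me@example.com', 'correct horse battery staple'));
var_dump($auth->checkUserValidation('me@example.com', 'wrong password'));
var_dump($auth->checkUserValidation('nobody@example.com', 'anything'));

// In a login handler the caller does the redirect, for example:
// session_start();
// $id = $auth->checkUserValidation($_POST['user_email'], $_POST['user_password']);
// if ($id !== null) {
//     session_regenerate_id(true);   // prevent session fixation
//     $_SESSION['user_id'] = $id;
//     header('Location: dashboard.php');
//     exit;
// }
```

Two design points worth noting: the query filters on the e-mail only, so the stored hash never becomes part of a SQL comparison, and the method returns a value on every path (the original fell off the end after `header()` in the success case, which the comments above also point out). `session_regenerate_id(true)` after a successful login is a standard step against session fixation and is included in the usage comment for that reason.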