
This is a script I am making that checks if the user is logged in; if so, it redirects, and if not, it creates a profile page and redirects to the TOS. I have working code using a basic INSERT that works (on top). Then there is one that I cannot get to work using prepared statements, below.

<?php
    session_start();
    require ('../../../mysql_connect/mysqli_connect_accounts.php');
    require ('../steamauth/steamauth.php');
    require ('../steamauth/userInfo.php');
    $steamid=$_SESSION['steamid'];
    
    $query = "SELECT * FROM `".$steamid."`";
    
    $response = @mysqli_query($dbc, $query);
    
if($response){
        header("Location: http://theskindealer.com/index.php");
    } else {    
        $create = "CREATE TABLE `".$steamid."` (
        steamid VARCHAR(30), 
        fullname VARCHAR(30),
        tradeurl VARCHAR(30),
        email VARCHAR(50),
        age INT(3),
        tos INT(1),
        access INT(1),
        first INT(1),
        balance DECIMAL(9,2)
        )";
        if ($dbc->query($create) === TRUE) {
            $insert = "INSERT INTO `".$steamid."` (steamid, first, access, tos, balance, age, email, tradeurl, fullname) VALUES ($steamid, 1, 0, 0, 0.00, 0, 0, 0, 0)";

            if ($dbc->query($insert) === TRUE) {
                header("Location: http://theskindealer.com/tos/accept.php");
            } else {
                header("Location: http://theskindealer.com/pages/errorlogin.php");
            }
        } else {
            header("Location: http://theskindealer.com/pages/errorlogin.php");
        }
}
$dbc->close();
    
mysqli_close($dbc);
    
?>

Then... this code either redirects to index all the time, even after wiping the db, and doesn't save data, or it white-screens and doesn't save data.

<?php
    session_start();
    require ('../../../mysql_connect/mysqli_connect_accounts.php');
    require ('../steamauth/steamauth.php');
    require ('../steamauth/userInfo.php');
    $steamid=$_SESSION['steamid'];
    
    $query = "SELECT * FROM `".$steamid."`";
    
    $response = @mysqli_query($dbc, $query);
    
if($response){
        header("Location: http://theskindealer.com/index.php");
    } else {    
        $create = "CREATE TABLE `".$steamid."` (
        steamid VARCHAR(30), 
        fullname VARCHAR(30),
        tradeurl VARCHAR(30),
        email VARCHAR(50),
        age INT(3),
        tos INT(1),
        access INT(1),
        freeze INT(1),
        balance DECIMAL(9,2)
        )";
        if ($dbc->query($create) === TRUE) {
            $insert = "INSERT INTO `".$steamid."` (steamid, freeze, access, tos, balance, age, email, tradeurl, fullname) VALUES (:steamid, :freeze, :access, :tos, :balance, :age, :email, :tradeurl, :fullname)";
            $stmt = $dbc->prepare($insert);
            $stmt->bind_param(':steamid', $steam64);
            $stmt->bind_param(':freeze', $freeze);
            $stmt->bind_param(':access', $access);
            $stmt->bind_param(':tos', $tos);
            $stmt->bind_param(':balance', $balance);
            $stmt->bind_param(':age', $age);
            $stmt->bind_param(':email', $email);
            $stmt->bind_param(':tradeurl', $tradeurl);
            $stmt->bind_param(':fullname', $fullname);
            
            $steam64 = $steamid;
            $freeze = 0;
            $access = 0;
            $tos = 0;
            $balance = 0.00;
            $age = 0;
            $email = "null";
            $tradeurl = "null";
            $fullname = "null";
            
            $stmt->execute();
        
            header("Location: http://theskindealer.com/tos/accept.php");

        } else {
            header("Location: http://theskindealer.com/pages/errorlogin.php");
        }
}
$stmt->close();
$dbc->close();
mysqli_close($dbc);
    
?>
mkrieger1
Cody
  • Stop hiding errors with the `@` and Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any mysqli_ errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly Oct 10 '18 at 23:08
  • Also read the [PHP MYSQLI_ manual](http://php.net/manual/en/book.mysqli.php) so you get the syntax of a parameterised query correct. – RiggsFolly Oct 10 '18 at 23:09

1 Answer


When using mysqli_stmt::bind_param, the first argument is the data type: bind_param('s', $variable). See https://php.net/manual/en/mysqli-stmt.bind-param.php

In addition, MySQLi does not support named parameters, unlike PDO.

You would need to change your code to work with MySQLi; adjust the data types as needed.

//...

$insert = "INSERT INTO `".$steamid."` (steamid, freeze, access, tos, balance, age, email, tradeurl, fullname) 
           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = $dbc->prepare($insert);
$stmt->bind_param('sssssssss', 
    $steam64, 
    $freeze, 
    $access, 
    $tos, 
    $balance, 
    $age, 
    $email, 
    $tradeurl, 
    $fullname
);

//...

Tips/Suggestions:

I commend you for using the strict comparison operator === TRUE, it is a good practice to adopt.

Closing database connections

You only need to call one form of mysqli::close, as they perform the same function; mysqli_close($dbc); is unneeded.

$dbc->close();
///mysqli_close($dbc);

Include Statements

You do not need to wrap include paths in parentheses. It is just extra overhead the lexer does not need to process. include, require, and their _once variants are PHP language control structures, not function calls.

Additionally, you should always specify the full path to avoid ambiguity, avoiding an include_path lookup when a file is not found, and potential exploits in the path.

Also to avoid unnecessarily loading configuration scripts several times, such as database connectivity that your other scripts rely on, you can use require_once.

Example:

require_once __DIR__ . '/../../../mysql_connect/mysqli_connect_accounts.php';

Sessions

You should always check to see if a session already exists before using session_start.

if (!session_id()) {
    session_start();
}

It is also recommended to regenerate the session id, using session_regenerate_id(), to avoid session hijacking. Source: http://php.net/manual/en/features.session.security.management.php#features.session.security.management.session-id-regeneration

Single/Double Quote use

It is highly recommended to conform to using single quotes only.

Aside from the negligible performance loss when using double quotes, mixing single and double quote usage in your code often leads to confusion and hard-to-find bugs. Single-quoted values are treated as literal strings, will always result in the value you supply, and do not need to be escaped. Using double quotes, by contrast, causes the lexer to parse the string to determine if there are special characters that need to be interpreted, such as $ or \.

http://php.net/manual/en/language.types.string.php

The exception to this is when you do need to use special characters such as \r, \n, \t, etc., which require double quotes for the lexer to process.

For example:

echo 'Hello you owe $money';
//vs
echo 'Hello you owe ' . $money;
//vs
echo "Hello you owe $money";
//vs
echo "Hello you owe \$money";
Will B.
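As an added example (not the asker's or Will B.'s code), here is the insert step of the question's script using the positional placeholders and typed bind_param() string from the answer, together with the mysqli_report() setting from the comments and the require_once and session suggestions above. The include path, redirect URLs and column list are taken from the question; the digit check on $steamid is an addition that is not in the answer: prepared statements bind values, not identifiers, so a table name built from session data still has to be validated separately before it is interpolated into the SQL.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes $dbc is a mysqli connection created by the included file
// (path as in the question) and that $_SESSION['steamid'] holds a
// numeric 64-bit Steam ID.
declare(strict_types=1);

if (!session_id()) {
    session_start();
}

// From the comments: surface MySQLi errors as exceptions instead of hiding them with @.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require_once __DIR__ . '/../../../mysql_connect/mysqli_connect_accounts.php';

/**
 * Insert the initial profile row into the per-user table named after $steamid.
 *
 * bind_param() can only bind values (the ? placeholders), never identifiers,
 * so the table name is still interpolated. Because it comes from the session,
 * it is restricted to digits (the shape of a Steam64 ID) before it is used.
 */
function createProfile(mysqli $dbc, string $steamid): bool
{
    if (!ctype_digit($steamid) || strlen($steamid) > 20) {
        throw new InvalidArgumentException('steamid must be a numeric Steam64 ID');
    }

    $insert = 'INSERT INTO `' . $steamid . '` '
        . '(steamid, freeze, access, tos, balance, age, email, tradeurl, fullname) '
        . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';

    $stmt = $dbc->prepare($insert);

    // Values must live in variables because bind_param() binds by reference.
    $freeze   = 0;
    $access   = 0;
    $tos      = 0;
    $balance  = 0.00;
    $age      = 0;
    $email    = null;   // a real SQL NULL, not the string "null"
    $tradeurl = null;
    $fullname = null;

    // Type string: one character per placeholder, in order.
    // s = string, i = integer, d = double (the DECIMAL balance).
    $stmt->bind_param(
        'siiidisss',
        $steamid, $freeze, $access, $tos, $balance, $age, $email, $tradeurl, $fullname
    );

    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$steamid = (string) ($_SESSION['steamid'] ?? '');

try {
    if (createProfile($dbc, $steamid)) {
        header('Location: http://theskindealer.com/tos/accept.php');
    } else {
        header('Location: http://theskindealer.com/pages/errorlogin.php');
    }
} catch (mysqli_sql_exception | InvalidArgumentException $e) {
    // Log the real cause instead of a white screen, then redirect as the question does.
    error_log($e->getMessage());
    header('Location: http://theskindealer.com/pages/errorlogin.php');
} finally {
    $dbc->close();
}
exit;
```

The type string 'siiidisss' matches the nine placeholders left to right; if the column types change, that string must change with them, since a mismatch is exactly the kind of silent failure the original named-parameter version ran into.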