
I'm having a problem with my SQL statement: it gives the error on the first if statement, that the SQL statement has failed. For prepared statements I've used mmtuts and w3schools, but I don't know what's going wrong.

Here's my code:

```php
function login($conn) {
  if (isset($_POST['submitLogin'])) {
    $username = $conn->escape_string($_POST['emailorusername']);
    $password = $conn->escape_string($_POST['password']);
    $sql = "SELECT * FROM users WHERE username = ?";
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, $sql)) {
      header("Location: ?error=sqlstatementfailed");
      exit();
    } else {
      mysqli_stmt_prepare($stmt, $sql);
      mysqli_stmt_bind_param($stmt, "s", $username);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);
      $row = mysqli_fetch_assoc($result);
      if (mysqli_num_rows($result) == 0) {
        header("Location: ?username=notfound");
        exit();
      } else {
        if (mysqli_num_rows($result) > 1) {
          header("Location: ?error=toomuchresults");
          exit();
        } else {
          header("Location: ?username=ok");
          if ($password !== $row['password']) {
            header("Location: ?password=false");
            exit();
          } else {
            header("Location: ?password=ok");
            $_SESSION['username'] = $row['username'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['firstname'] = $row['firstname'];
            $_SESSION['lastname'] = $row['lastname'];
            header("Location: Index");
            exit();
          }
        }
      }
    }
  }
}
```

The server is connected to the database so that isn't the problem.

Can someone help? Thanks!

Solution:

Check for mysqli errors after your prepare, it will tell you why it failed.

J0eppp
  • Check for [mysqli errors](http://php.net/manual/en/mysqli.error.php) after your prepare, it will tell you why it failed. – aynber Oct 26 '18 at 16:30
  • Also, why are you preparing it twice? – aynber Oct 26 '18 at 16:32
  • Thank you, I was stupid and forgot some columns. The next time I'll use this again! Oh yes I see that I'm preparing it twice, I'll remove it! – J0eppp Oct 26 '18 at 16:35
  • Please read up how to use [`password_hash()`](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Oct 26 '18 at 16:37
  • You shouldn't have to escape a string if you're binding it as a parameter. That can actually cause problems. – Don't Panic Oct 26 '18 at 16:41
  • @NigelRen ? Where am I using it? – J0eppp Oct 26 '18 at 18:45
  • @Don'tPanic ok, but what kind of problem can you get? – J0eppp Oct 26 '18 at 18:46
  • @J0eppp If any characters are actually escaped, the escape characters will be stored with your data. See [this answer](https://stackoverflow.com/a/34692482/2734189) for a good explanation. – Don't Panic Oct 26 '18 at 19:08
  • @Don'tPanic ok, thank you! BTW: Can someone tell me how I can "complete" this question? It's fixed so yeah... – J0eppp Oct 26 '18 at 19:10
  • @J0eppp as far as "completing" a question, there are a few different ways. If someone answers, and their answer solves your problem, you can accept the answer. If you solved the problem yourself, then you can either add an answer that explains how you did it, or if you don't think that would be useful to others, you can delete the question. But you don't really need to worry about it. It's okay for Qs to remain open. Really, even after you have accepted an answer other people can still add new answers. – Don't Panic Oct 26 '18 at 19:15
  • However, if you see a pattern developing of never getting an answer you can accept, you should take a close look at how you write your questions. There are a lot of resources available that offer guidance in writing good questions. It's more difficult than most people think it is. – Don't Panic Oct 26 '18 at 19:21
  • Thanks, I've experienced already that it's pretty hard to ask something. Thanks for your help guys! – J0eppp Oct 26 '18 at 19:36
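
The points raised in the comments (surface the mysqli error after a failed prepare, prepare only once, bind without escaping, verify against a `password_hash()` value), put together as an added example that is not code from the asker or any commenter. It assumes `session_start()` has already run and that `users.password` stores `password_hash()` output; the `?error=loginfailed` parameter is a made-up name.

```php
<?php
// Added example, not the asker's code. Assumes session_start() has run and
// users.password holds password_hash() output; ?error=loginfailed is made up.
function login(mysqli $conn): void
{
    if (!isset($_POST['submitLogin'])) {
        return;
    }
    // Make mysqli throw, so a failed prepare/execute carries its reason.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    // Bound parameters are sent as data: no escape_string() beforehand.
    $username = (string) ($_POST['emailorusername'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    try {
        // Prepare once; naming the columns makes a missing one fail here.
        $stmt = $conn->prepare(
            'SELECT username, email, firstname, lastname, password
               FROM users WHERE username = ?'
        );
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $result = $stmt->get_result();
        $row = ($result->num_rows === 1) ? $result->fetch_assoc() : null;
    } catch (mysqli_sql_exception $e) {
        // The detailed reason goes to the server log, not to the browser.
        error_log('login query failed: ' . $e->getMessage());
        header('Location: ?error=sqlstatementfailed');
        exit();
    }

    // Same response for unknown user and wrong password; password_verify()
    // compares the submitted password with the stored hash.
    if ($row === null || !password_verify($password, $row['password'])) {
        header('Location: ?error=loginfailed');
        exit();
    }

    session_regenerate_id(true); // fresh session id once authenticated
    foreach (['username', 'email', 'firstname', 'lastname'] as $field) {
        $_SESSION[$field] = $row[$field];
    }
    header('Location: Index');
    exit();
}
```

The exception message written by `error_log()` is the same text `$conn->error` would hold, for example an unknown column name.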
