-3

I'm trying to execute a query and see if it goes well, but right now it doesn't enter the IF or ELSE. I had it on mysqli procedural and all worked flawlessly; now I'm trying to change it to object-oriented and it won't enter the if/else.

if(isset($_POST['submit']))
{
    $email = $_POST["email"]; 
    $password = md5($_POST["password"]); 

    $query = "SELECT * FROM Users WHERE Email=? AND Password=?";
    $stmt = $conn->prepare($query);
    $stmt->bind_param('ss', $email,$password);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows == 1)
    {
            ?>
            <script type="text/javascript">
                alert("INSIDE");
            </script>
        <?php
        $row = $result->fetch_assoc();
        if(isset($_POST['remember']))
        {
            $_SESSION["remember"] = "1"; 
        }
        $_SESSION["username"] = $row['Username'];
        $_SESSION['check'] = "1";
        $_SESSION['ID'] = $id;
        $_SESSION['permission'] = $row['Admin'];
        header("Location: dashboard.php");
        exit;
    } 
    else
    {
        ?>
            <script type="text/javascript">
                alert("Credentials Are Wrong!");
            </script>
        <?php
        exit;
    }
    $stmt->close();
}   

Thank you all.

2 Answers

0

You should be using

$stmt->bind_result($col1, $col2 ...);

and

$result = $stmt->fetch();

in order to access the data from the query, rather than

$conn->query($stmt);

(an example is provided at https://secure.php.net/manual/en/mysqli-stmt.fetch.php). Note that for this to work you will need to specify the column names you want to fetch from the database, rather than using * in your SQL query, and for each column that data is fetched from in the query, you should have a variable in the fetch() parameters. For example, something like the following should work (note these may not match the names of your database columns):

$email = $_POST["email"]; 
$password = md5($_POST["password"]); 

$stmt = $conn->prepare("SELECT ID, Name FROM Users WHERE Email=? AND Password=?");
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($id, $name);
$stmt->fetch();
$stmt->close();
echo $id . ': ' . $name;
M. Kilpatrick
0

Updated Answer

You are very close. Use $result = $stmt->get_result(); instead of $result = $stmt->query; to check to see if the query returned a result or not.

$email = $_POST["email"]; 
$password = md5($_POST["password"]);     

$query = "SELECT * FROM Users WHERE Email = ? AND Password = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$result = $stmt->get_result();

if($result->num_rows !== 0){

  // Fetch the matched row so $row['ID'] is defined below
  $row = $result->fetch_assoc();

  if(isset($_POST['remember'])){
    $_SESSION["remember"] = "1"; 
  }

  $_SESSION['check'] = "1";
  $_SESSION['ID'] = $row['ID'];
  header("Location: dashboard.php");
  exit();

}else{

  echo
  '<script type="text/javascript">
    alert("Credentials Are Wrong!");
  </script>';

  exit();

  }

$stmt->close();

As several have already stated in their comments, do not use MD5 for password hashes. PHP has its own built-in functions for handling passwords. Please research password_hash() and password_verify(). Spend the time to research and implement these now instead of later. It will save you time.

Joseph_J
  • Thanks for the response, and I will surely look at the PHP functions for password hashing! But I've done as you told and now it seems that it doesn't go inside IF or ELSE. Check my original post for the new version of the code – Luca Verdecchia Nov 10 '18 at 10:47
  • Run `echo $result->num_rows;` before the if statement and tell me what it says. – Joseph_J Nov 10 '18 at 10:52
  • There is some error, as the browser says 500 error, so there is an error in the code, but Dreamweaver doesn't tell me anything about errors. If I remove $result = $stmt->get_result(); the browser doesn't display any 500 error – Luca Verdecchia Nov 10 '18 at 11:11
  • I've updated the answer. If I remove $result = $stmt->get_result(); the browser doesn't display any 500 error – Luca Verdecchia Nov 10 '18 at 11:15
  • Are you sure that $password & $email have populated values? – Joseph_J Nov 10 '18 at 11:23
  • Yes, I'm sure they are populated, as I've for the moment manually populated them to be 101% sure about it – Luca Verdecchia Nov 10 '18 at 11:24
  • Sorry, I do not see where your error is at. Your code should work. – Joseph_J Nov 10 '18 at 11:29
  • I would make sure your mysqli error reporting is turned on and that you set your PHP error reporting to all. – Joseph_J Nov 10 '18 at 11:33
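
Following the second answer's advice to move from MD5 to password_hash() and password_verify(), this added example (not code from the question or either answer) shows how the login check changes: the row is selected by e-mail only and the password is verified in PHP, with existing MD5 rows upgraded on a successful login. It assumes the page's Users table with ID, Email and Password columns; find_user() and check_password() are hypothetical helper names and the sample rows are constructed.

```php
<?php
// Added example. Assumes the page's Users table (ID, Email, Password) and that
// Password currently holds unsalted MD5 hex digests to be migrated.

// Look the user up by e-mail only: a salted hash cannot be matched in a WHERE clause.
function find_user(mysqli $conn, string $email): ?array
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw
    $stmt = $conn->prepare("SELECT ID, Password FROM Users WHERE Email = ?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);   // bind_result() does not need mysqlnd; get_result() does
    $row = $stmt->fetch() ? ['ID' => $id, 'Password' => $hash] : null;
    $stmt->close();
    return $row;
}

// Returns [ok, newHash]; newHash is non-null when the stored value should be replaced.
function check_password(string $password, string $stored): array
{
    if (preg_match('/^[a-f0-9]{32}$/i', $stored)) {            // legacy MD5 row
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Constructed sample rows standing in for find_user() results, so this runs without a database.
$legacy = ['ID' => 1, 'Password' => md5('hunter2')];
$modern = ['ID' => 2, 'Password' => password_hash('hunter2', PASSWORD_DEFAULT)];

foreach ([$legacy, $modern] as $row) {
    [$ok, $newHash] = check_password('hunter2', $row['Password']);
    [$bad] = check_password('wrong', $row['Password']);
    printf("ID %d: correct=%s wrong=%s rehash=%s\n", $row['ID'],
        var_export($ok, true), var_export($bad, true), $newHash === null ? 'no' : 'yes');
}
```

When check_password() returns a new hash, write it back with a prepared UPDATE on Users so the MD5 value is replaced; the Password column must be wide enough for the longer hash (the PHP manual recommends 255 characters).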