
I have a signup form on my website and the following code should run whenever a new user signs up:

    $sql = "SELECT * FROM users WHERE uidUsers=?;";
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt)) {
        header("Location: ../signup.php?error=sqlerror");
        exit();
    }
    else {
        mysqli_stmt_bind_param($stmt, "s", $username);
        mysqli_stmt_execute($stmt);
        $resultCheck = mysqli_stmt_num_rows($stmt);
        if ($resultCheck > 0) {
            header("Location: ../signup.php?error=usertaken");
            exit();
        }
        else {
            $hashedPwd = password_hash(PASSWORD_DEFAULT, $password);
            $sql = "INSERT INTO users (`uidUsers`, `pwdUsers`, `phraseUsers`) VALUES(?, ?, ?)";
            $stmt = mysqli_stmt_init($conn);
            if (!mysqli_stmt_prepare($stmt)) {
                header("Location: ../signup.php?error=sqlerror");
                exit();
            }
            else {
                mysqli_stmt_bind_param($stmt, "sss", $username, $hashedPwd, $securityphrase);
                mysqli_stmt_execute($stmt);
                header("Location: ../login.php?signup=success");
                exit();
            }
        }
    }

The `!mysqli_stmt_prepare` error handler is triggered when it shouldn't be, given the database circumstances and the correct INSERT statement. Therefore I don't understand why it's triggered, and I'm asking why.

There is a similar question here on Stack Overflow

user3783243
frogman578
    Add `$sql` to the call(s) otherwise it doesn't know what you want to prepare. `mysqli_stmt_prepare($stmt, $sql)` – user3783243 Jan 21 '19 at 17:02
  • Please read the documentation on the functions you're using. In addition to the above, you also have the wrong order of args in `password_hash`... – Jonnix Jan 21 '19 at 17:04
  • You cannot prepare without an accessible bind. You need to place all of the calls for preparing, binding and executing inside of one condition, splitting this up conditionally will fail. – Jay Blanchard Jan 21 '19 at 17:05
  • This is also is pretty hard to read. You should use a consistent indentation method. – user3783243 Jan 21 '19 at 17:06
  • @user3783243 I tried adding `$sql` to the calls but nothing happened in the database – frogman578 Jan 21 '19 at 17:08
  • What is the logic supposed to be here? It's hard to tell. – Jay Blanchard Jan 21 '19 at 17:10
  • Try checking for [mysqli errors](http://php.net/manual/en/mysqli.error.php) to find out *why* it fails. – aynber Jan 21 '19 at 17:12
  • Do you get redirected? If so what is the page you end up on? If not go through the execution and see where it stops. Also add error reporting, both PHP and `mysqli`. – user3783243 Jan 21 '19 at 17:16
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Jan 21 '19 at 18:07
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. – tadman Jan 21 '19 at 18:08

1 Answer

Thank you for your help. The problems were the `password_hash` argument order, which should be `password_hash($var, PASSWORD_DEFAULT);`, and the second mistake I made was not including my `$sql` statements in `mysqli_stmt_prepare`; it should be `!mysqli_stmt_prepare($stmt, $sql)`.

frogman578
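For reference, here is the signup check rewritten with both fixes from the answer (the SQL text passed to `mysqli_stmt_prepare`, and `password_hash` called with the password first and the algorithm constant second) plus the error reporting the comments ask for. This is an added example, not the asker's code; it assumes `$conn` is an open `mysqli` connection and that `$username`, `$password` and `$securityphrase` have already been read from the request.

```php
<?php
// Added example (not the asker's code). Assumes $conn is an open mysqli
// connection and $username, $password, $securityphrase come from the form.

// Turn mysqli failures into exceptions instead of silent false returns, so
// the real reason a prepare/execute fails is never lost.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function redirect(string $location): void {
    header("Location: " . $location);
    exit();
}

function usernameTaken(mysqli $conn, string $username): bool {
    $sql = "SELECT uidUsers FROM users WHERE uidUsers = ?";
    $stmt = mysqli_stmt_init($conn);
    // The SQL text is the second argument; without it there is nothing to prepare.
    mysqli_stmt_prepare($stmt, $sql);
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    // num_rows only reflects the result once it has been buffered client-side.
    mysqli_stmt_store_result($stmt);
    $taken = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $taken;
}

function createUser(mysqli $conn, string $username, string $password, string $securityphrase): void {
    // Password first, algorithm constant second.
    $hashedPwd = password_hash($password, PASSWORD_DEFAULT);
    $sql = "INSERT INTO users (`uidUsers`, `pwdUsers`, `phraseUsers`) VALUES (?, ?, ?)";
    $stmt = mysqli_stmt_init($conn);
    mysqli_stmt_prepare($stmt, $sql);
    mysqli_stmt_bind_param($stmt, "sss", $username, $hashedPwd, $securityphrase);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

try {
    if (usernameTaken($conn, $username)) {
        redirect("../signup.php?error=usertaken");
    }
    createUser($conn, $username, $password, $securityphrase);
    redirect("../login.php?signup=success");
} catch (mysqli_sql_exception $e) {
    // Keep the database error message server-side; the user only sees a generic code.
    error_log("signup failed: " . $e->getMessage());
    redirect("../signup.php?error=sqlerror");
}
```

With `MYSQLI_REPORT_STRICT` enabled, a prepare or execute that fails throws `mysqli_sql_exception`, so one `catch` at the end replaces the nested `if (!mysqli_stmt_prepare(...))` branches and the message ends up in the server log rather than being swallowed. `mysqli_stmt_store_result` is needed before `mysqli_stmt_num_rows`; without it the count is not reliable for the duplicate-user check.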