1

There are several other questions like that, but I didn't understand them correctly, and also don't know how to copy&change the code to work for me.

I got it working to check if a user already exists, but if he does, the user should get inserted, and there's the problem I am facing. Because there is a username and a password to insert, I don't know how to bind the ":feldwert" (shown below) to the $username AND $password. The username check only required a username.

The code:

```php
try {
    $db = new PDO("mysql:dbname=todo;host=localhost",
                  "root",
                  "");
} catch (PDOException $e) {
    echo "Fehler: " . htmlspecialchars($e->getMessage());
    exit();
}

if (isset($_POST["username"]) && isset($_POST["password"]))
{
    $username = $_POST["username"];
    $password = $_POST["password"];

    $sql = "SELECT username FROM user WHERE username = :feldwert";
    $kommando = $db->prepare($sql);
    $wert = $username;
    $kommando -> bindParam(':feldwert', $wert);
    $kommando -> execute();
    if($kommando->rowCount() > 0){
        echo "exists!";
    } else {
        echo "non existant";
        $sql = "INSERT INTO user VALUES ('$username', '$password');";
        $kommando = $db->prepare($sql);
        $wert = ...
        $kommando -> bindParam(':feldwert', $wert);
        $kommando -> execute();
    }
}
```
Mureinik
Jimmy
  • Your second sql (the insert) doesn't have placeholders yet. Need to change that first to smth like `INSERT INTO user VALUES(:feldwert, :pwd)` then bind to those two placeholders ($wert, and the hashed $password) – Jeff Feb 21 '19 at 08:43
  • 2
    Please don't forget to use something like [`password_hash()`](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Feb 21 '19 at 08:45
  • Yeah true, I changed that (copied Mureinik's answer). I didn't handle hash values yet, but I think it's time to. – Jimmy Feb 21 '19 at 08:47
  • Is the prepare still being done – Nigel Ren Feb 21 '19 at 09:14
  • @NigelRen That was it, I forgot the prepare.. It's mystical that users here can just find my mistakes by reading an error, and know exactly what I did wrong, like forgetting a whole line of code. – Jimmy Feb 21 '19 at 09:16

1 Answer

4

You can call bindParam multiple times, once for each parameter you want to bind:

```php
$sql = "INSERT INTO user VALUES (:username, :password);";
$kommando = $db->prepare($sql);
$kommando -> bindParam(':username', $username);
$kommando -> bindParam(':password', $password);
$kommando -> execute();
```
Mureinik
  • Perfect! That simple. I always have trouble with such simple things, which makes me think about whether it's worth learning such a "complicated" language even. But then it comes out that the solution is always easy.. – Jimmy Feb 21 '19 at 08:46
  • Why do you put a blankspace before and after `->` ? – Daniel W. Feb 21 '19 at 09:12
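
Added example (not part of the original question, answer or comments): the insert from the answer with both placeholders bound, combined with the `password_hash()` advice from the comments, and with the "already exists" case decided by a uniqueness constraint on the insert itself instead of a separate SELECT, so two simultaneous registrations cannot both pass the check. Assumptions: an in-memory SQLite database stands in for the page's MySQL `todo` database so the script runs offline, the `user` table layout and the helper name `registerUser` are hypothetical, and all sample values are constructed.

```php
<?php
// Constructed schema: username is the primary key, so duplicates are
// rejected by the database rather than by a prior SELECT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

/**
 * Hypothetical helper: insert a user with both values bound.
 * Returns true if the row was created, false if the username is taken.
 */
function registerUser(PDO $db, string $username, string $password): bool
{
    // Store a salted hash, never the plain-text password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $kommando = $db->prepare(
        'INSERT INTO user (username, password) VALUES (:username, :password)'
    );
    // One bind call per placeholder, as in the answer above.
    $kommando->bindValue(':username', $username);
    $kommando->bindValue(':password', $hash);

    try {
        $kommando->execute();
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate key).
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e; // anything else is a real error
    }
}

// Constructed inputs. The third name contains a quote character: because
// it is bound, it is stored as data and cannot alter the statement.
var_dump(registerUser($db, 'jimmy', 'correct horse'));
var_dump(registerUser($db, 'jimmy', 'another password'));
var_dump(registerUser($db, "O'Brien", 'pw'));

// Login side: compare the submitted password against the stored hash.
$check = $db->prepare('SELECT password FROM user WHERE username = :username');
$check->bindValue(':username', 'jimmy');
$check->execute();
var_dump(password_verify('correct horse', $check->fetchColumn()));
```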