
I am using PHP and MySQL to create a website for medical purposes. A user is able to create an account and upload medical documents, and the admin of the website can review the user's registered information and choose to approve or not approve the user. The below code is used to only give access to a mini online shop if a user is approved by the admin. What I am trying to figure out now is how to redirect the user back to the user page if they input the online store URL manually when they're not approved users. The below code is also giving me this error but is working perfectly: "Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\xampp\htdocs\web-project-medical\user-page.php on line 50"

<?php
   $sql_con = new mysqli('localhost', 'root', '' , 'medical_db');

   if($stmt = $sql_con->prepare("SELECT approved FROM users WHERE approved = 'Approved'")) {

      $stmt->bind_param("s", $Approved);
      $stmt->execute();
      $stmt->bind_result($Approved);

      while ($stmt->fetch()) {

        echo '<a href="products.php">store access</a>';
      }
      $stmt->close();
   }
   ?>
james1989
  • A bit tangential to your question, but I would advise you to be very, *very* careful with something as sensitive as health data, especially in jurisdictions where this type of data is protected extensively by law. – esqew Apr 23 '20 at 21:12
  • Also tangential, but this logic for "restricting" access doesn't really check out. All this appears to be doing is querying for a list of "approved" users, and `echo`ing a link to a `products.php` page only if the query was successfully executed. There is no check of whether the current user has provided proper authentication or if they are properly authorized. – esqew Apr 23 '20 at 21:17

1 Answer

The error you've included in your question points back to your prepare() statement. From PHP: mysqli::prepare - Manual:

This [query] parameter can include one or more parameter markers in the SQL statement by embedding question mark (?) characters at the appropriate positions.

You haven't included a question mark character in your query. Thus, there is a mismatch between the number of parameters you've attempted to bind using bind_param() and the number you've marked in your query using the question mark character.

Update your query to include a question mark character where you'd like your bound parameters to be inserted.

esqew
  • but I am trying to check if the user has been approved and then give access to the store – james1989 Apr 23 '20 at 21:23
  • You'll need *a lot* of legwork from the snippet you've posted to properly verify the user accessing the site is "approved" - you aren't checking their approval status against their username/ID or anything. More directly to your comment: I'm not sure how anything in my answer is moving you further from that goal... – esqew Apr 23 '20 at 21:25
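The two points raised in this thread (one `?` placeholder per variable passed to `bind_param()`, and checking the approval status of the *current* user rather than whether any approved user exists) can be put together in one small helper. The code below is an added example, not the asker's or the answerer's code. It assumes that the login page stores the user's primary key in `$_SESSION['user_id']`, that the `users` table has integer column `id` and string column `approved` holding the value `'Approved'`, and that a `login.php` page exists; the table, database and page names `medical_db`, `users`, `products.php` and `user-page.php` come from the question.

```php
<?php
// approval_check.php - added example, not code from the original question or answer.
// Assumed schema: users(id INT PRIMARY KEY, approved VARCHAR) with 'Approved' meaning admin-approved.
// Assumed session: login.php sets $_SESSION['user_id'] to the user's id after a successful login.

/**
 * Return true only if the given user exists and the admin has marked them as approved.
 * The query is scoped to ONE user id; a query without a WHERE on the user would merely
 * tell us that some approved user exists, which says nothing about the current visitor.
 */
function user_is_approved(mysqli $db, int $userId): bool
{
    // Exactly one '?' marker, exactly one bound variable, type "i" (integer) to match.
    $stmt = $db->prepare("SELECT approved FROM users WHERE id = ? LIMIT 1");
    if ($stmt === false) {
        return false; // treat a failed prepare as "not approved" (fail closed)
    }
    $stmt->bind_param("i", $userId);
    $stmt->execute();
    $stmt->bind_result($approved);
    $found = $stmt->fetch();
    $stmt->close();

    // Strict comparison: a NULL or unexpected status must not count as approved.
    return $found === true && $approved === 'Approved';
}

/**
 * Gate for protected pages such as products.php: include this at the very top,
 * before any HTML output, so the redirect headers can still be sent.
 * Typing the store URL by hand never helps, because the check runs on every request.
 */
function require_approved_user(mysqli $db): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');   // assumed login page
        exit;                            // exit after a redirect, or the page body still runs
    }

    $userId = (int) $_SESSION['user_id'];
    if (!user_is_approved($db, $userId)) {
        header('Location: user-page.php'); // back to the user page from the question
        exit;
    }
    return $userId;
}

// ---- products.php (top of file) ----
// require_once 'approval_check.php';
// $sql_con = new mysqli('localhost', 'root', '', 'medical_db');
// if ($sql_con->connect_error) { http_response_code(500); exit('database unavailable'); }
// $userId = require_approved_user($sql_con);
// ... render the store for $userId ...

// ---- user-page.php (where the link is shown) ----
// session_start();
// $sql_con = new mysqli('localhost', 'root', '', 'medical_db');
// if (isset($_SESSION['user_id']) && user_is_approved($sql_con, (int) $_SESSION['user_id'])) {
//     echo '<a href="products.php">store access</a>';
// }
```

The link on user-page.php is only a convenience for the user; the call to `require_approved_user()` at the top of products.php is what actually enforces the rule, so removing the link or guessing the URL changes nothing. Keeping `exit` immediately after each `header('Location: ...')` matters: without it PHP keeps executing and the protected page body is still sent to the client along with the redirect header.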