Can't find a specific value from a table using prepared statements

Question

I created some sort of "blog" application, a website that offers users the ability to post articles that are shown on a specific articles.php page.

Because of that, I also created a "login system", and to make it more secure, I hashed the passwords and used mysqli_real_escape_string(), just to find out that the function doesn't have anything to do with security. And that's why I chose to learn how to use prepared statements.

Anyways, that's how my users table looks like:

username - varchar(30) and password - varchar(60)

... and that's my login form:

<form action="" method="POST">
   <input type="textbox" name="user" placeholder="Username" class="textbox" required>
   <input type="password" name="pass" placeholder="Password" class="textbox" required>
   <input type="submit" name="btn" value="Login" class="btn">
</form>

... and that's the part of the code where I'm trying to use the prepared statements (it worked before replacing everything with the prep. statements):

if (isset($_POST['btn']))
{
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $stmt = $con->prepare("SELECT * FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $res = $stmt->get_result();
    $row = $res->fetch_array();
    $num = $stmt->num_rows();
    if ($num) {
        if (password_verify($pass, $row['password'])) {
            echo "Successfully logged in.";
            $_SESSION['logged'] = true;
            $_SESSION['username'] = $user;
            setcookie("username", $user, time() + 86400*2);
            setcookie("password", $pass, time() + 86400*2);
            header("Location: index.php");
        }else 
            echo "Password is incorrect.";
    } else 
        echo "Username doesn't exist.";

    $stmt->close();
}

The problem is, when I type in mmateas or admin, I can see the message:

Username doesn't exist

shown on my webpage.

What did I do wrong? If anything's wrong with the question, please leave a comment and I'll edit it as soon as possible. Thank you!

Edit: I realized I forgot to assign values to $user and $pass, before starting the prep. statements. I've added these two lines of code

$user = $_POST['user'];
$pass = $_POST['pass'];

but I still receive the same error.

@RiggsFolly As I modified the code and changed it to prep statements, I forgot to take $user and $pass directly from the form. But now I've added them. `$user = $_POST['user']` and `$pass = $_POST['pass']`. Still, I get the same error when attempting to log in — mmateas, May 06 '20 at 08:54
This doesn't look like a *real* code. `$stmt->num_rows()` will cause a fatal error because there is no such method. First of all you have to post the real code, especially one that explains where $user and $pass come from — Your Common Sense, May 06 '20 at 08:54
@YourCommonSense Yes, yes, I've edited the question now. Inserted the two lines of code `$user = ...` and `$pass = ...` right after the if bracket — mmateas, May 06 '20 at 08:57
To get errors out of PHP even in a LIVE environment add these 4 lines to the top of any `MYSQLI_` based script you want to debug `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);`. This will force any `MYSQLI_` errors to generate an Exception that you can see on the browser as well as normal PHP errors. — RiggsFolly, May 06 '20 at 08:58
`$stmt->num_rows()` is still there it means you will see a fatal error, not `Username doesn't exist` — Your Common Sense, May 06 '20 at 08:58
@YourCommonSense What do you mean `$stmt->num_rows()` is no such method? Doesn't that function exist? — mmateas, May 06 '20 at 08:59
@YourCommonSense yes, there is. It is in __statement__, not in __result__ — u_mulder, May 06 '20 at 09:00
@YourCommonSense https://www.php.net/manual/ro/mysqli-stmt.num-rows.php — mmateas, May 06 '20 at 09:00
I dont see any code to connect to the DB. Do we assume it exists? In this script?? — RiggsFolly, May 06 '20 at 09:02
Just change `$num = $stmt->num_rows();` to `$num = $res->num_rows();`, or `if ($num) {` to `if ($row) {` — Slava Rozhnev, May 06 '20 at 09:03
Surely YCS is right. `num_rows` is a property and NOT a Method so `$stmt->num_rows;` — RiggsFolly, May 06 '20 at 09:05
If you add the DEBUG code I suggested above. All this would be shown on the web page — RiggsFolly, May 06 '20 at 09:06
@RiggsFolly follow the link too https://www.php.net/manual/ro/mysqli-stmt.num-rows.php — u_mulder, May 06 '20 at 09:07
@u_mulder I did :) `$stmt->num_rows;` or proceedurally `mysqli_num_rows(mysql::result);` — RiggsFolly, May 06 '20 at 09:14
Ok. Fixed it! Thanks to everyone! Really! Changed `$num = $stmt->num_rows();` to `$num = $res->num_rows;` — mmateas, May 06 '20 at 09:58

Can't find a specific value from a table using prepared statements

0 Answers0