
I've been working with mysqli prepared statements in PHP and have done many with no problems. Now I'm working on encrypting some previously plain-text passwords, and I need to use the mysql password() function in my query.

This is my code:

```php
$stmt = $mysqli->prepare("select id from tm_users where login = ? and pwEnc = password(?)");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$userdata = $stmt->get_result();
```

This code is generating the error:

```
PHP message: PHP Fatal error: Uncaught Error: Call to a member function bind_param() on bool in /var/www/...../test.php
```

If I remove the password function from the query, I don't get an error. But, of course, I need the function in order for the query to work properly!

Can somebody suggest what I should do to fix this?

Dharman
Jules
  • You should not be using `password()` for user passwords. This is not the purpose of this SQL function. You should be only storing a hash of a password. To generate hash use https://www.php.net/manual/en/function.password-hash.php – Dharman Dec 08 '20 at 21:36
  • Note also that the `PASSWORD()` function was deprecated somewhere in MySQL 5.7, and has been removed entirely in MySQL 8. –  Dec 08 '20 at 22:48
  • Thank you for your responses. When doing it using php password_hash, is there any way to verify the password within the mysql query itself? Or do I need to select the stored hash and then verify it in php? – Jules Dec 09 '20 at 21:21
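
An added example, not part of the original thread: the flow the comments point to, where the row is selected by login only and the stored `password_hash()` value is checked in PHP with `password_verify()`. The table and column names come from the question; the connection details, the sample login and the assumption that `pwEnc` is a `VARCHAR(255)` column are placeholders.

```php
<?php
// Added example. Connection details and sample credentials are placeholders.
// With strict reporting, a failed prepare() throws mysqli_sql_exception
// instead of returning false (the "bind_param() on bool" error in the question).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function set_password(mysqli $db, string $login, string $plain): void
{
    // password_hash() generates a random salt and embeds it in the result.
    // Assumption: pwEnc is VARCHAR(255) so future algorithms still fit.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE tm_users SET pwEnc = ? WHERE login = ?");
    $stmt->bind_param('ss', $hash, $login);
    $stmt->execute();
}

function check_login(mysqli $db, string $login, string $plain): ?int
{
    // Each hash carries its own salt, so SQL cannot match it with "=".
    // Select by login only, then verify in PHP.
    $stmt = $db->prepare("SELECT id, pwEnc FROM tm_users WHERE login = ?");
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if (!$row || !password_verify($plain, $row['pwEnc'])) {
        return null; // unknown login and wrong password look the same to the caller
    }
    if (password_needs_rehash($row['pwEnc'], PASSWORD_DEFAULT)) {
        set_password($db, $login, $plain); // upgrade to the current default algorithm
    }
    return (int) $row['id'];
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
set_password($db, 'jules', 'correct horse');
var_dump(check_login($db, 'jules', 'correct horse'));
var_dump(check_login($db, 'jules', 'wrong'));
```

Existing plain-text passwords can be migrated by running each one through `set_password()` once.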

0 Answers