Question

I am having trouble implementing the below prepared statement. I have used this same prepared statement code and made it work elsewhere so not sure where I am going wrong. I had the below script up and running without a prepared statement which used concatenation so I know there is no issue with my SQL or the initial email/password validation.

The database query only returns one row; I don't think this should affect my while array fetch? Email address and password are set to strings in the prepared statement ('ss'), assuming no issues with that.

I used get_password_hash($p) in my initial query concatenation and it worked. Perhaps I should include it in the bind param like this:

$loginQuery->bind_param('ss',$e,get_password_hash($p));

instead of below...

Any advice would be much appreciated.

// Array for recording errors:
$login_errors = array();

// Validate the email address:
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    $e = $_POST['email'];
} else {
    $login_errors['login'] = 'Please enter a valid email address!';
}

// Validate the password:
if (!empty($_POST['pass'])) {
    $p = $_POST['pass'];
} else {
    $login_errors['pass'] = 'Please enter your password!';
}

if (empty($login_errors)) { // OK to proceed!
    // Query the database:

    /************NO ISSUES WITH ABOVE; THIS WORKED FINE BEFORE I TRIED CONVERTING TO PREPARED STATEMENTS************/

    $pas = get_password_hash($p);
    $loginQuery = $dbc->prepare("SELECT id, username, type, IF(date_expires >= NOW(), true, false) FROM user WHERE (email= ? AND pass= ?)");
    $loginQuery->bind_param('ss', $e, $pas);
    $loginQuery->execute();
    $loginQuery->bind_result($l);

    // Fetch each matching row into the bound variable(s):
    while ($loginQuery->fetch()) {
        $login = $l;
        $_SESSION['user_id'] = $login[0];
        $_SESSION['username'] = $login[1];
    }
}

Solution

You're using the variable $p up top but you're using $pas down below.

You shouldn't be doing any of that mysql_escape_blahblahblah stuff with prepared statements, anyway. Just do this directly:

$loginQuery->bind_param('ss',$_POST['email'],$_POST['pass']);
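The following is an added example, not the asker's or the answerer's code, showing the mysqli prepared-statement pattern both posts are circling: the number of variables passed to bind_result() must equal the number of selected columns (the question binds one variable for four columns), and bind_param() type characters must match its placeholders. It assumes $dbc is an open mysqli connection, that the user table has the columns named in the query, and it swaps in PHP's password_hash()/password_verify() in place of the question's get_password_hash() so the password is never compared inside the SQL statement; all of those are assumptions about a hypothetical schema, not the original project's.

```php
<?php
// Added example (not code from the question or the answer).
// Assumptions: $dbc is an open mysqli connection; the `user` table has
// id, username, type, pass and date_expires; `pass` stores a
// password_hash() digest rather than the get_password_hash() value used
// in the question.

function login_user(mysqli $dbc, string $email, string $password): ?array
{
    // Validate input the same way the question does, before touching the DB.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return null;
    }

    // Look the user up by email only; the password is verified in PHP below,
    // so the submitted password never becomes part of the SQL statement.
    $stmt = $dbc->prepare(
        'SELECT id, username, type, pass, (date_expires >= NOW()) AS active
           FROM user WHERE email = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('s', $email);   // one placeholder, one type character
    $stmt->execute();

    // Five selected columns, so exactly five variables must be bound here.
    $stmt->bind_result($id, $username, $type, $storedHash, $active);

    $user = null;
    if ($stmt->fetch()) {
        // Timing-safe comparison of the submitted password with the stored digest.
        if (password_verify($password, $storedHash)) {
            $user = [
                'id'       => $id,
                'username' => $username,
                'type'     => $type,
                'active'   => (bool) $active,
            ];
        }
    }
    $stmt->close();
    return $user;
}

// Usage with request values (constructed names, matching the question's form fields):
// $user = login_user($dbc, $_POST['email'] ?? '', $_POST['pass'] ?? '');
// if ($user !== null) {
//     session_regenerate_id(true);        // new session id on login
//     $_SESSION['user_id']  = $user['id'];
//     $_SESSION['username'] = $user['username'];
// }
```

Because bind_result() writes each column into its own variable, the question's $login[0] / $login[1] indexing does not apply; each bound variable is read directly after fetch(). Selecting the stored hash and checking it with password_verify() also avoids the answer's suggestion of binding the raw $_POST['pass'] into the WHERE clause, which only works if the table holds plaintext passwords.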
Licensed under: CC-BY-SA with attribution