0

I am They try to use mysqli :: bind_param unsuccessfully . In the code , below , the function login ( ) is called with a username and password on the page login.php . Despite all efforts and guides and forums have read , continues to return the same error .

I tried both with

bind_param ( 's' , $ variable )

that with

bind_param ( 1 , $ variable )

that with

bind_param ( 'ss' , $ variable1 , $ variable2 )

and i tried query without ''

"SELECT id,org_id,org_group_id,people_id FROM users WHERE username = ? AND password = ?"

Where am I wrong ?

public function login($_username, $_password) {
    $this->sessionOpen ();

     if ($_username == "") {
        $this->log->error ( "Username vuoto" );
        throw new AuthLoginFailed ();
    }
    if ($_password == "") {
        $this->log->error ( "Password vuota" );
        throw new AuthLoginFailed ();
    }

    $db = new mysqli ( $this->sql ['server'], $this->sql ['username'], $this->sql ['password'], $this->sql ['database'] );
    if (mysqli_connect_errno ()) {
        $this->log->error ( "Errore di connessione a mysql: " . mysqli_error ( $db ) );
        throw new MysqliConnectionError ( "Mysqli error: " . mysqli_error ( $db ) );
    }

    $stmt = $db->prepare ( "SELECT id,org_id,org_group_id,people_id FROM users WHERE 'username' = ? AND 'password' = ?" );
    if (! $stmt) {
        $this->log->error ( "Mysqli prepare error: " . mysqli_error ( $db ) );
        throw new MysqliPrepareException ( "Mysqli error: " . mysqli_error ( $db ) );
    }
    echo md5 ( $_username ) . "---" . md5 ( $_password );
    //on page username and password is showed at this point
    $user=trim(md5 ( $_username ));
    $pass=trim(md5 ( $_password ));
    $stmt->bind_param ( 1,  $user);
    $stmt->bind_param ( 2,  $pass);
    /* Execute it */
    $stmt->execute ();
    if (! $stmt) {
        $this->log->error ( "Mysqli prepare error: " . mysqli_error ( $db ) );
        throw new MysqliExecuteException ( "Mysqli error: " . mysqli_error ( $db ) );
    }


    $stmt->fetch($rst);

    echo "results: " . $rst->num_rows; //output of this: results:

    if ($rst->num_rows == 0) {
        throw new AuthLoginFailed ();
    }



    /* Close statement */
    $stmt->close ();

    /* Close connection */
    $db->close ();
}

Error in the log of apache is

[Sat Oct 24 08:52:04 2015] [error] [client 192.168.253.6] PHP Warning:  mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in /www/gexy/XXXX/html/lib/Auth.php on line 77, referer: https://gexy.it/login.php
[Sat Oct 24 08:52:04 2015] [error] [client 192.168.253.6] PHP Warning:  mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in /www/gexy/XXXX/html/lib/Auth.php on line 78, referer: https://gexy.it/login.php

Many thanks to all

Improve this question

1 Answer 1

Reset to default
1

Modification is:

$stmt->bind_param ( "ss", $user, $pass); because 1 data type is not defind in bind_param (). bind_param() will take two arguments 1st one is types (i, d, s, b) corresponding datatype in your query(?) and 2nd arg are values.

Suggestion's are:

  1. Don't compare with ==, for empty string because if user enter's 3 white spaces it will not equal. use empty() for checking empty string or not.

  2. Don't call unnecessary methods, it does not have any meaning, for eg: in your code your calling trim() after md5(). md5() will not return any white space character. So calling trim(md5($username)) is meaning less.

Try to replace your code with my code hope your problem is solved.

public function login($_username, $_password) {
$this->sessionOpen ();

 if (empty($_username)) {
    $this->log->error ( "Username vuoto" );
    throw new AuthLoginFailed ();
}
if (empty($_password)) {
    $this->log->error ( "Password vuota" );
    throw new AuthLoginFailed ();
}

$db = new mysqli ( $this->sql ['server'], $this->sql ['username'], $this->sql ['password'], $this->sql ['database'] );
if (mysqli_connect_errno ()) {
    $this->log->error ( "Errore di connessione a mysql: " . mysqli_error ( $db ) );
    throw new MysqliConnectionError ( "Mysqli error: " . mysqli_error ( $db ) );
}

$stmt = $db->prepare ( "SELECT id,org_id,org_group_id,people_id FROM users WHERE 'username' = ? AND 'password' = ?" );
if (! $stmt) {
    $this->log->error ( "Mysqli prepare error: " . mysqli_error ( $db ) );
    throw new MysqliPrepareException ( "Mysqli error: " . mysqli_error ( $db ) );
}
echo md5 ( $_username ) . "---" . md5 ( $_password );
//on page username and password is showed at this point
$user=md5 ( $_username );
$pass=md5 ( $_password );
$stmt->bind_param ( "ss",  $user,$pass);
/* Execute it */
$stmt->execute ();
if (! $stmt) {
    $this->log->error ( "Mysqli prepare error: " . mysqli_error ( $db ) );
    throw new MysqliExecuteException ( "Mysqli error: " . mysqli_error ( $db ) );
}


$stmt->fetch($rst);

echo "results: " . $rst->num_rows; //output of this: results:

if ($rst->num_rows == 0) {
    throw new AuthLoginFailed ();
}



/* Close statement */
$stmt->close ();

/* Close connection */
$db->close ();
}

Let me know once your problem is solved.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

It works , and thank you for the other tips . How I see my mistake is quoting , I used ' ss ' instead of " ss ".
I also found another error bind_result , in the query I requested more than one column and I should specify more than one variable , corresponding to the required columns in bind_result . Thanks again

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.