Mysqli prepared statements

Viewed 61 times

Hello, I have a problem. I would like to learn about prepared statements; I have this code:

// $conn (the mysqli connection) and $email (the value submitted by the user) are set earlier
$query_email = "SELECT email FROM usuarios_ WHERE email = ?";

$stmt = mysqli_stmt_init($conn);
if (mysqli_stmt_prepare($stmt, $query_email)) {
   mysqli_stmt_bind_param($stmt, 's', $email);   // bind the user value as a string parameter
   mysqli_stmt_execute($stmt);
   mysqli_stmt_bind_result($stmt, $resultado);   // one output variable per selected column
   mysqli_stmt_fetch($stmt);                     // fills $resultado when a row was found

   echo $resultado;

   mysqli_stmt_close($stmt);
}

So far so good. My question is: how do I know whether it worked or not? Since it is a login system, I have to tell the user whether the email exists or not.

  • Your code looks right, what’s the problem? Or do you want the number of rows returned?

  • Ray, I needed to know whether the query returned records or not, i.e. whether it found the email provided by the user.

1 answer

If it’s a login system, there’s a problem - I don’t know if this is all your code, but if it is, you should also check the password, never just the email. If your goal is just to inform the user whether or not the email exists (during the login process), I say this is a bad idea. You’re handing an attacker half the information he needs to break into your system.

mysqli_stmt_fetch returns true/false depending on whether a record is found; you can use this to check whether or not the email exists in your database. I think that’s what you want.

To retrieve the value persisted in your database and store it in variables, use mysqli_stmt_bind_result. There are some examples in the function documentation on how to use it.

  • Renato, yes... there is more code. Taking advantage of your experience: as I’m just starting with prepared statements and now I’m doing login with a salt, and from what I realized, login with a random salt has no way to check login and password in a single line of SQL. The way I found was this...?

  • @Dungacardoso You need to store the salt along with the encrypted email and password, that is, three fields instead of two. The login can be done in a single step (a single select), selecting the three fields from the table, concatenating the salt and performing the hash check. More information here: http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190

  • My difficulty is this... then, to do a select, I take the email... if it exists... I take the typed password... encrypt it, concatenate it with the salt and encrypt it again, and compare the result with the password in the database..

  • You encrypt the password once. If the guy types [email protected] and the password 123456, you do a select email, salt, password from users where email = email_sent; if that email exists it returns a record, right... then you take the salt you received from the select and concatenate it directly with the password (123456abcdef), then yes, encrypt it and check whether it matches. PHP has several functions to take care of passwords in its newer versions http://php.net/manual/en/faq.passwords.php

  • Exactly this... my difficulty was that when I was doing a select asking for more than one field, like select email, password, it was giving an error.. however I found that each field of the select needs a variable in the bind to receive the value... so I believe I can do everything in a single select... Thank you..

  • Look at the result: SELECT email, password, hash FROM usuarios_ WHERE email = ? and password = md5(Concat(md5(?), hash)) @Renato Tavares

  • Do not use MD5. Try something newer http://php.net/manual/en/book.password.php. MD5 is cold https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored
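The check the answer describes (using the return value of mysqli_stmt_fetch to learn whether a row exists) combined with the password handling the last comments point to (password_hash/password_verify instead of MD5 plus a hand-rolled salt), written out as an added example; this is not code from the question, the answer or the comments. It assumes a mysqli connection in $conn and a table usuarios_ with columns email and password_hash (the column name is an assumption, as are the function names), where password_hash holds the output of PHP's password_hash(), which embeds its own random salt.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumptions: $conn is an open mysqli connection; table `usuarios_` has the
// columns `email` and `password_hash` (assumed name), the latter holding the
// output of password_hash(). Function names are hypothetical.
declare(strict_types=1);

/**
 * Store a new user. password_hash() generates and embeds a random salt,
 * so no separate salt column is needed.
 */
function registerUser(mysqli $conn, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, 'INSERT INTO usuarios_ (email, password_hash) VALUES (?, ?)')) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 'ss', $email, $hash);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    mysqli_stmt_close($stmt);
}

/**
 * Single SELECT login check. Returns true only when the email exists AND the
 * password matches. The caller gets one boolean, so the response to the user
 * cannot reveal which of the two was wrong.
 */
function loginIsValid(mysqli $conn, string $email, string $typedPassword): bool
{
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, 'SELECT password_hash FROM usuarios_ WHERE email = ? LIMIT 1')) {
        // A prepare failure is a server/SQL problem, not a failed login
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }

    mysqli_stmt_bind_param($stmt, 's', $email);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }

    // One output variable per selected column
    mysqli_stmt_bind_result($stmt, $storedHash);

    // mysqli_stmt_fetch() returns true when a row was fetched, null when there
    // are no rows and false on error, so compare strictly against true.
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    if (!$found) {
        // Spend roughly the same time as a real verification so that a
        // missing email is not distinguishable from a wrong password by timing.
        password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        return false;
    }

    return password_verify($typedPassword, $storedHash);
}

// Usage (assumed $conn from mysqli_connect() and the form fields from $_POST):
// if (loginIsValid($conn, $_POST['email'] ?? '', $_POST['senha'] ?? '')) {
//     // start the session
// } else {
//     echo 'Invalid email or password';   // one message for both failure cases
// }
```

Both statements use bound parameters, so the user-supplied email never reaches the SQL text; the lookup returns only the stored hash, and the comparison is done by password_verify in PHP rather than by MD5 inside the query. Keeping a single "invalid email or password" message follows the answer's warning about not confirming which emails are registered.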
