php - Prepared mysqli

Asked

Viewed 32 times

0

I created this code, and it says that it does not find any record, even knowing that the registration exists and the email and the pass are right.

Error and always "INVALID USERNAME/PASSWORD Combination!"

$uid = mysqli_real_escape_string($con, sanitize($_POST['email']));
$pwd = mysqli_real_escape_string($con, sanitize($_POST['password']));

$stmt = $con->prepare("SELECT email, password FROM public_users WHERE email = ? AND password = ? LIMIT 1");
$stmt->bind_param('is', $uid, $pwd);
$stmt->execute();
$stmt->bind_result($uid, $pwd);
$stmt->store_result();

if($stmt->num_rows == 1) {

    if($stmt->fetch()) {

       if(password_verify($pwd, $hashed_password)) {

          echo "Combination!";

       } else {

          echo "PASSWORD Combination!";
       }

    }

} else {
    echo "INVALID USERNAME/PASSWORD Combination!";
}

$stmt->close();

where I’m going wrong people?

php

  • Only one bank record comes? Because if more than one comes, it will never enter the if..

  • Forget about Limit 1, I took it back, but it’s still a mistake

1 answer

0


Email and password fields are text (varchar for example) correct? In this case, your query is missing quotes:

$stmt = $con->prepare("SELECT email, password FROM public_users WHERE email = '?' AND password = '?' LIMIT 1");

  • yes they are, something in the code is wrong.. I have not yet understood...

  • tested using the simple quotes in the parameters as I put in the answer? like this '?'

  • same mistake, I don’t think that’s why...

  • yes, parameter declaration is wrong, see command bind_param, you are passing "is", ie you will pass an internal parameter (i) and another string(s), and obviously email is not integer, the correct is $stmt->bind_param('ss', $uid, $pwd)

  • got it, I saw that we can’t have password inside, just email

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.