Prepared statement keeps returning empty (!$stmt->errno) with my login script

<?php
session_start();
include("connect.php");
include("db.php");

if (isset($_POST['loginSubmit'])) {

    $sql = "SELECT email,password,status FROM reg_db WHERE email=?, password=? AND status=?;";

    $stmt = $db->stmt_init();

    if (!$stmt->errno) {
        header("Location:login.php?err=" . urlencode("Prepared statement error!"));
        exit();
    } else {

        $stmt->prepare($sql);

        $stmt->bind_param('ssi', $_POST['email'], $_POST['password'], $row['status']);

        $stmt->execute();

        $stmt->bind_result($email, $password, $status);

        $stmt->store_result();

        while ($stmt->fetch()) {

            if ($row['status'] == 1 && $_POST['email'] === $row['email']) {
                if (password_verify($_POST['password'], $row['password'])) {
                    $row['email'] = $_SESSION['email'];
                    header("Location:index.php");
                    exit();

                } else {
                    header("Location:login.php?err=" . urlencode("Wrong Email or Password!"));
                    exit();

                }
            } else {
                header("Location:login.php?err=" . urlencode("The user account is not activated!"));
                exit();

            }
        }
    }
}
?>

When I try to log in, it returns this part:

	if (!$stmt->errno) {
		header("Location:login.php?err=" . urlencode("Prepared statement error!"));
		exit(); 
	

The email and password are correct.
Can someone please show me what I’m doing wrong?

This:

SELECT email,password,status FROM reg_db WHERE email=?, password=? AND status=?;

That’s not valid SQL.


Thank you so much

Also:

password=?

If the password is hashed (as it should be) that will never be true, unless you bind the hashed version. But best to select by a unique value like email and validate using the function.

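Putting both replies together (a valid WHERE clause, lookup by the unique email only, and password_verify() against the stored hash), here is the login check rewritten as an added example; it is not the asker's code or a reply from the thread. It assumes connect.php creates a mysqli connection in $db and that reg_db has email, password (a password_hash() value) and status columns, as in the question.

```php
<?php
// Added example, not the original poster's code. Assumes connect.php sets up
// $db (mysqli) and reg_db(email, password = password_hash() value, status).
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently
require "connect.php";

function authenticate(mysqli $db, string $email, string $password): ?string
{
    // Select by the unique key only. The password column holds a hash, so
    // "password = ?" bound to the plain-text input would never match.
    $stmt = $db->prepare(
        "SELECT email, password, status FROM reg_db WHERE email = ?"
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($dbEmail, $hash, $status);

    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Same message as a wrong password, so the response does not reveal
        // which email addresses are registered.
        return 'Wrong Email or Password!';
    }
    if (!password_verify($password, $hash)) {
        return 'Wrong Email or Password!';
    }
    if ((int) $status !== 1) {
        return 'The user account is not activated!';
    }
    return null; // success
}

if (isset($_POST['loginSubmit'], $_POST['email'], $_POST['password'])) {
    $error = authenticate($db, $_POST['email'], $_POST['password']);
    if ($error !== null) {
        header('Location: login.php?err=' . urlencode($error));
        exit();
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['email'] = $_POST['email']; // assignment direction fixed from the original
    header('Location: index.php');
    exit();
}
```

With MYSQLI_REPORT_STRICT enabled, a prepare() failure raises a mysqli_sql_exception, so there is no need for the inverted `!$stmt->errno` check from the original.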

The password is hashed. Thank you, I will make the changes.
