Using prepared statements and parameterized queries in PHP and MySQLi

I am learning how to use prepared statements in my simple login system to make it more secure.

I have followed a few different tutorials to get it working but can't get it to work. When I enter the username and password wrong it gives me the error. When I enter the username and password correct I still get the error.

What am I doing wrong?

I am new to this so apologies for any obvious errors.

I have also looked into hashing my password as it is being stored as plain text in the database at the moment, but that will be my next step after I get this working.

Here is my code:

```php
<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();  // Starting Session
$error = '';      // Variable To Store Error Message

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $error = "Enter Username and Password";
    } else {
        // Define $username and $password
        $username = $_POST['username'];
        $password = $_POST['password'];

        // connect to database (defines $con)
        include('dbconx.php');

        $stmt = $con->prepare("SELECT * from admin where password=? AND username=?");
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $stmt->bind_result($id, $username, $password);
        $stmt->store_result();
        if ($stmt->num_rows == 1) {  // To check if the row exists
            $_SESSION['login_user'] = $username;  // Initializing Session
            header("location: confirm.php");      // Redirecting To Other Page
            exit;
        } else {
            $error = "Username or Password is incorrect";
        }

        $stmt->close();
        mysqli_close($con);  // Closing Connection
    }
}

?>
```

You’ve probably been looking at it too long to see it. Unless you meant to switch password and username.


Should be:

```sql
SELECT * from admin where username = ? AND password = ?
```

See if that helps.


This worked perfect! Thank you. So simple, yet I've spent a lot of time trying to solve this. The joys of coding! :joy:

How about hashing those passwords?


Yeah, I have just done that. If I posted my new code here, would you mind having a look over it? I would appreciate any advice or criticisms you may have :slight_smile:


Yes, though I’m finished here for this evening, but I’m sure someone will have a look and I may see it tomorrow.


Here is my new code, if anyone would like to give any advice on how to improve it:

```php
<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();  // Starting Session
$error = '';      // Variable To Store Error Message

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $error = "Enter Username and Password";
    } else {
        // Define $username and $password
        $username = $_POST['username'];
        $password = $_POST['password'];

        // connect to database (defines $con)
        include('dbconx.php');

        // Using prepared statements and parameterized queries for security.
        // Look the row up by username only: the password column holds a
        // password_hash() result, so it cannot be compared inside the query.
        $stmt = $con->prepare('SELECT id, username, password FROM admin WHERE username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->bind_result($id, $db_username, $hashed_password);

        // password_verify() checks the submitted plain-text password against the
        // hash that password_hash($password, PASSWORD_DEFAULT) produced when the
        // account was saved
        if ($stmt->fetch() && password_verify($password, $hashed_password)) {
            $_SESSION['login_user'] = $db_username;  // Initializing Session
            header("Location: confirm.php");         // Redirecting To Other Page
            exit;
        } else {
            $error = "Username or Password is incorrect";
        }

        $stmt->close();
        mysqli_close($con);  // Closing Connection
    }
}

?>
```
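The two points raised in this thread, matching the order of `?` placeholders to the order of `bind_param()` arguments and verifying a hashed password in PHP rather than in the `WHERE` clause, as one added example that is not the poster's code. It assumes a `mysqli` connection `$con` and the thread's `admin(id, username, password)` table with `password` holding a `password_hash()` string; the function names `register` and `login` are my own. The last few lines need no database and show why a hashed password can never be matched by `WHERE password = ?`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes $con is an open mysqli
// connection and the table admin(id, username, password) from the thread.

// Store a new account. Only the salted hash from password_hash() is written;
// the plain-text password never reaches the database.
function register(mysqli $con, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    // Placeholders are positional: the first '?' receives the first bound
    // variable, so the argument order here must follow the column order above.
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Look the account up by username only, then check the password in PHP.
// Returns the user's id on success, null on an unknown user or wrong password.
function login(mysqli $con, string $username, string $password): ?int
{
    $stmt = $con->prepare('SELECT id, password FROM admin WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $storedHash)) {
        return null;
    }

    // If PHP's default algorithm or cost has moved on since the account was
    // created, re-hash now while the plain-text password is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE admin SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
        $upd->close();
    }
    return $id;
}

// Database-free check of the hashing behaviour. Each password_hash() call
// draws a fresh random salt, so two hashes of the same password are different
// strings; an SQL equality test on the column can therefore never match, and
// password_verify() is the only correct comparison.
$hashA = password_hash('secret', PASSWORD_DEFAULT);
$hashB = password_hash('secret', PASSWORD_DEFAULT);
var_dump($hashA === $hashB);                  // the two hash strings differ
var_dump(password_verify('secret', $hashA));  // the right password verifies
var_dump(password_verify('wrong', $hashA));   // a wrong password does not
```

Running the script with `php example.php` only executes the `var_dump()` lines; `register()` and `login()` take the connection as a parameter so they can be called from a login page that has already included `dbconx.php`. Both functions bind every user-supplied value through `bind_param()`, so the username never becomes part of the SQL text.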

Off Topic:

@dannielle_buchanan: when you post code on the forums, you need to format it so it will display correctly. (I’ve edited the post above for you.)

You can highlight your code, then use the </> button in the editor window, or you can place three backticks ``` (top left key on US/UK keyboards) on a line above your code, and three on a line below your code. I find this approach easier, but unfortunately some European and other keyboards don’t have that character.

It looks as if this is happening in your other topic, so it’s probably best to keep answers to that topic rather than confusing things with two threads.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.