
Prepared select query login


Mudsaf


if ($stmt = $con->prepare("SELECT <username> FROM <accounts> WHERE <username> = ? AND <password> = ?")) {
    $username = <username>;
    $password = <password>;
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->fetch();
    $rows = mysqli_stmt_num_rows($stmt);
    if ($rows == 1) {
        printf ("%s, %s", $username, $password);
        echo $rows;
    } else {
        printf ("%s, %s", $username, $password);
        echo $rows;
    }
}

I tried to figure out how to see if the query rows match, but at the moment $rows displays 0 even with correct data. So how do I check if the user has logged in with a prepared select query?


I assume the real username and password are not as in the code, yes?

One way to check your query is to print out the query, and run it via mysql command line, or in an application like MySQLWorkbench or phpMyAdmin and confirm if the query works directly against the DB.

 

I think the issue is that your query is wrong. I would expect a SELECT statement to be something like:

$sql = "SELECT someColumn FROM tableName WHERE username = {$username} and password = {$password}";
Edited by thescientist

Are you sure the field name is "<username>" rather than "username" and the table is "<accounts>"?

To count the rows, try $rows = $stmt->num_rows


Yeah, I'm sure those are correct data.

$rows = $stmt->num_rows(); //Returned 0 as well while data was correct @ Database.

//Taste my code :/
if ($stmt = $con->prepare("SELECT userName FROM ms_accounts WHERE userName = ? AND userPass = ?")) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->fetch();
    $rows = $stmt->num_rows();
    if ($rows == 1) {
        printf ("%s, %s", $username, $password);
        echo $rows;
    } else {
        printf ("%s, %s", $username, $password);
        echo $rows;
    }
}

Getting no errors but rows = 0


In object-oriented style, num_rows is a property, not a method, so it doesn't use the parentheses ().

Since PHP didn't throw any errors, I suppose that's not the problem. If the query says that no rows were returned, that means that your query didn't return anything. Try to check the database through other means.


Well, I'm wondering what the method is in MySQLi to check if a user exists in the database, like it was in MySQL below.

$result = mysql_query("SELECT * FROM accounts WHERE username = '$username' AND password = '$password'");
$rows = mysql_num_rows($result);
if ($rows == 1) {
    echo "User data found.";
}

The SQL query worked with data.

SELECT * FROM ms_accounts WHERE userName = ? AND userPass = ?

//This fixed my problem
if($stmt->fetch()) {
    echo "SUCCESS";
} else {
    echo "WRONG UNAME OR PW";
}
Edited by Mudsaf

bind_param should be either a named parameter, where :user is the placeholder:

$stmt->bind_param(':user', $username);

OR

a numeric placeholder '?', like...

$stmt->bind_param(0, $username);

or directly pass parameters to execute()

$stmt->execute([$user,$password]);

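The login check discussed in this thread, as an added example that is not code from any of the posts: on a mysqli prepared statement num_rows is only populated after store_result(), and the lookup below replaces the md5() comparison with password_hash()/password_verify(). The table and column names come from the thread; that userPass holds password_hash() output, the function name verify_login, and the connection values are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes ms_accounts.userPass holds
// password_hash() output (the thread stores md5() instead).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function verify_login(mysqli $con, string $username, string $password): bool
{
    // Look the account up by name only; the password never goes into the query.
    $stmt = $con->prepare('SELECT userPass FROM ms_accounts WHERE userName = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // Buffer the result set. Without this, num_rows stays 0 until every row
    // has been fetched, which is the symptom reported in the thread.
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);

    $hash = null;
    if ($found) {
        $stmt->bind_result($hash);
        $stmt->fetch();
    }
    $stmt->close();

    // Always run password_verify so a missing account costs about the same
    // time as a wrong password. The fallback hash matches no known password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $found ? $hash : $dummy);

    return $found && $ok;
}

// Usage. Host, credentials and database name are placeholders.
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$u = $_POST['username'] ?? '';
$p = $_POST['password'] ?? '';

// Reject array-valued form fields before they reach the typed parameters.
if (is_string($u) && is_string($p) && verify_login($con, $u, $p)) {
    echo 'SUCCESS';
} else {
    echo 'WRONG UNAME OR PW';
}
```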
