rootKID Posted December 10, 2014 (edited)

OK, this doesn't make any sense to me... I literally created a new user in the database with the username "MA_01" and password "WebKode1234", crypt is $6$rounds=959000$SimpleSourceMade$rDHvP/nvcww3SlQcbaGZzeCHC74xpyRiY76eokE5CJEmn3DNZ.jcfzVo2C2wkYEJXbgp.6NiokqfA/vN7ts0i. I even tried the way you said, Ingolme; the only problem is that whenever I tried to log in with the password "WebKode1234", it only sends me back to the login screen with the error from the else statement I made on the login screen (No users were found in our database). So not sure, because I can't select anything at the moment :/ Ideas? :/
justsomeguy Posted December 10, 2014

Well, how are you going to troubleshoot that? Maybe you should select the record from the database with that username, print out the password hash from the database, print the hash that you calculated from the password entered on the login form, and compare them.
rootKID Posted December 11, 2014

OK lol, this explains a lot... I double-checked my SQL... forgot I changed the "usersname & password" to "user_username & user_password".... Now I have another problem. OK, not a problem, more like a question. If I wanted to check INSIDE the if statement like before, if there was a user then run, else send the user back to the login page with an error? Is there a way? I did try this one:

    //if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1)

but since that was on the actual if statement line, I commented it out. Besides, I had a feeling it would not work, that I'm aware of? Wrong? If any of you has any ideas that would be awesome! Thanks!
Ingolme Posted December 11, 2014

First you execute the query, then you do comparisons with whatever data has been returned from the query.
justsomeguy Posted December 11, 2014

You could combine all of those things into a single if statement, but it's going to make error checking difficult and if you see that in the future you might not have any idea what you're doing. It's better to just separate them into individual statements for clarity rather than trying to jam everything into an if statement.
rootKID Posted December 11, 2014

Hmm, OK, not sure if I understood this one correctly, but this is my code:

    // Query
    $query = "SELECT user_id, user_username, user_first_name, user_last_name, user_password FROM users WHERE user_username=? AND user_password=?";
    if ($stmt = $mysqli->prepare($query))
    //if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1)
    {
        // Catch user details!
        $username = $_POST['username'];
        $password = crypt( $_POST['password'], '$6$rounds=959000$SimpleSourceMadeReal$' ); // Make the salt unique for each password

        // Input parameters that are put into the query before you execute it
        $stmt->bind_param('ss', $username, $password);

        // execute statement
        $stmt->execute();

        // Set output variables, these are the data from the database fields:
        // -> user_id, user_username, user_first_name, user_last_name and user_password
        $stmt->bind_result($user_id, $user_username, $user_firstname, $user_lastname, $user_password);

        // Fetch data from the query
        $stmt->fetch();
        // Thats it, nothing more.

        //$count = $stmt->num_rows;
        if($stmt->num_rows == 1)
        {
            $_SESSION['admin'] = array();
            $_SESSION['admin']['u_id'] = $user_id;
            $_SESSION['admin']['username'] = $user_username;
            $_SESSION['admin']['firstname'] = $user_firstname;
            $_SESSION['admin']['lastname'] = $user_lastname;
            $_SESSION['admin']['password'] = $user_password;

            // close statement
            $stmt->close();

            // close connection
            $mysqli->close();

            header("location: index.php");
        }
        else
        {
            // Send user back to login page with error
            // ERR MSG: No match found in DB! Try again!
            header("location: login.php?err=match");
        }
    }
    else
    {
        // Send user back to login page with error
        // ERR MSG: We have a problem with our database! Try again later!
        header("location: login.php?err=dbsqlerr");
    }

I execute like you say, I even make the "fetch" part... however, I still get back to the login page for some reason, did I get this wrong Oo?
justsomeguy Posted December 11, 2014

Which error do you get? Do you have PHP set to display and report all errors?
rootKID Posted December 12, 2014

I don't get any errors, that is one of the problems actually. It's just sending me to the login page with the error without telling me if it's because of the details I was writing wrong? Or because the code was wrong :/ And yes, I have enabled ALL errors to report.
justsomeguy Posted December 12, 2014

I meant which one of these is it doing:

    header("location: login.php?err=match");
    header("location: login.php?err=dbsqlerr");
rootKID Posted December 14, 2014

Sorry for the late reply, this is the error URL it gives me: login.php?err=match Ideas Oo? This is my code:

    // Query
    $query = "SELECT user_id, user_username, user_first_name, user_last_name, user_password FROM users WHERE user_username=? AND user_password=?";
    if ($stmt = $mysqli->prepare($query))
    //if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1)
    {
        // Catch user details!
        $username = $_POST['username'];
        $password = crypt( $_POST['password'], '$6$rounds=959000$SimpleSourceMadeReal$' ); // Make the salt unique for each password

        // Input parameters that are put into the query before you execute it
        $stmt->bind_param('ss', $username, $password);

        // execute statement
        $stmt->execute();

        // Set output variables, these are the data from the database fields:
        // -> user_id, user_username, user_first_name, user_last_name and user_password
        $stmt->bind_result($user_id, $user_username, $user_firstname, $user_lastname, $user_password);

        // Fetch data from the query
        $stmt->fetch();
        // Thats it, nothing more.

        //$count = $stmt->num_rows;
        if($stmt->num_rows == 1)
        {
            $_SESSION['admin'] = array();
            $_SESSION['admin']['u_id'] = $user_id;
            $_SESSION['admin']['username'] = $user_username;
            $_SESSION['admin']['firstname'] = $user_firstname;
            $_SESSION['admin']['lastname'] = $user_lastname;
            $_SESSION['admin']['password'] = $user_password;

            // close statement
            $stmt->close();

            // close connection
            $mysqli->close();

            header("location: index.php");
        }
        else
        {
            // Send user back to login page with error
            // ERR MSG: No match found in DB! Try again!
            header("location: login.php?err=match");
        }
    }
    else
    {
        // Send user back to login page with error
        // ERR MSG: We have a problem with our database! Try again later!
        header("location: login.php?err=dbsqlerr");
    }
justsomeguy Posted December 15, 2014

Well, look at where that redirection happens. It's in an else statement, so obviously the if statement isn't true. Maybe print out the value you're testing to see why. If the query isn't returning any results then print out the values you're using for it and compare against the database.
funbinod Posted December 16, 2014

Can you please explain what are these 'i' or 'ss' (or any other available options) used in stmt->bind_param? How and when are these used? I've got confused about this ever since I've heard about the prepared statements....
Ingolme Posted December 16, 2014

It's right in the manual: http://php.net/manual/en/mysqli-stmt.bind-param.php Scroll down to "types"
rootKID Posted December 18, 2014

First of all, thanks for the answers. Second of all, regarding the "types", what is b and d? All it says are "blob and double"... not sure what those are? Third of all, I will test the thing you said, SomeGuy, when home, I'm out atm. Will update you later and tell you all what I figure out. Thanks
Ingolme Posted December 18, 2014

"blob" is binary data (Binary Large OBject), which is like a string of characters with codes from 0 to 255. You would use this if you were storing data from binary files, like images and other media. "double" is for numbers with decimals. It's called that because it has double the precision of an ordinary floating point number. I don't think PHP actually has normal floats, just doubles.
funbinod Posted December 20, 2014

Thank you! It helped me a lot. Another question regarding the same topic... At http://php.net/manual/en/mysqli-stmt.bind-param.php there is a prepared statement as example...

    $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
    $stmt->bind_param('sssd', $code, $language, $official, $percent);

What I didn't understand is --- how can this statement understand in which column the values will be inserted???
Ingolme Posted December 20, 2014

The order of the parameters tells it where to put things. Since "d" is the fourth parameter then it will be put where the fourth placeholder is.
funbinod Posted December 20, 2014

I got an error on the same type of query.. this is my first try on prepared statements so please consider my mistake...

    $username = mysqli_real_escape_string($mysqli, $_POST['username']);
    if($rstmt = $mysqli->prepare("SELECT salt,active FROM user WHERE username='$username'")) {
        $rstmt->execute();
        $rstmt->bind_result('ss', $salt,$active);
        $rstmt->fetch();
    }
    $password = hash('sha512', mysqli_real_escape_string($mysqli, $_POST['password'] . $salt));

This query returned the error

    Fatal error: Cannot pass parameter 1 by reference

Please guide....
Ingolme Posted December 21, 2014

You seem to have mistaken bind_result() for bind_param(). The syntax is different. bind_result() does not use the first parameter for data types. Read the manual: http://php.net/manual/en/mysqli-stmt.bind-result.php

Don't put variables in the query string, put placeholders:

    'SELECT salt,active FROM user WHERE username=?'

If you put a variable in the query string you're missing half of the purpose of prepared statements.
funbinod Posted December 21, 2014

Thank you. I understood the problem. But I'm still encountering a problem. Please find some error in the following, if any----

    $username = mysqli_real_escape_string($mysqli, $_POST['username']);
    if($rstmt = $mysqli->prepare("SELECT salt,password FROM user WHERE username=?")) {
        $rstmt->bind_param('s', $username);
        $rstmt->execute();
        $rstmt->bind_result($salt,$dbPass);
        $rstmt->fetch();
    }
    $password = hash('sha512', mysqli_real_escape_string($mysqli, $_POST['password']).$salt);
    if($stmt=$mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")){
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $stmt->store_result();
        if($stmt->num_rows()!=0) {
            $stmt->bind_result($uid1, $cid1, $name, $uname, $dbPass, $typ);
            $stmt->fetch();
        } else {
            $_SESSION['error']="Username and Password didnot match on our database!";
            return false;
        }
    }
Ingolme Posted December 21, 2014

What is it doing and what did you expect it to do? Don't use mysqli_real_escape_string with prepared statements. Just forget that that function exists, it's only there for backwards compatibility with the old mysql library. Are you doing the exact same hashing procedure you did when adding the password to the database?
funbinod Posted December 22, 2014 (edited)

Oh OK. I will remove escape string. Yes, I did the exact hashing procedure while adding the password to the database. It worked before with the MySQLi query method. I tried to change it to prepared statements but it did not return the data for the columns...

EDIT: I found that it is showing an error on this statement query---

    if($stmt = $mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")) {
Ingolme Posted December 22, 2014

What does the error say?
funbinod Posted December 22, 2014 (edited)

I dunno! But it returns the query on the "else" segment, not on the "if" segment. See the following---

    if($stmt = $mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")) {
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $stmt->bind_result($uid1, $cid1, $name, $uname, $dbPass, $typ);
        $stmt->fetch();
        echo 'result:'.$uid1.','.$cid1;
    } else {
        echo 'error'; // it returns this block.....
    }
Ingolme Posted December 22, 2014

    } else {
        echo $mysqli->error;
    }
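
Added example, not part of any post in this thread: the advice given above (placeholder for the username, run the query first and compare the hash afterwards, report `$mysqli->error` when `prepare()` fails) put together in one flow. The helper names `fetch_user()` and `check_login()`, the demo row and its password are constructed for illustration; the table and column names are taken from rootKID's query.

```php
<?php
// Added example; fetch_user() and check_login() are hypothetical helper names.

// Look the account up by username only; the password is never part of the WHERE clause.
function fetch_user(mysqli $db, string $username): ?array
{
    $sql  = 'SELECT user_id, user_username, user_password FROM users WHERE user_username = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // prepare() failed: report the server's message instead of a generic redirect
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);     // one placeholder, one 's' (string) type
    $stmt->execute();
    $stmt->store_result();                 // buffer the rows so num_rows is meaningful
    if ($stmt->num_rows !== 1) {
        $stmt->close();
        return null;
    }
    $stmt->bind_result($id, $name, $hash); // no type string here, only output variables
    $stmt->fetch();
    $stmt->close();
    return ['id' => $id, 'username' => $name, 'hash' => $hash];
}

// Compare in PHP: password_verify() re-runs crypt() with the salt and rounds
// embedded in the stored hash and compares the result in constant time.
function check_login(?array $user, string $password): bool
{
    return $user !== null && password_verify($password, $user['hash']);
}

// Constructed sample row standing in for a database result, so this part runs without MySQL.
$row = [
    'id'       => 1,
    'username' => 'demo_user',
    'hash'     => crypt('constructed-password', '$6$rounds=5000$ConstructedSalt0$'),
];

var_dump(check_login($row, 'constructed-password')); // matching password
var_dump(check_login($row, 'wrong-password'));       // wrong password
var_dump(check_login(null, 'constructed-password')); // no such user
```

Because the salt is read back from the stored hash, each account can have its own salt, and the stored hash does not need to be copied into the session after a successful check.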