I have one result when I do this in phpMyAdmin:
SELECT password, block FROM jml_users WHERE username = "user01"
However in my PHP code the script does not find my user. Am I doing something wrong with $stmt->bind_param("s", $unsafe_user);?
I also tried $stmt->bind_param("s", "user01"); with no luck.
<?
include("dbinfo.php");
$unsafe_user = "user01";
$mysqli = new mysqli($loginURL, $dbusername, $dbpassword, $database);
LoginCheck();
// Kill connection
$thread_id = $mysqli->thread_id; // determine our thread id
$mysqli->kill($thread_id);
$mysqli->close();
function LoginCheck()
{
global $mysqli, $unsafe_user;
//Perpare Statement.
//if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE (username) VALUES (?)")) // this returns false for some reason
if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE username = ?")) //works, still safe form sql injection?
{
$stmt->bind_param("s", $unsafe_user);
$stmt->execute();
$stmt->bind_result($dbpw, $bdblock);
if($stmt->num_rows == 0)
{
echo "could not find user";
}
// Found user
else
{
echo "found user";
}
$stmt->close();
}
else
{
echo "Statement creation did not succeed";
}
}
?>
The first query you commented out is invalid MYSQL syntax. That type of syntax is for inserts.
Also num_rows won't work with prepared statements unless you use
$stmt->store_result();after$stmt->execute();.Check this answer in the documentation.