How do I return this value in PHP?

Question

I'm having a problem with this code:

$loginrequest = $mysqli->prepare(
    "SELECT name, password, salt FROM users WHERE name = ? OR email = ?");
$loginrequest->bind_param("ss", $login, $login);
$loginrequest->execute();
$loginrequest->bind_result($name, $encrypted_password, $salt);

while ($loginrequest->fetch()) {

  $hash = $this->checkhashSSHA($salt, $password);

  if ($encrypted_password == $hash) {
    return $name;
  }
  else {
    return false;
  }
}

As you can see I want to check a user login, and if the password is correct I want to return the username, otherwise false.

But don't I have to close the $mysqli query doing this?

$loginrequest->close();
$mysqli->close();

Because the value $name is only available in the while loop (if I understood this correctly). I mean I could declare a string before and change it to the $name value, but is it necessary to close her?

By the way I can't use store_result since the PHP Version is too old.

Why would you want to use a while loop for this, there can be only one user row? — jtheman, Dec 08 '12 at 00:14
If you call `$mysqli->close()` you will no longer have access to the connection; this is different from calling close on the statement (`$loginrequest->close()`) — NullUserException, Dec 08 '12 at 00:14
And you need not close your mysqli; it will close automatically. — RonaldBarzell, Dec 08 '12 at 00:15
On another note, calling a hashed password "encrypted" is a misnomer. Also, if possible, use a dedicated password hashing function like bcrypt or PBKDF2. Here's why: http://security.stackexchange.com/a/6415/4665 — NullUserException, Dec 08 '12 at 00:18
@NullUserException But if I do `$loginrequest->close()`, wouldnt that stop the fetch() method and kick me out of the loop? — Lotzki, Dec 08 '12 at 00:23
Because I found it [here](http://stackoverflow.com/questions/8321096/call-to-undefined-method-mysqli-stmtget-result) aswell as [here](http://php.net/manual/en/mysqli-stmt.fetch.php) in the examples. Though I wondered about this I though this is necessary, isn't it? — Lotzki, Dec 08 '12 at 00:28
Also the so called "hash" method is actually creating a salted base64 string which I think is secure enough — Lotzki, Dec 08 '12 at 00:35
No it's not. Just write: `$loginrequest->fetch();` You only need to bind the parameters once. Also you probably want to check the return on that - if it's false there was an error, if it's NULL there was no user. — Philip Whitehouse, Dec 09 '12 at 00:35

score 0 · Accepted Answer · answered Dec 09 '12 at 01:33

Closing statement doesn't unbound fetched variables.
You fetch one row and return, so the while can be removed.

This will compare password and close statement:

    $loginrequest->fetch();
    $loginrequest->close();
    $hash = $this->checkhashSSHA($salt, $password);
    if ($encrypted_password == $hash)
      return $name;
    return false;

How do I return this value in PHP?

1 Answers1