-1

I have a login page (login.php) and below is the code I am trying to use to authenticate the user by using mysqli_prepare:

if(!$_POST["username"] || !$_POST["password"])
{
    echo "Username and Password fields are mandatory.";
}
else
{
    $unsafe_username = $_POST["username"];
    $unsafe_password = md5($_POST["password"]);
    $query=mysqli_prepare($con, "select user_id from users where user_name= ? and password= ? ");
    $query->bind_param("ss", $unsafe_username, $unsafe_password);
    $query->execute();
    $data = $query->get_result();

    if(is_array($data))
    {
       echo "Login successful";
    }
    else
    {
       echo "Login failed";
    }
}

Below is the code used for making the MySQL connection:

function connect_database()
{
    $con = mysqli_connect("servername", "username", "", "dbname");
    if (!$con) 
    {
        $con = "";
        echo("Database connection failed: " . mysqli_connect_error());
    }
    return $con;
}

By using mysqli_prepare, I am getting the following warning and error messages:

Warning: mysqli_prepare() expects exactly 2 parameters, 1 given

Fatal error: Call to a member function bindParam() on null

I asked a similar question two days ago, but did not get any complete solution. (Prevent SQL Injection to Login Page in PHP and MySQL).

Please help me resolve the problem. Is this the best approach to protect my DB from SQL injection?

KP Joy
  • You have to supply the second argument to `mysqli_prepare()` like so: `mysqli_prepare($connection,"SELECT * FROM table");`. – KIKO Software Jul 11 '16 at 09:45
  • missing connection variable $query=mysqli_prepare($con,"select user_id from users where user_name= ? and password= ? "); – JYoThI Jul 11 '16 at 09:45
  • Mixing `mysqli with PDO` at `bindParam` – Saty Jul 11 '16 at 09:46
  • Please actually read the manual and see the examples: http://php.net/mysqli_prepare – deceze Jul 11 '16 at 09:50
  • Was typing this as you deleted your question just now: Since this site is live, add a new column to this table called `hash_type`, and then set it to `md5` for all rows. Change the size of the `password` column to be big enough to store newer hashtypes (e.g. varchar(128)). Then, as users log in, dynamically change their hash type to the new format - a nice easy way to get users to re-hash their accounts. – halfer Jul 11 '16 at 12:55
  • You asked a [question](http://stackoverflow.com/q/38307263) that you delete around now, seem to still be struggling with security. For a login routine with modern hashing, see this for [mysqli](http://stackoverflow.com/a/33665819) and this one for [pdo](http://stackoverflow.com/a/32556010) and good luck – Drew Jul 11 '16 at 13:32
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 11 '16 at 21:20

3 Answers

1

You have to add the $con variable to the prepare function:

$query=mysqli_prepare($con,"SELECT user_id FROM users WHERE user_name= ? AND password= ? ");

Aniruddha Chakraborty
1

Missing connection variable $con:

$query=mysqli_prepare($con,"select user_id from users where user_name= ? and password= ? ");

And change this too:

$query->bind_Param("ss", $unsafe_username, $unsafe_password);
           ^^^ 
JYoThI
  • By making your change, now I am getting this error: Fatal error: Call to undefined method mysqli_stmt::bindParam() – KP Joy Jul 11 '16 at 09:52
  • @KPJ I'm not sure where you get your information from, but you seem to be doing piecemeal mix-and-matching between different database APIs. mysqli indeed has nothing called `bindParam`. It *does* have something called `bind_param`. Again, you should actually read the manual and stick to the examples shown there: http://php.net/mysqli_prepare – deceze Jul 11 '16 at 09:55
  • I updated my answer, try it now @KPJoy – JYoThI Jul 11 '16 at 09:59
  • @jothi - I am getting no error now, but I am not able to login. My query is right, and the username and password are also in the database, but even then it's not working. What am I missing now? – KP Joy Jul 11 '16 at 10:26
  • Did you set display_errors=on in the php.ini file? – JYoThI Jul 11 '16 at 10:39
  • @jothi - Yes. I am checking for is_array. I think that is wrong. I have updated my question with exact syntax. – KP Joy Jul 11 '16 at 10:47
  • 1
    $data = $query->get_result(); $data = mysqli_fetch_assoc($data); if(is_array($data)) { echo "Login successful"; } else { echo "Login failed"; } add this line @KPJoy – JYoThI Jul 11 '16 at 10:51
1

The procedural style of mysqli_prepare expects the first parameter to be the connection variable and second one to be the string (query).

Change

mysqli_prepare("select user_id from users where user_name= ? and password= ? ");

to

mysqli_prepare($conn, "select user_id from users where user_name= ? and password= ? ");

Read the documentation here.

Basit
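The answers above fix the missing connection argument, and JYoThI's last comment fixes the is_array() check; the comments by halfer and Jay Blanchard separately point out that MD5 should be replaced by password_hash() and that a live site can migrate per user at login time. The following login routine, added here as an example and not code from the asker or any answerer, pulls those pieces together. It assumes the `users` table from the question plus the `hash_type` column halfer proposed ('md5' for legacy rows, 'password_hash' once migrated); the connection credentials are placeholders.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes a `users` table
// with user_id, user_name, password and the assumed `hash_type` column
// ('md5' for legacy rows, 'password_hash' after migration).
declare(strict_types=1);

// Throw on prepare/execute failures instead of returning false, so a broken
// statement cannot be mistaken for "Login failed".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_database(): mysqli
{
    // Placeholder credentials; mysqli_connect() throws on failure (see above).
    return mysqli_connect("servername", "username", "", "dbname");
}

/**
 * Returns the user_id on success, or null when the credentials do not match.
 * User input never reaches the SQL text: it travels only as bound
 * parameters, which is what actually prevents SQL injection here.
 */
function authenticate(mysqli $con, string $username, string $password): ?int
{
    // Look up by user name only; the password is checked in PHP, so the
    // stored hash never has to equal a value the client supplied.
    $stmt = mysqli_prepare(
        $con,
        "SELECT user_id, password, hash_type FROM users WHERE user_name = ?"
    );
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);

    // get_result() returns a mysqli_result object, never an array, which is
    // why the question's is_array($data) always fell through to "Login
    // failed". Fetch a row from it instead (requires the mysqlnd driver).
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if (!$row) {
        return null; // unknown user
    }

    if ($row['hash_type'] === 'md5') {
        // Legacy row: compare the unsalted MD5 in constant time, then
        // upgrade it while the plaintext is still available.
        if (!hash_equals($row['password'], md5($password))) {
            return null;
        }
        upgrade_hash($con, (int) $row['user_id'], $password);
        return (int) $row['user_id'];
    }

    // Migrated row: password_verify() reads salt and algorithm from the hash.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

function upgrade_hash(mysqli $con, int $userId, string $password): void
{
    // Column must be wide enough for bcrypt/argon2 output (e.g. varchar(255)).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare(
        $con,
        "UPDATE users SET password = ?, hash_type = 'password_hash' WHERE user_id = ?"
    );
    mysqli_stmt_bind_param($stmt, "si", $hash, $userId);
    mysqli_stmt_execute($stmt);
}

// login.php usage; the raw password is passed through untouched (no
// escaping or trimming), exactly as it will be hashed and verified.
if (empty($_POST["username"]) || empty($_POST["password"])) {
    echo "Username and Password fields are mandatory.";
} else {
    $con = connect_database();
    $userId = authenticate($con, $_POST["username"], $_POST["password"]);
    echo $userId !== null ? "Login successful" : "Login failed";
}
```

Once every row carries hash_type = 'password_hash', the md5 branch and the column can be dropped. Keeping the SELECT keyed on user_name only (rather than user_name AND password as in the question) is what makes the per-user upgrade possible, since the legacy hash must be read before it can be verified and replaced.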