
Okay, so I am in the process of trying to switch my queries to avoid SQL injection, but something isn't working because it never queries the DB. My query for some reason isn't working. I have copied it exactly from another Stack Overflow question.

My PHP:

// QUERY THE DB
$stmt = $DBconnection->prepare('SELECT * FROM users WHERE username = '$username' AND password = '$password'');
$stmt->bind_param('s', $search);
$stmt->execute();
$result = $stmt->get_result();

if(mysqli_num_rows($result) > 0)
{
     echo "Valid Login";
}
  • @Qirel that is where I got the code, but it isn't working. – Jayce Nov 20 '16 at 18:14
  • @arkascha the code isn't working. It doesn't query the DB, my alert(data) comes back blank and doesn't redirect. – Jayce Nov 20 '16 at 18:15
  • @user3186578 Because 1) you're not using placeholders (you have variables), 2) you have syntax errors (see the highlighting), 3) your number of expected parameters and the actual bound parameters are different. – Qirel Nov 20 '16 at 18:15
  • that isn't how the function works - RTM http://php.net/manual/en/mysqli.prepare.php – Funk Forty Niner Nov 20 '16 at 18:16

0 Answers
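The comments above point at three separate defects in the posted snippet: the SQL string is built from `$username` and `$password` instead of `?` placeholders, the single quotes inside the single-quoted PHP string are a syntax error, and `bind_param('s', $search)` binds one value to a statement that has no placeholders at all. The following is an added example (not the asker's code and not taken from the thread) showing how a mysqli prepared statement is meant to be used for this login check. It assumes a `mysqli` connection in `$DBconnection` and a `users` table whose `password_hash` column holds `password_hash()` output; both the connection credentials and the column name are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Make mysqli throw on errors instead of
// returning false silently, so a broken query shows up as an exception rather
// than as an empty result and a "blank" AJAX response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed connection details for the example only.
$DBconnection = new mysqli('localhost', 'app', 'secret', 'appdb');

/**
 * Return true when $username exists and $password matches its stored hash.
 *
 * The user-supplied values never become part of the SQL text: the query has
 * one '?' placeholder, and bind_param() ships the value separately, so an
 * input such as "' OR '1'='1" is compared literally against the username column.
 */
function isValidLogin(mysqli $db, string $username, string $password): bool
{
    // One placeholder in the SQL ...
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    // ... and exactly one type character and one variable in bind_param().
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // get_result() needs the mysqlnd driver; use bind_result()/fetch() otherwise.
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return false; // unknown username
    }

    // Compare against a password_hash() value in PHP instead of matching a
    // plaintext password column inside the SQL WHERE clause.
    return password_verify($password, $row['password_hash']);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (isValidLogin($DBconnection, $username, $password)) {
    echo "Valid Login";
}
```

If the table really does store plaintext passwords, as the original `AND password = '$password'` implies, the minimal fix that keeps that shape is `prepare('SELECT * FROM users WHERE username = ? AND password = ?')` with `bind_param('ss', $username, $password)`: the number of characters in the type string must equal the number of placeholders, and the same number of variables must follow it. Storing plaintext passwords is a separate problem from the injection, which is why the example moves the comparison to `password_verify()`.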