About kielly32
  1. Why is coding so much easier without prepared statements than with? I just can't seem to grasp how to code with prepared statements, but I need my website to be safe from MySQL injection. Escape strings, check. I've got them down pat. This is my code that just doesn't work. I'm sure there are multiple errors, but it's edited from code that did work perfectly, besides the fact that it was exploitable. It throws me "Binding paramaters failed:(0)Prepare failed: (0)":

```php
<?php
/* Registration process, inserts user info into the database and sends account confirmation email message */
session_start();

// Set session variables to be used on profile.php page
$_SESSION['email'] = $_POST['email'];
$_SESSION['first_name'] = $_POST['firstname'];
$_SESSION['last_name'] = $_POST['lastname'];

// Escape all $_POST variables to protect against SQL injections
$first_name = $mysqli->escape_string($_POST['firstname']);
$last_name = $mysqli->escape_string($_POST['lastname']);
$email = $mysqli->escape_string($_POST['email']);
$password = $mysqli->escape_string(password_hash($_POST['password'], PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) );
$igname = $mysqli->escape_string($_POST['igname']);
$profileurl = $mysqli->escape_string($_POST['profileurl']);
$rules = $mysqli->escape_string($_POST['rules']);
$username2 = $mysqli->escape_string($_POST['username']);

// Check if user with that email already exists
if(!($stmt = $mysqli->prepare("SELECT * FROM users WHERE email='?' OR username='?'"))){
    echo "Prepare failed: (" . $mysqli->errno . ")" . $mysqli->error;
}
if(!$stmt->bind_param('ss', $email, $username2)){
    echo "Binding paramaters failed:(" . $stmt->errno . ")" . $stmt->error;
}
if(!$stmt->execute()){
    echo "Execute failed: (" . $stmt->errno .")" . $stmt->error;
}

if($stmt->num_rows > 0) {
    $_SESSION['message'] = 'User with this email already exists!';
    header("location: error.php");
    exit();
}elseif ($stmt->num_rows > 0){
    $_SESSION['message'] = 'User with this username already exists!';
    header("location: error.php");
    exit();
} else { // Email doesn't already exist in a database, proceed...
    //define the receiver of the email
    $to = 'kielly@website.ca';
    //define the subject of the email
    $subject = 'NEWUSER';
    //define the message to be sent. Each line should be separated with \n
    $message = "Someone has registered";
    //define the headers we want passed. Note that they are separated with \r\n
    $headers = "From: general@website.ca\r\nReply-To: webmaster@example.com";
    //send the email
    $mail_sent = @mail( $to, $subject, $message, $headers );
    //if the message is sent successfully print "Mail sent". Otherwise print "Mail failed"
    echo $mail_sent ? "Mail sent" : "Mail failed";

    // active is 0 by DEFAULT (no need to include it here)
    if(!($stmt = $mysqli->prepare("INSERT INTO users (first_name, last_name, email, password, hash, igname, profileurl, readrules, admin, username) VALUES (?,?,?,?,?,?,?,?,?,?)}"))){
        echo "Prepare failed: (" . $mysqli->errno . ")" . $mysqli->error;
    }
    if(!$stmt->bind_param('ssssisssss', $first_name, $last_name, $email, $password, $hash, $igname, $profileurl, $rules, 0, $username2)){
        echo "Binding paramaters failed:(" . $stmt->errno . ")" . $stmt->error;
    }
    if(!$stmt->execute()){
        echo "Execute failed: (" . $stmt->errno .")" . $stmt->error;
    }

    if($stmt) {
        $_SESSION['active'] = 0; //0 until user activates their account with verify.php
        $_SESSION['logged_in'] = true; // So we know the user has logged in
        $_SESSION['admin'] = 0;
        $_SESSION['message'] = "Thank you for applying. Please wait while admins check over your application. You should recieve an email shortly. (Check junk folders and allow up to 5 hours for a review)";
        header("location: usertest.php");
        exit();
    } else{
        echo "Registration failed";
    }
}
$mysqli->close();
```

  Sorry in advance for the formatting and indenting. That's the result of being messy. If anyone's willing to help me and would like the PHP pages (index.php, which includes the form, and register.php, which includes the code after the button is pressed), I'd be more than willing to upload them.
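The posted script fails for reasons that are visible in the code itself, and the fixes are worth seeing together rather than one at a time. `'?'` inside quotes is a string literal, not a placeholder, so the SELECT prepares with zero parameters and `bind_param('ss', ...)` fails; the INSERT has a stray `}` after the VALUES list, so its prepare fails; `bind_param()` takes its arguments by reference, so the literal `0` for `admin` must be a variable; `num_rows` stays 0 until `store_result()` has buffered the rows; both branches of the `if/elseif` test the same condition; `escape_string()` is unnecessary with bound parameters (the value never touches the SQL text) and would store backslashes in the table; the `echo "Mail sent"` before `header()` breaks the redirect; and `md5(rand(0,1000))` yields only 1001 possible tokens. The following is an added corrected version written for this page, not the poster's file. It assumes a `db.php` that creates `$mysqli`, the column names from the posted INSERT, and that `rules` is a short string as in the original; `mysqli_report()` turns driver errors into exceptions that go to the error log instead of being echoed to visitors.

```php
<?php
/* register.php, corrected example (not the poster's code).
 * Assumed: db.php defines $mysqli; table users(first_name, last_name, email, password,
 * hash, igname, profileurl, readrules, admin, username, active). */
session_start();
require __DIR__ . '/db.php';                                     // assumed include
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);       // SQL errors become exceptions

// No escape_string(): bound values are sent separately from the SQL text, so the
// server never parses them. Escaping here would only store stray backslashes.
$first_name = $_POST['firstname']  ?? '';
$last_name  = $_POST['lastname']   ?? '';
$email      = $_POST['email']      ?? '';
$username   = $_POST['username']   ?? '';
$igname     = $_POST['igname']     ?? '';
$profileurl = $_POST['profileurl'] ?? '';
$rules      = $_POST['rules']      ?? '';
$admin      = 0;                                   // bind_param() needs a variable, not a literal
$password   = password_hash($_POST['password'] ?? '', PASSWORD_BCRYPT);
$hash       = bin2hex(random_bytes(16));           // 128-bit activation token

// Placeholders are bare ? marks; '?' in quotes is the literal string "?".
$stmt = $mysqli->prepare('SELECT email, username FROM users WHERE email = ? OR username = ?');
$stmt->bind_param('ss', $email, $username);
$stmt->execute();
$stmt->store_result();                             // num_rows is 0 until the rows are buffered
$stmt->bind_result($dbEmail, $dbUsername);
if ($stmt->fetch()) {
    // Decide which field collided by looking at the matched row, not by testing num_rows twice.
    $_SESSION['message'] = (strcasecmp($dbEmail, $email) === 0)
        ? 'User with this email already exists!'
        : 'User with this username already exists!';
    header('Location: error.php');
    exit();
}
$stmt->close();

// Stray "}" removed from the end of the VALUES list. One type letter per placeholder, in order.
$stmt = $mysqli->prepare(
    'INSERT INTO users (first_name, last_name, email, password, hash, igname, profileurl,
                        readrules, admin, username)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssssssis', $first_name, $last_name, $email, $password, $hash,
                  $igname, $profileurl, $rules, $admin, $username);
$stmt->execute();
$stmt->close();

// Notify the admins. Nothing may be echoed before header(), so the "Mail sent" echo is gone.
$headers = "From: general@website.ca\r\nReply-To: webmaster@example.com";
mail('kielly@website.ca', 'NEWUSER', 'Someone has registered', $headers);

$_SESSION['email']      = $email;
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name']  = $last_name;
$_SESSION['active']     = 0;                       // 0 until the user activates via verify.php
$_SESSION['logged_in']  = true;
$_SESSION['admin']      = 0;
$_SESSION['message']    = 'Thank you for applying. Please wait while admins check over your '
                        . 'application. You should receive an email shortly. '
                        . '(Check junk folders and allow up to 5 hours for a review)';
header('Location: usertest.php');
exit();
```

The one rule that removes most prepared-statement confusion: the SQL string contains only `?` marks and never a user value, and every `?` gets exactly one letter in the `bind_param()` type string and one variable after it. If a prepare fails, print the SQL string you actually sent; a mismatch between the number of `?` marks and the number of bound variables is the usual cause of a "binding parameters failed" message.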
  2. Not sure if I'm even allowed to post here without any code, but I'm not asking anyone to code. I'm currently trying to design an admin panel that can manage user reports created from a report form. I have it set so only admins can access this panel via sessions, and now I need to design the form itself. The problem is I'm fairly new to PHP and barely know where to start. I need an option box to populate from a table, and that option box needs to have the values of the report IDs. I have that much done and completed. The next part is I need textboxes (report type, report comment, and admin resolution) to populate depending on the report ID (the value of the option box). From what I gathered, I either need to do that action with JS, AJAX, etc., or code it to a button. My problem is I don't know any of the code to write, nor do I know anything about any language besides PHP/HTML and CSS. I've searched, and searched, and searched, and searched all through Google, trying different keywords and phrases. All I could find were outdated guides that use MySQL. There are no guides or pre-made code that I could find that use MySQLi. Maybe I'm just crazy, but it seems there's very little in the way of how-to guides and help on the internet when it comes to MySQLi. I almost feel like reverting back to an old PHP version. So I guess my question is, does anyone know of a guide online, or a similar question with code that was resolved, that would fit this situation?
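The "populate the textboxes when the option box changes" step is a small JSON endpoint plus a few lines of browser JavaScript, and both can live in the same PHP file as the form. The following is an added example written for this page, not the poster's panel. It assumes a `db.php` that defines `$mysqli`, an admin flag in `$_SESSION['admin']` (as set in the registration code in the first post), and a hypothetical table `reports(id, report_type, report_comment, admin_resolution)`; the file name `admin_reports.php` is also an assumption. It goes a step beyond the question by also saving the admin resolution, because an admin panel that writes needs a CSRF token and the session check on every entry point, including the JSON one.

```php
<?php
/* admin_reports.php, added example (not the poster's code).
 * Assumed: db.php defines $mysqli; $_SESSION['admin'] is 1 for admins;
 * table reports(id, report_type, report_comment, admin_resolution). */
session_start();
require __DIR__ . '/db.php';                                     // assumed include
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Gate everything below, including the JSON endpoint, on the admin session flag.
if (empty($_SESSION['admin'])) {
    http_response_code(403);
    exit('Admins only');
}
// One CSRF token per session; the save form echoes it back and it is checked on POST.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}

// 1. JSON endpoint: admin_reports.php?id=42 -> the three fields for that report.
if (isset($_GET['id'])) {
    $id   = (int)$_GET['id'];                     // cast AND bind: the value never goes into the SQL text
    $stmt = $mysqli->prepare('SELECT report_type, report_comment, admin_resolution FROM reports WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();    // get_result() needs the mysqlnd driver (the default)
    header('Content-Type: application/json');
    echo json_encode($row ?: new stdClass());     // {} rather than "null" when the id does not exist
    exit();
}

// 2. Save handler: POST id + admin_resolution + csrf.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $id  = (int)($_POST['id'] ?? 0);
    $res = $_POST['admin_resolution'] ?? '';
    $stmt = $mysqli->prepare('UPDATE reports SET admin_resolution = ? WHERE id = ?');
    $stmt->bind_param('si', $res, $id);
    $stmt->execute();
    header('Location: admin_reports.php');        // redirect after POST so a refresh cannot resubmit
    exit();
}

// 3. The page: fill the <select> from the table; escape everything on output.
$ids = $mysqli->query('SELECT id FROM reports ORDER BY id')->fetch_all(MYSQLI_ASSOC);
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<!DOCTYPE html>
<form method="post">
  <input type="hidden" name="csrf" value="<?= h($_SESSION['csrf']) ?>">
  <select name="id" id="report">
    <option value="">-- pick a report --</option>
    <?php foreach ($ids as $r): ?>
      <option value="<?= (int)$r['id'] ?>"><?= (int)$r['id'] ?></option>
    <?php endforeach; ?>
  </select>
  <input type="text" id="report_type" readonly placeholder="report type">
  <textarea id="report_comment" readonly placeholder="report comment"></textarea>
  <textarea name="admin_resolution" id="admin_resolution" placeholder="admin resolution"></textarea>
  <button type="submit">Save resolution</button>
</form>
<script>
// The "ajax" step: on change, fetch the row as JSON and copy each field into its box.
document.getElementById('report').addEventListener('change', async function () {
  if (!this.value) return;
  const resp = await fetch('admin_reports.php?id=' + encodeURIComponent(this.value),
                           { credentials: 'same-origin' });
  const row = await resp.json();
  for (const f of ['report_type', 'report_comment', 'admin_resolution']) {
    document.getElementById(f).value = row[f] ?? '';
  }
});
</script>
```

The browser side does not need a framework: `fetch()` with `credentials: 'same-origin'` sends the session cookie, so the same admin check that protects the page also protects the endpoint. Note that the report ID is cast to an integer and still passed through `bind_param()`; the cast is input validation, the binding is what keeps it out of the SQL string.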