Search the Community

Hello, I hope it's ok to ask this question here. I have a registration script, but I'm not sure how to handle it efficiently and I have some questions about it. This is used in the page 'signup.php'. The class is called 'User'. I haven't noticed any errors or bugs. It would be very useful for me to be aware of my mistakes. public function regUser($uname,$upass,$upassverify) { $new_password = password_hash($upass, PASSWORD_DEFAULT); if(!password_verify($upassverify, $new_password)) { // passwords are not the same (I thought it would be better to do this after hashing, but maybe it doesn't matter or it's worse. I'm not sure about it) $info = 'pass_err'; } $stmt1 = $this->db->prepare("SELECT * FROM users WHERE username=:uname"); $stmt1->execute(array(':uname'=>$uname)); if($stmt1->rowCount() > 0) { // this username has already been used $info = 'user_err'; } if (!$info) { $stmt2 = $this->db->prepare("INSERT INTO users(username,password) VALUES(:uname, :upass)"); $stmt2->bindparam(":uname", $uname); $stmt2->bindparam(":upass", $new_password); $stmt2->execute(); // succesfully made an account $info = "success"; } header("Location:/signup.php?status=".$info); exit(); } Am I using the prepared statements as how I should be using them? Is this a safe way of handling my data or do you see vulnerabilities? I'm using PRG to prevent resubmission but I want to show a 'everything is fine' or 'oh no, something went wrong' to the one who is signinup. If I now go to signup.php?status=success, i see 'eveything is fine', without actually signing up, is there a better way to do this or can I somehow prevent everyone being able to see this? As you might have noticed in my last post, my English is not very good, sorry about that. Thanks, Fabian

Hi Trying to implement with the prepare statement, and it gives me this error. "PHP Fatal error: Call to a member function prepare() on null." Anybody knows what is wrong? function listMerchant() { $merchant = array(); $merchantList = $this->mysqli->prepare("SELECT * FROM core_merchant"); $merchantList->execute(); while($merchantRows = $merchantList->fetch_array()) { $merchant[] = $merchantRows; } $merchantList->close(); return $merchant; }

Hi, How do you split a search string by space and put it into a prepare query? $strings = $_POST['strings']; $string_array = explode(" ", $strings); $search = $mysqli->prepare(" SELECT * FROM core_table where item_name in ( ? ) "); $search->bind_param("s", $string_array); ...

I'm new to coding and prepared statements. I'm getting: "Fatal error: Call to a member function bind_param() on a non-object in /home/content/01/3251001/html/Manage-Users/acc-files/updateRecord.php on line 17" For this: <?php include "db_connect.php"; if(isset($_POST['UserID'])){ $stmt = $con -> prepare('UPDATE UserList SET Status = ?, FirstName = ?, LastName = ?, Username = ?, Email = ?, Department = ?, Manager = ?, WHERE UserID = ?'); $stmt -> bind_param('isssssss', /* Line 17 */ $_POST['Status'], $_POST['FirstName'], $_POST['LastName'], $_POST['Username'], $_POST['Email'], $_POST['Department'], $_POST['Manager'], $_POST['UserID']); $stmt->execute(); } Thank you in advance for helping.