JC99 Posted July 12, 2009

Hello everyone,

I am having a problem getting my "prepared statements" working. Here is my setup...

index.php -> authenticate.php -> admin.php

1) index.php has a login form on it so when someone enters their username the form redirects to another page I call authenticate.php.

2) In the authenticate.php file I want to use prepared statements to interact with the MySQL database. I want to compare the username submitted from the form with the username in the database.

3) If the login username was legitimate then you are forwarded to admin.php

Here is what I have but I don't think it makes any sense and it doesn't work.

```php
$link = mysqli_connect($hostname, $dbusername, $password, $database);

$stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE adminusers=?");

mysqli_stmt_bind_param($stmt, 'ss', $username);

$result = mysqli_stmt_execute($stmt);

$count=mysqli_num_rows($result);

if($count==1){
    header("location:admin.php");
}
else {
    echo "Failure";
}
```

Any help is appreciated.

JC99 Posted July 12, 2009

ok, I have the following code using mysqli but it is not using prepared statements. Anyone know how I can modify it to use prepared statements?

```php
<?php
$connect = mysqli_connect($hostname, $username, $password, $database);

$sql="SELECT * FROM administrators WHERE adminusers='$adminuser'";
$result=mysqli_query($connect, $sql);

$count=mysqli_num_rows($result);

if($count==1){
    header("location:admin.php");
}
else {
    echo "Failure";
}
?>
```

Philip Posted July 12, 2009

It's been a while, and this is untested.... but:

```php
$query = "SELECT * FROM administrators WHERE adminusers=?";
if($dbh = $connect->prepare($query)) {
    // bind the parameters:
    $dbh->bind_param('s', $adminuser);
    // execute
    $dbh->execute();
    if(!$connect->error) {
        while($row = $dbh->fetch_assoc()) {
            echo $row['column']; // echo a row, or whatever you want to do.
        }
    } else {
        echo $connect->error;
    }
}
```

JC99 Posted July 12, 2009

ok, I am new to programming so I don't understand what you are doing plus it didn't work.

Thanks anyways

Philip Posted July 12, 2009

Well, what errors did it give? The way I did it is the way I'm used to, OOP style. Do the following comments help:

```php
// Create the query string, notice the ? as a placeholder
$query = "SELECT * FROM administrators WHERE adminusers=?";

// Prepare the statement, but only run it if it doesn't fail
if($dbh = $connect->prepare($query)) {
    // If we are here, then the prep didn't fail...

    // bind the parameters (I'm guessing $adminuser is a string, thus the 's')
    $dbh->bind_param('s', $adminuser);

    // execute your query
    $dbh->execute();

    // As long as there wasn't an error,
    if(!$connect->error) {
        // We should loop through the results
        while($row = $dbh->fetch_assoc()) {
            // and echo the row, or whatever.
            echo $row['column'];
        }
    } else {
        // but if we got here, there was an error.
        echo $connect->error;
    }
} else {
    // and if we got here, the prepare call didn't work. so let's see why:
    echo $connect->error;
}
```

JC99 Posted July 12, 2009

ok, I have it working now. For anyone reading this post and needing help here is what I have...

```php
$link = mysqli_connect($hostname, $username, $password, $database);

$stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE adminusers=?");

mysqli_stmt_bind_param($stmt, "s", $adminuser);

$result = mysqli_stmt_execute($stmt);

mysqli_stmt_store_result($stmt);

$count = mysqli_stmt_num_rows($stmt);
```

KingPhillip: Thanks for commenting your code, but I am new to programming and PHP and have not yet learned OOP style :-)
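
A complete authenticate.php built on the procedural calls from the final post, as an added example that is not code from the thread: it checks each mysqli call for failure and stops the script after the redirect. The POST field name `adminuser`, the helper name `admin_exists` and the connection values are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names come from
// the thread; the POST field 'adminuser', the helper name and the connection
// values below are assumptions.
mysqli_report(MYSQLI_REPORT_OFF); // report errors through return values, checked below

// Returns true when exactly one row matches, false when none or several do,
// and null when a database call itself failed.
function admin_exists($link, $adminuser)
{
    $stmt = mysqli_prepare($link, "SELECT adminusers FROM administrators WHERE adminusers = ?");
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($link));
        return null;
    }
    // One placeholder, so exactly one type letter: 's' for string.
    mysqli_stmt_bind_param($stmt, 's', $adminuser);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return null;
    }
    // Buffer the result set so mysqli_stmt_num_rows() reports the real count.
    mysqli_stmt_store_result($stmt);
    $count = mysqli_stmt_num_rows($stmt);
    mysqli_stmt_close($stmt);
    return $count === 1;
}

// Placeholder connection settings (constructed values).
$hostname = 'localhost'; $username = 'app_user';
$password = 'change-me'; $database = 'app_db';
$link = mysqli_connect($hostname, $username, $password, $database);
if ($link === false) {
    error_log('connect failed: ' . mysqli_connect_error());
    exit('Failure');
}

// A value such as "o'brien" is sent as data; its quote never becomes SQL text.
$adminuser = isset($_POST['adminuser']) ? (string) $_POST['adminuser'] : '';
if (admin_exists($link, $adminuser) === true) {
    header('Location: admin.php');
    exit; // stop here so nothing after the redirect runs
}
echo 'Failure';
```

The same username placed directly into the query string, as in the second post, would be parsed as part of the SQL, which is the difference the bound parameter removes.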