Tom8001 Posted January 7, 2015

Hey, so this is my register script

```php
<?php

error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', 1);

require 'connect.php';

echo "<title> Register </title>";

if(isset($_POST['register'])) {

    $username = trim($_POST['username']);
    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);
    $password = hash('sha512', $_POST['password']);

    if(!$_POST['username'] OR !$_POST['password']) {
        die("You must enter a username and password!");
    }

    $stmt = $con->prepare("INSERT INTO usrs_usr (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $password);
    $stmt->get_result();
    var_dump($stmt);
    $stmt->execute();

    echo "New user has been created successfully";

    $stmt->close();
    $conn->close();
}

?>
```

Now the problem is I have done a variable dump which outputs nothing, and the only error I am getting is

```
Fatal error: Call to a member function bind_param() on a non-object
```

Tom8001 Posted January 7, 2015 (edited)

I can't figure out what's happening.

Edited January 7, 2015 by Tom8001

cyberRobot Posted January 7, 2015

Is your database object stored in $con or $conn? The code seems to use both:

```php
<?php
$con->prepare(...
//...
$conn->close();
?>
```

cyberRobot Posted January 7, 2015

Also, have you tried seeing if MySQL is throwing errors?

http://php.net/manual/en/mysqli-stmt.error.php

Tom8001 Posted January 7, 2015

It's ok, I changed

```php
$stmt->close();
$conn->close();
```

to

```php
$stmt->close();
$con->close();
```

and the variables were wrong when I was binding the parameters. The variable dump now outputs

```
object(mysqli_stmt)#2 (10) {
  ["affected_rows"]=> int(0)
  ["insert_id"]=> int(0)
  ["num_rows"]=> int(0)
  ["param_count"]=> int(2)
  ["field_count"]=> int(0)
  ["errno"]=> int(0)
  ["error"]=> string(0) ""
  ["error_list"]=> array(0) { }
  ["sqlstate"]=> string(5) "00000"
  ["id"]=> int(1)
}
New user has been created successfully
```

and everything is successful. However, in my login script when I try to log in it says the username or password is incorrect. Now I think I have done something wrong when trying to hash the password. Here is my login script

```php
<?php

session_start();

error_reporting(E_ALL | E_NOTICE);

include 'header.php';
require 'connect.php';

if(isset($_SESSION['loggedIn'])) {

    echo "<br><br><br><br><br><br><br><center>You are already logged in, <a href='logout.php'><h3>click here</h3></a> if you want to logout</center>";
    echo "<div id='index'><button><a href='index.php'>Index Page</a></div>";
    echo "<style> a {color: #ff0000; font-weight: bold; text-decoration: none;} a:hover {color: #000;} #index {position: absolute; top: 80; left: 60;} #index button:hover {border: 2px solid #ff0000;}</style>";
    exit();
}

if(isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = $_POST['password'];
    $password = hash('sha512', $_POST['password']);

    if($username&&$password) {

    } else {
        die("Please enter a username and password");
    }

    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);

    $sql = $con->prepare("SELECT username, password, user_level, active FROM $tbl_name WHERE username=? AND password=? AND active=? AND user_level=?");
    $sql->bind_param("ssii", $username, $password, $active, $user_level);
    $sql->execute();
    $row = $sql->fetch();

    $user_level = $row['user_level'];
    $active = $row['active'];

    if($sql->num_rows == 1) {

        if($row['active'] == 1) {

            if($row['user_level'] == 1) {
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['user_level'] = 1;
                $_SESSION['active'] = 1;
                $_SESSION['loggedIn'] = 1;
                header("Location: admin.php");
                exit();
            }

            $_SESSION['user_level'] = 0;
            $_SESSION['active'] = 1;
            $_SESSION['loggedIn'] = 1;
            $_SESSION['username'] = $_POST['username'];
            header("Location: index.php");
            exit();

        } else if($row['active'] == 0) {
            header("Location: banned.php");
            $_SESSION['active'] = 0;
        }

    } else {
        echo "Username / Password is incorrect!";
        exit();
    }
}

?>
```

I have also dumped the variables in my login script, which outputs

```
object(mysqli_stmt)#1 (10) {
  ["affected_rows"]=> int(-1)
  ["insert_id"]=> int(0)
  ["num_rows"]=> int(0)
  ["param_count"]=> int(4)
  ["field_count"]=> int(4)
  ["errno"]=> int(0)
  ["error"]=> string(0) ""
  ["error_list"]=> array(0) { }
  ["sqlstate"]=> string(5) "00000"
  ["id"]=> int(1)
}
```

I don't get any errors apart from my custom message "Username or Password is incorrect"

ginerjm Posted January 7, 2015

Also - re-read your code. You escape a couple of fields and then hash the un-escaped one. You also go to the trouble of grabbing the post values before you check to even see if there are any values. Kinda backwards, no?

Also - try to add some error checking on your actions. Check the connection results. Check the prepare result. Then do your query.

IMHO - something doesn't seem right here. I've not used mysqli (PDO) but as I read the manual this is the order of things:

- build query
- prepare query stmt
- bind params to stmt
- execute the stmt
- get_result
- loop thru the results obtained from get_result using fetch_array/fetch_assoc

You do the get_result before the execute AND you don't assign the get_result to anything. Read the manual and see if you agree with my impression.

Tom8001 Posted January 7, 2015

I changed

```php
if(isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = $_POST['password'];
    $password = mysqli_real_escape_string($con, hash('sha512', $password));
```

and

```php
$sql->get_result($sql);
```

Before I execute the statement.

ginerjm Posted January 7, 2015

The execute should come first. You have nothing to 'get' until you run it.

Tom8001 Posted January 8, 2015

Thanks for that, it's weird how I can make such an idiotic mistake, but that cleared a few things up. Thanks

Tom8001 Posted January 8, 2015

I have changed all the things that I have done wrong but it is still not working. This is my updated script

```php
<?php

session_start();

error_reporting(E_ALL | E_NOTICE);

include 'header.php';
require 'connect.php';

if(isset($_SESSION['loggedIn'])) {

    echo "<br><br><br><br><br><br><br><center>You are already logged in, <a href='logout.php'><h3>click here</h3></a> if you want to logout</center>";
    echo "<div id='index'><button><a href='index.php'>Index Page</a></div>";
    echo "<style> a {color: #ff0000; font-weight: bold; text-decoration: none;} a:hover {color: #000;} #index {position: absolute; top: 80; left: 60;} #index button:hover {border: 2px solid #ff0000;}</style>";
    exit();
}

if(isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = $_POST['password'];
    $password = mysqli_real_escape_string($con, hash('sha512', $password));

    if($username&&$password) {

    } else {
        die("Please enter a username and password");
    }

    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);

    $sql = $con->prepare("SELECT username, password, user_level, active FROM $tbl_name WHERE username=? AND password=? AND active=? AND user_level=?");
    $sql->bind_param("ssii", $username, $password, $active, $user_level);
    $sql->execute();
    $sql->get_result();
    var_dump($sql);
    $row = $sql->fetch_assoc();

    $user_level = $row['user_level'];
    $active = $row['active'];

    if($sql->num_rows > 0) {

        if($row['active'] == 1) {

            if($row['user_level'] == 1) {
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['user_level'] = 1;
                $_SESSION['active'] = 1;
                $_SESSION['loggedIn'] = 1;
                header("Location: admin.php");
                exit();
            }

            $_SESSION['user_level'] = 0;
            $_SESSION['active'] = 1;
            $_SESSION['loggedIn'] = 1;
            $_SESSION['username'] = $_POST['username'];
            header("Location: index.php");
            exit();

        } else if($row['active'] == 0) {
            header("Location: banned.php");
            $_SESSION['active'] = 0;
        }

    } else {
        echo "Username / Password is incorrect!";
        exit();
    }
}

?>
```

And I get the following error

```
Fatal error: Call to undefined method mysqli_stmt::fetch_assoc() in /home/www/ps3modding.co.uk/webdir/login.php on line 47
```

I ran a variable dump here

```
object(mysqli_stmt)#1 (10) {
  ["affected_rows"]=> int(0)
  ["insert_id"]=> int(0)
  ["num_rows"]=> int(0)
  ["param_count"]=> int(4)
  ["field_count"]=> int(4)
  ["errno"]=> int(0)
  ["error"]=> string(0) ""
  ["error_list"]=> array(0) { }
  ["sqlstate"]=> string(5) "00000"
  ["id"]=> int(1)
}
```

And even without the error it still says username or password is incorrect. Also, not sure if this has anything to do with it, but here is my register script

```php
<?php

error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', 1);

require 'connect.php';

echo "<title> Register </title>";

if(isset($_POST['register'])) {

    $username = trim($_POST['username']);
    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);
    $password = hash('sha512', $_POST['password']);

    if(!$_POST['username'] OR !$_POST['password']) {
        die("You must enter a username and password!");
    }

    $stmt = $con->prepare("INSERT INTO $tbl_name (username, password) VALUES (?, ?)");
    $stmt->bind_param('ss', $username, $password);
    $stmt->get_result();
    var_dump($stmt);
    $stmt->execute();

    echo "New user has been created successfully";

    $stmt->close();
    $con->close();
}

?>
```

I think it is to do with the password encryption, I have done something wrong but I don't know what.

Barand Posted January 8, 2015

fetch_assoc() is a method of the mysql_result class, not statement class. Use

```php
$result = $sql->get_result();
$row = $result->fetch_assoc();
```

As you are using a prepared query you do not escape the variables with real_escape_string.

Tom8001 Posted January 9, 2015

I have made the following changes,

```php
$result = $sql->get_result();
$row = $result->fetch_assoc();
```

And have removed real_escape_string from the username and password variables. This is my current code

```php
<?php

session_start();

error_reporting(E_ALL | E_NOTICE);

include 'header.php';
require 'connect.php';

if(isset($_SESSION['loggedIn'])) {

    echo "<br><br><br><br><br><br><br><center>You are already logged in, <a href='logout.php'><h3>click here</h3></a> if you want to logout</center>";
    echo "<div id='index'><button><a href='index.php'>Index Page</a></div>";
    echo "<style> a {color: #ff0000; font-weight: bold; text-decoration: none;} a:hover {color: #000;} #index {position: absolute; top: 80; left: 60;} #index button:hover {border: 2px solid #ff0000;}</style>";
    exit();
}

if(isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = $_POST['password'];
    $password = mysqli_real_escape_string($con, hash('sha512', $password));

    if($username&&$password) {

    } else {
        die("Please enter a username and password");
    }

    $sql = $con->prepare("SELECT username, password, user_level, active FROM $tbl_name WHERE username=? AND password=? AND active=? AND user_level=?");
    $sql->bind_param("ssii", $username, $password, $active, $user_level);
    $sql->execute();
    $result = $sql->get_result();
    $row = $result->fetch_assoc();

    $user_level = $row['user_level'];
    $active = $row['active'];

    if($result == 1) {

        if($row['active'] == 1) {

            if($row['user_level'] == 1) {
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['user_level'] = 1;
                $_SESSION['active'] = 1;
                $_SESSION['loggedIn'] = 1;
                header("Location: admin.php");
                exit();
            }

            $_SESSION['user_level'] = 0;
            $_SESSION['active'] = 1;
            $_SESSION['loggedIn'] = 1;
            $_SESSION['username'] = $_POST['username'];
            header("Location: index.php");

        } else if($row['active'] == 0) {
            header("Location: banned.php");
            $_SESSION['active'] = 0;
            exit();
        }

    } else {
        echo "Username / Password is incorrect!";
        exit();
    }
}

?>
```

I don't get any errors, it automatically redirects to banned.php even when I enter a fake username and password.

Barand Posted January 9, 2015

> And have removed real_escape_string from the username and password variables.

No, you haven't.

And what makes you think $result should == 1?

Tom8001 Posted January 9, 2015

```php
$password = mysqli_real_escape_string($con, hash('sha512', $password));
```

Didn't see that one. and what?

maxxd Posted January 9, 2015

Where are you instantiating $user_level and $active? I see them as query parameters for your select query, then they're assigned values returned from the query, but they're not set before you use them in the bind_param() statement.

Barand Posted January 9, 2015 (edited)

> Return Values
> Returns a resultset or FALSE on failure.

You have

```php
if ($result == 1)
```

"1" is not false nor is it a resultset.

Edited January 9, 2015 by Barand

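The points raised in the replies above (check the prepare result, execute before get_result, fetch from the result object, bind only values that are set, no real_escape_string on bound parameters), combined into one login flow as an added example that is not part of any post in the thread. It assumes connect.php provides $con and $tbl_name as in the posted scripts and that get_result() is available (mysqlnd driver); find_user() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumes connect.php provides $con
// (mysqli) and $tbl_name, as the posted scripts do. find_user() is hypothetical.
session_start();
require 'connect.php';
// Returns the matching row, or null when the lookup or password check fails.
function find_user(mysqli $con, $tbl_name, $username, $password)
{
    $stmt = $con->prepare(
        "SELECT username, password, user_level, active FROM $tbl_name WHERE username = ?"
    );
    if ($stmt === false) {              // the "bind_param() on a non-object" case
        error_log('prepare failed: ' . $con->error);
        return null;
    }
    $stmt->bind_param('s', $username);  // bound value: no real_escape_string
    if (!$stmt->execute()) {            // execute first, then ask for results
        error_log('execute failed: ' . $stmt->error);
        return null;
    }
    $result = $stmt->get_result();      // a mysqli_result, or false on failure
    $row = ($result === false) ? null : $result->fetch_assoc(); // null: no such user
    $stmt->close();
    // Same sha512 scheme the register script stores, compared in constant time
    // (hash_equals needs PHP 5.6+). password_hash()/password_verify() are PHP's
    // purpose-built functions, but using them means changing the register script too.
    $hash = hash('sha512', $password);
    return (is_array($row) && hash_equals((string) $row['password'], $hash)) ? $row : null;
}

if (isset($_POST['submit'])) {
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $row = ($username !== '' && $password !== '')
        ? find_user($con, $tbl_name, $username, $password) : null;
    if ($row === null) {
        exit('Username / Password is incorrect!');
    }
    if ((int) $row['active'] !== 1) {   // active and user_level come from the row
        header('Location: banned.php');
        exit();
    }
    $_SESSION['username']   = $row['username'];
    $_SESSION['user_level'] = (int) $row['user_level'];
    $_SESSION['active']     = 1;
    $_SESSION['loggedIn']   = 1;
    header((int) $row['user_level'] === 1 ? 'Location: admin.php' : 'Location: index.php');
    exit();
}
```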