A prepared statements question
on 12.07.2009 06:31:36 by Jason Carson
Hello everyone,
I am having a problem getting my prepared statements working. Here is my
setup...
index.php -> authenticate.php -> admin.php
1)index.php has a login form on it so when someone enters their username
the form redirects to another page I call authenticate.php.
2)In the authenticate.php file I want to use prepared statements to
interact with the MySQL database. I want to compare the username submitted
from the form with the username in the database.
3)If the login username was legitimate then you are forwarded to admin.php
It's step 2 I am having problems with. Here is what I have but I don't
think it makes any sense and it doesn't work.
$link = mysqli_connect($hostname, $dbusername, $password, $database);
$stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
adminusers=?");
mysqli_stmt_bind_param($stmt, 's', $username);
$result = mysqli_stmt_execute($stmt);
$count=mysqli_num_rows($result);
if($count==1){
header("location:admin.php");
} else {
echo "Failure";
}
Any help is appreciated.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: A prepared statements question
on 12.07.2009 06:52:05 by Daniel Brown
[Redirected to PHP-DB: php-db@lists.php.net]
On Sun, Jul 12, 2009 at 00:31, Jason Carson wrote:
> Hello everyone,
>
> I am having a problem getting my prepared statements working. Here is my
> setup...
>
> index.php -> authenticate.php -> admin.php
>
> 1)index.php has a login form on it so when someone enters their username
> the form redirects to another page I call authenticate.php.
>
> 2)In the authenticate.php file I want to use prepared statements to
> interact with the MySQL database. I want to compare the username submitted
> from the form with the username in the database.
>
> 3)If the login username was legitimate then you are forwarded to admin.php
>
> Its step 2 I am having problems with. Here is what I have but I don't
> think it makes any sense and it doesn't work.
>
>
> $link = mysqli_connect($hostname, $dbusername, $password, $database);
> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> adminusers=?");
> mysqli_stmt_bind_param($stmt, 's', $username);
> $result = mysqli_stmt_execute($stmt);
>
> $count=mysqli_num_rows($result);
>
> if($count==1){
> header("location:admin.php");
> } else {
> echo "Failure";
> }
>
> Any help is appreciated.
--
daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig
Re: A prepared statements question
on 12.07.2009 09:10:16 by zareef ahmed
On Sun, Jul 12, 2009 at 10:01 AM, Jason Carson wrote:
> Hello everyone,
>
> I am having a problem getting my prepared statements working. Here is my
> setup...
>
> index.php -> authenticate.php -> admin.php
>
> 1)index.php has a login form on it so when someone enters their username
> the form redirects to another page I call authenticate.php.
>
> 2)In the authenticate.php file I want to use prepared statements to
> interact with the MySQL database. I want to compare the username submitted
> from the form with the username in the database.
>
> 3)If the login username was legitimate then you are forwarded to admin.php
>
> Its step 2 I am having problems with. Here is what I have but I don't
> think it makes any sense and it doesn't work.
>
>
> $link = mysqli_connect($hostname, $dbusername, $password, $database);
> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> adminusers=?");
No password? I hope you are only using the statement for determining the
role of an already logged-in user.
> mysqli_stmt_bind_param($stmt, 's', $username);
> $result = mysqli_stmt_execute($stmt);
>
> $count=mysqli_num_rows($result);
>
> if($count==1){
> header("location:admin.php");
> } else {
> echo "Failure";
> }
>
> Any help is appreciated.
>
You forgot to mention the problem you are facing :), "I am having
problem" statement is not good enough.
--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
Re: Re: [PHP] A prepared statements question
on 12.07.2009 11:41:14 by Kesavan Rengarajan
Why don't you consider using PDO for this purpose? Examples can be found
here: http://au.php.net/manual/en/pdo.prepare.php
On Sun, Jul 12, 2009 at 2:52 PM, Daniel Brown wrote:
> [Redirected to PHP-DB: php-db@lists.php.net]
>
>
> On Sun, Jul 12, 2009 at 00:31, Jason Carson wrote:
> > Hello everyone,
> >
> > I am having a problem getting my prepared statements working. Here is my
> > setup...
> >
> > index.php -> authenticate.php -> admin.php
> >
> > 1)index.php has a login form on it so when someone enters their username
> > the form redirects to another page I call authenticate.php.
> >
> > 2)In the authenticate.php file I want to use prepared statements to
> > interact with the MySQL database. I want to compare the username submitted
> > from the form with the username in the database.
> >
> > 3)If the login username was legitimate then you are forwarded to admin.php
> >
> > Its step 2 I am having problems with. Here is what I have but I don't
> > think it makes any sense and it doesn't work.
> >
> >
> > $link = mysqli_connect($hostname, $dbusername, $password, $database);
> > $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> > adminusers=?");
> > mysqli_stmt_bind_param($stmt, 's', $username);
> > $result = mysqli_stmt_execute($stmt);
> >
> > $count=mysqli_num_rows($result);
> >
> > if($count==1){
> > header("location:admin.php");
> > } else {
> > echo "Failure";
> > }
> >
> > Any help is appreciated.
Re: Re: [PHP] A prepared statements question
on 12.07.2009 16:01:58 by Niel Archer
>
> [Redirected to PHP-DB: php-db@lists.php.net]
>
>
> On Sun, Jul 12, 2009 at 00:31, Jason Carson wrote:
> > Hello everyone,
> >
> > I am having a problem getting my prepared statements working. Here is my
> > setup...
> >
> > index.php -> authenticate.php -> admin.php
> >
> > 1)index.php has a login form on it so when someone enters their username
> > the form redirects to another page I call authenticate.php.
> >
> > 2)In the authenticate.php file I want to use prepared statements to
> > interact with the MySQL database. I want to compare the username submitted
> > from the form with the username in the database.
> >
> > 3)If the login username was legitimate then you are forwarded to admin.php
> >
> > Its step 2 I am having problems with. Here is what I have but I don't
> > think it makes any sense and it doesn't work.
> >
> >
> > $link = mysqli_connect($hostname, $dbusername, $password, $database);
> > $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> > adminusers=?");
> > mysqli_stmt_bind_param($stmt, 's', $username);
> > $result = mysqli_stmt_execute($stmt);
> >
> > $count=mysqli_num_rows($result);
> >
> > if($count==1){
> > header("location:admin.php");
> > } else {
> > echo "Failure";
> > }
> >
> > Any help is appreciated.
The main problem is you are not testing your results. With that code
you do not even know if you have a connection or not. I'd say there is
a good chance you do not have error reporting enabled or you would have
picked up the error straight away.
mysqli_stmt_execute returns a boolean indicating success or failure.
You are trying to use it as a result set, which will not work. Replace:
$count=mysqli_num_rows($result);
with:
mysqli_stmt_store_result($stmt);
$count = mysqli_stmt_num_rows($stmt);
--
Niel Archer
Re: Re: [PHP] A prepared statements question
on 12.07.2009 20:10:58 by Jason Carson
>>
>> [Redirected to PHP-DB: php-db@lists.php.net]
>>
>>
>> On Sun, Jul 12, 2009 at 00:31, Jason Carson wrote:
>> > Hello everyone,
>> >
>> > I am having a problem getting my prepared statements working. Here is my
>> > setup...
>> >
>> > index.php -> authenticate.php -> admin.php
>> >
>> > 1)index.php has a login form on it so when someone enters their username
>> > the form redirects to another page I call authenticate.php.
>> >
>> > 2)In the authenticate.php file I want to use prepared statements to
>> > interact with the MySQL database. I want to compare the username submitted
>> > from the form with the username in the database.
>> >
>> > 3)If the login username was legitimate then you are forwarded to admin.php
>> >
>> > Its step 2 I am having problems with. Here is what I have but I don't
>> > think it makes any sense and it doesn't work.
>> >
>> >
>> > $link = mysqli_connect($hostname, $dbusername, $password, $database);
>> > $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
>> > adminusers=?");
>> > mysqli_stmt_bind_param($stmt, 's', $username);
>> > $result = mysqli_stmt_execute($stmt);
>> >
>> > $count=mysqli_num_rows($result);
>> >
>> > if($count==1){
>> > header("location:admin.php");
>> > } else {
>> > echo "Failure";
>> > }
>> >
>> > Any help is appreciated.
>
> The main problem is you are not testing your results. With that code
> you do not even know if you have a connection or not. I'd say there is
> a good chance you do not have error reporting enabled or you would have
> picked up the error straight away.
>
> mysqli_stmt_execute returns a boolean indicating success or failure.
> You are trying to use it as a result set, which will not work. Replace:
>
> $count=mysqli_num_rows($result);
>
> with:
>
> mysqli_stmt_store_result($stmt);
> $count = mysqli_stmt_num_rows($stmt);
>
That did it, everything is working now. Thank you very much :-)
Re: A prepared statements question
on 12.07.2009 21:25:15 by Jason Carson
> Hello everyone,
>
> I am having a problem getting my prepared statements working. Here is my
> setup...
>
> index.php -> authenticate.php -> admin.php
>
> 1)index.php has a login form on it so when someone enters their username
> the form redirects to another page I call authenticate.php.
>
> 2)In the authenticate.php file I want to use prepared statements to
> interact with the MySQL database. I want to compare the username submitted
> from the form with the username in the database.
>
> 3)If the login username was legitimate then you are forwarded to admin.php
>
> Its step 2 I am having problems with. Here is what I have but I don't
> think it makes any sense and it doesn't work.
>
>
> $link = mysqli_connect($hostname, $dbusername, $password, $database);
> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> adminusers=?");
> mysqli_stmt_bind_param($stmt, 's', $username);
> $result = mysqli_stmt_execute($stmt);
>
> $count=mysqli_num_rows($result);
>
> if($count==1){
> header("location:admin.php");
> } else {
> echo "Failure";
> }
>
> Any help is appreciated.
For anyone reading this thread, here is the final code that I used...
$link = mysqli_connect($hostname, $username, $password, $database);
$stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
adminusers=?);
mysqli_stmt_bind_param($stmt, "s", $adminuser);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$count = mysqli_stmt_num_rows($stmt);
if($count==1){
header("location:admin.php");
} else {
echo "Failure";
}
Re: A prepared statements question
on 12.07.2009 22:29:53 by news.NOSPAM.0ixbtqKe
On Sun, 12 Jul 2009 15:25:15 -0400 (EDT), "Jason Carson" wrote:
> For anyone reading this thread, here is the final code that I used...
>
> $link = mysqli_connect($hostname, $username, $password, $database);
> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> adminusers=?);
> mysqli_stmt_bind_param($stmt, "s", $adminuser);
> mysqli_stmt_execute($stmt);
> mysqli_stmt_store_result($stmt);
> $count = mysqli_stmt_num_rows($stmt);
>
> if($count==1){
> header("location:admin.php");
> } else {
> echo "Failure";
> }
You should always check for errors, so...
/* without actually testing or checking against the manual */
$q = "SELECT * FROM administrators WHERE adminusers=?";
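/* Each assignment is parenthesised: && binds tighter than =, so without
   the parentheses $link and $stmt would receive booleans. */
if ( ($link = mysqli_connect($hostname, $username, $password, $database))
&& ($stmt = mysqli_prepare($link, $q))
&& mysqli_stmt_bind_param($stmt, "s", $adminuser)
&& mysqli_stmt_execute($stmt)
&& mysqli_stmt_store_result($stmt))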
{
$count = mysqli_stmt_num_rows($stmt);
} else {
/* Of course, at this point it would be nice to know which
function failed. I don't think there is a neat way to
find that out, and checking every function for errors
would make the code look much much worse than using the
old mysql[i]_query functions. Bleah. */
}
/Nisse
Re: A prepared statements question
on 12.07.2009 22:32:55 by Eddie Drapkin
> if ( ($link = mysqli_connect($hostname, $username, $password, $database))
> && ($stmt = mysqli_prepare($link, $q))
> && mysqli_stmt_bind_param($stmt, "s", $adminuser)
> && mysqli_stmt_execute($stmt)
> && mysqli_stmt_store_result($stmt))
> {
> $count = mysqli_stmt_num_rows($stmt);
> } else {
> /* Of course, at this point it would be nice to know which
> function failed. I don't think there is a neat way to
> find that out, and checking every function for errors
> would make the code look much much worse than using the
> old mysql[i]_query functions. Bleah. */
> }
>
>
> /Nisse
>
Not to sort of start (another) holy war on this list, but it's ugly
blocks of code like this that pushed me into using PDO.
This, IMO, is so much easier to read:
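try {
// the catch block only fires if $pdo uses PDO::ERRMODE_EXCEPTION
$stmt = $pdo->prepare("SELECT * FROM administrators WHERE adminusers = ?");
$stmt->bindValue(1, $adminuser);
$stmt->execute();
$count = count($stmt->fetchAll()); // PDOStatement has no numRows()
} catch (PDOException $p) {
//do stuff
}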
I would much rather try/catch exceptions than clutter up code with
hundreds of if/elseif/else statements.
This is just my opinion, of course :)
Re: A prepared statements question
on 13.07.2009 05:18:20 by Daniel Brown
2009/7/12 Eddie Drapkin :
>
> This is just my opinion, of course :)
Which is welcome. Preferably, on the php-db@ list, but welcome
nonetheless. ;-P
--
daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig
Re: A prepared statements question
on 15.07.2009 07:53:06 by List Manager
Jason Carson wrote:
>> Hello everyone,
>>
>> I am having a problem getting my prepared statements working. Here is my
>> setup...
>>
>> index.php -> authenticate.php -> admin.php
>>
>> 1)index.php has a login form on it so when someone enters their username
>> the form redirects to another page I call authenticate.php.
>>
>> 2)In the authenticate.php file I want to use prepared statements to
>> interact with the MySQL database. I want to compare the username submitted
>> from the form with the username in the database.
>>
>> 3)If the login username was legitimate then you are forwarded to admin.php
>>
>> Its step 2 I am having problems with. Here is what I have but I don't
>> think it makes any sense and it doesn't work.
>>
>>
>> $link = mysqli_connect($hostname, $dbusername, $password, $database);
>> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
>> adminusers=?");
>> mysqli_stmt_bind_param($stmt, 's', $username);
>> $result = mysqli_stmt_execute($stmt);
>>
>> $count=mysqli_num_rows($result);
>>
>> if($count==1){
>> header("location:admin.php");
>> } else {
>> echo "Failure";
>> }
>>
>> Any help is appreciated.
> For anyone reading this thread, here is the final code that I used...
>
> $link = mysqli_connect($hostname, $username, $password, $database);
> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
> adminusers=?);
> mysqli_stmt_bind_param($stmt, "s", $adminuser);
> mysqli_stmt_execute($stmt);
> mysqli_stmt_store_result($stmt);
> $count = mysqli_stmt_num_rows($stmt);
>
> if($count==1){
> header("location:admin.php");
> } else {
> echo "Failure";
> }
>
>
I hope not, because you have a parse error on your second line, mysqli_prepare()
Might want to close your double-quoted string
--
Jim Lucas
Re: A prepared statements question
on 21.07.2009 20:33:37 by Shawn McKenzie
Jim Lucas wrote:
> Jason Carson wrote:
>>> Hello everyone,
>>>
>>> I am having a problem getting my prepared statements working. Here is my
>>> setup...
>>>
>>> index.php -> authenticate.php -> admin.php
>>>
>>> 1)index.php has a login form on it so when someone enters their username
>>> the form redirects to another page I call authenticate.php.
>>>
>>> 2)In the authenticate.php file I want to use prepared statements to
>>> interact with the MySQL database. I want to compare the username
>>> submitted
>>> from the form with the username in the database.
>>>
>>> 3)If the login username was legitimate then you are forwarded to
>>> admin.php
>>>
>>> Its step 2 I am having problems with. Here is what I have but I don't
>>> think it makes any sense and it doesn't work.
>>>
>>>
>>> $link = mysqli_connect($hostname, $dbusername, $password, $database);
>>> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
>>> adminusers=?");
>>> mysqli_stmt_bind_param($stmt, 's', $username);
>>> $result = mysqli_stmt_execute($stmt);
>>>
>>> $count=mysqli_num_rows($result);
>>>
>>> if($count==1){
>>> header("location:admin.php");
>>> } else {
>>> echo "Failure";
>>> }
>>>
>>> Any help is appreciated.
>> For anyone reading this thread, here is the final code that I used...
>>
>> $link = mysqli_connect($hostname, $username, $password, $database);
>> $stmt = mysqli_prepare($link, "SELECT * FROM administrators WHERE
>> adminusers=?);
>> mysqli_stmt_bind_param($stmt, "s", $adminuser);
>> mysqli_stmt_execute($stmt);
>> mysqli_stmt_store_result($stmt);
>> $count = mysqli_stmt_num_rows($stmt);
>>
>> if($count==1){
>> header("location:admin.php");
>> } else {
>> echo "Failure";
>> }
>>
>>
>
> I hope not, because you have a parse error on your second line,
> mysqli_prepare()
>
> Might want to close your double-quoted string
>
> --
> Jim Lucas
Not to mention that I don't see $adminuser defined anywhere. If it's
from a form and register_globals are off, maybe $_POST['adminuser'].
--
Thanks!
-Shawn
http://www.spidean.com
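
The replies in this thread point at three gaps in the final code: no password check, no way to tell which mysqli call failed, and an undefined $adminuser. The authenticate.php below is an added example, not code from any poster, that closes all three using mysqli_report() exceptions, password_verify() and $_POST. The password_hash column, the form field names adminuser and adminpass, and the connection values are assumptions.

```php
<?php
// authenticate.php: added example, not code posted in the thread.
// Assumed (not in the thread): a password_hash column filled by password_hash(),
// form fields "adminuser" and "adminpass", and the placeholder credentials below.
$hostname = 'localhost'; $dbusername = 'app'; $password = 'placeholder'; $database = 'site';

// Make every mysqli call throw mysqli_sql_exception instead of returning false,
// so one try/catch replaces the chain of && checks and still says what failed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Returns the stored hash for $adminuser, or null when no such row exists. */
function find_admin_hash(mysqli $link, string $adminuser): ?string
{
    // Name the one column needed instead of SELECT *.
    $stmt = mysqli_prepare(
        $link,
        "SELECT password_hash FROM administrators WHERE adminusers = ?"
    );
    mysqli_stmt_bind_param($stmt, "s", $adminuser);  // value travels separately from the SQL text
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);               // true on a row, null when none matched
    mysqli_stmt_close($stmt);
    return $found ? $hash : null;
}

/** Form fields must be strings; array input (adminuser[]=x) is treated as empty. */
function post_string(string $name): string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
}

session_start();
$adminuser = post_string('adminuser');   // read from $_POST, not register_globals
$adminpass = post_string('adminpass');

try {
    $link = mysqli_connect($hostname, $dbusername, $password, $database);
    $hash = find_admin_hash($link, $adminuser);
} catch (mysqli_sql_exception $e) {
    // The exception carries the failing call's message, file and line.
    error_log(sprintf('login query failed: %s (%s:%d)',
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    exit('Login unavailable');
}

// A matching username alone proves nothing; the password must verify too.
if ($hash !== null && password_verify($adminpass, $hash)) {
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['adminuser'] = $adminuser;  // admin.php has to check this itself
    header('Location: admin.php');
    exit;                                 // header() alone does not stop the script
}
http_response_code(401);
echo 'Failure';
```

The redirect only protects admin.php if admin.php itself checks $_SESSION['adminuser'] before rendering anything.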