Olamilekan Oshodi Olamilekan Oshodi - 2 months ago 7
PHP Question

php mysqli non prepared to prepare statement

so i have a login page which works very well using php mysqli, but is non prepare so i usually use mysqli_real_escape to secure the data.

But am now migrating to using prepared statement, have manage this with my register page and this as work very well.

here is my non prepared login code:

$loginQuery = "select * from user where user_name = '$user_name' AND password = '$password'";
$result = mysqli_query($con,$loginQuery);
if(mysqli_num_rows($result)){

$row = mysqli_fetch_array($result);

// password verify
if (password_verify($password, $row['password'])) {

$_SESSION['user_id'] = $row['id'];
$_SESSION['user_name'] = strtoupper($row['user_name']);
$user_type = strtolower($row['user_type']);
if(strtolower($user_type) == 'member'){

$_SESSION['user_type'] = 'member';
//header('Location: member-dashboard-home.php');
header('Location: profile.php');

}elseif(strtolower($user_type) == 'admin' || strtolower($user_type) == 'leader'){

$_SESSION['user_type'] = strtolower($user_type);
//header('Location: admin-dashboard-home.php');
header('Location: profile.php');
}


}else{
$_SESSION['main_notice'] = "Invalid login details!";
header('Location: '.$_SERVER['PHP_SELF']);exit();
}


And below is my effort in using prepared statement.

$stmt = $mysqli->prepare("SELECT user_name FROM user WHERE user_name = ? ");
$stmt->bind_param('s', $user_name);
$stmt->execute();
$stmt->bind_result($user_name);
if($res = $stmt->num_rows()){

$row = $stmt->fetch_array($res);

// password verify
if (password_verify($password, $row['password'])) {

$_SESSION['user_id'] = $row['id'];
$_SESSION['user_name'] = strtoupper($row['user_name']);
$user_type = strtolower($row['user_type']);
if(strtolower($user_type) == 'member'){

$_SESSION['user_type'] = 'member';
//header('Location: member-dashboard-home.php');
header('Location: profile.php');
// exit;

}elseif(strtolower($user_type) == 'admin' || strtolower($user_type) == 'leader'){

$_SESSION['user_type'] = strtolower($user_type);
//header('Location: admin-dashboard-home.php');
header('Location: profile.php');
//exit;
}

}else{
$_SESSION['main_notice'] = "Invalid username OR password details, please try again!";
header('Location: '.$_SERVER['PHP_SELF']);exit();
}
}


I didn't get any error code when i tried to login, but the form just return blank and didn't redirect to user profile.

I don't think this is redirection issue tho or is it?

i don't i arrange the
$stmt
properly, hopefully you guy see what i can't.

thanks in advance

Answer

From your comment,

i did include at the top and i receive this error Notice: Undefined variable: mysqli in /home/connection.php... ...

Look at your code here,

$con = new mysqli("localhost", "***", "***", "***"); 
if ($mysqli->connect_errno) { 
    ^^^^^^^^^^^^^^^^^^^^^^
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error; 
                                           ^^^^^^^^^^^^^^^^^^^^^^          ^^^^^^^^^^^^^^^^^^^^^^
}

Your connection handler is $con, not $mysqli, it should be like this:

$con = new mysqli("localhost", "***", "***", "***"); 
if ($con->connect_errno) { 
    echo "Failed to connect to MySQL: (" . $con->connect_errno . ") " . $con->connect_error; 
}

Update(1): Change your code in the following way,

$stmt = $con->prepare("SELECT * FROM user WHERE user_name = ? ");
$stmt->bind_param('s', $user_name);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows){
    // username exists
    $row = $result->fetch_array();

    // your code

}else{
    // username doesn't exist

    // your code

}