I’ve been trying to code a login form in PHP using a prepared statement but every time I try to log in I get the following error:
mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement
Here is my code:
<?php
session_start();
$mysqli = new mysqli("localhost", "root" , "" , "security");
if(mysqli_connect_errno()){
echo "Wrong" ;
}
if($stmt = $mysqli->prepare("SELECT username AND password FROM users WHERE username =? AND password =?")){
$username = $_POST['name'];
$password = $_POST['password'];
$stmt->bind_param('ss' ,$username ,$password);
$stmt->execute();
$stmt->bind_result($password ,$username);
if($stmt->fetch() == 'true')
{
echo "welcome";
} else{
echo "wrong password";
}
}
?>
Can someone tell me why this is happening?
If that really is your code, it may be that either $_POST["name"] or $_POST["password"] is an array, so that bind_param binds more than just one value.
Check:
var_dump($_POST["name"]);
var_dump($_POST["password"]);
$mysqli->prepare("SELECT username, password FROM users WHERE username = ? AND password = ?");
$username = $_POST['name'];
$password = $_POST['password'];
$stmt->bind_param('ss' ,$username ,$password);
$stmt->execute();
$stmt->bind_result($username ,$password);
Your select syntax was wrong, the correct syntax is SELECT field1, field2, field3 FROM TABLE WHERE field1 = ? AND field2 = ?
To select more fields simply seperate them by a comma and not an AND
Also, I realize that you're saving your passwords in plaintext which is bad practice, consider hashing them using the numerous hashing functions out there like sha1()