What's wrong with my prepared statement? How do I set its two values? And lastly, how many parameters can mysqli_stmt_bind_param() handle?
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 's', $username);
mysqli_stmt_bind_param($sql, 's', $password);
mysqli_stmt_execute($sql);
$count = mysqli_num_rows($sql);
if($count == 1)
{
$_SESSION['login_user'] = $username;
header("Location: AdminHome.php");
exit;
}
else
{
$msg = "Username and Password didn't match";
}
mysqli_stmt_close($sql);
mysqli_close($connection);
You need to bind the parameters all at once (it can handle many parameters):
$sql = mysqli_prepare($connection, "SELECT username FROM admin WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($sql, 'ss', $username, $password);
Incidentally, you shouldn't store passwords in your database, but use hashes instead, and then check the password using password_verify: http://php.net/manual/en/function.password-verify.php
Also, you don't need to escape the strings first: Is mysql_real_escape_string() necessary when using prepared statements?
Finally, you need to rewrite a few lines:
mysqli_stmt_execute($sql);
$result = mysqli_stmt_get_result($sql);
$count = mysqli_num_rows($result);
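Putting the three points of the answer together (one bind_param call with one type character per placeholder, mysqli_stmt_get_result before mysqli_num_rows / fetch, and password_hash / password_verify instead of a plain-text password column), here is an added example. It is not code from the question or the answer above; it assumes a $connection from mysqli_connect(), a column named password_hash in the admin table (the column name is an assumption), and that mysqli_stmt_get_result() is available (it needs the mysqlnd driver).

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumptions: $connection is an open mysqli connection; table `admin`
// has columns `username` and `password_hash` (column name assumed).
session_start();

// Creates an admin row. Shows binding two parameters in ONE call:
// the type string 'ss' has one character per ? placeholder.
function create_admin(mysqli $connection, string $username, string $password): bool
{
    $stmt = mysqli_prepare(
        $connection,
        "INSERT INTO admin (username, password_hash) VALUES (?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    // Store a hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Checks a login. Only the username is a query parameter; the password is
// compared against the stored hash with password_verify(), never in SQL.
function admin_login(mysqli $connection, string $username, string $password): bool
{
    $stmt = mysqli_prepare(
        $connection,
        "SELECT username, password_hash FROM admin WHERE username = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }
    // No mysqli_real_escape_string() needed: the value is sent separately
    // from the SQL text, so it can never change the query's structure.
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);

    // mysqli_num_rows()/mysqli_fetch_assoc() want a result set,
    // not the statement handle.
    $result = mysqli_stmt_get_result($stmt);
    $row = ($result !== false) ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    // Run password_verify() even when the user does not exist, so an unknown
    // username and a wrong password take roughly the same time. The dummy
    // hash is a constructed placeholder computed once per request.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = $row['password_hash'] ?? $dummyHash;
    $verified = password_verify($password, $hash);

    return $row !== null && $verified;
}

// Usage with the form fields from the question:
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (admin_login($connection, $username, $password)) {
    session_regenerate_id(true);            // new session id after login
    $_SESSION['login_user'] = $username;
    header("Location: AdminHome.php");
    exit;
}
$msg = "Username and Password didn't match";
mysqli_close($connection);
```

The type string passed to mysqli_stmt_bind_param() must be exactly as long as the number of placeholders, so a query with two ? markers gets one call with 'ss' and two variables, not two separate calls; calling it twice with a single 's' leaves the second placeholder unbound and mysqli_stmt_execute() fails.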