I'm writing a function to authenticate a user. I create a connection with a database, then prepare a query, bind the parameter, execute the query, bind the result to a variable, and check if the query returned a result.
If it did I compare the result (bound to the variable), close the statement, close the connection, and then return the appropriate value. Well, that's what I think I am doing, but I keep getting a syntax error and I can't figure out what I am doing wrong:
Syntax error: expected: exit, if, identifier, variable, echo, do, while, for, foreach, declare, switch, break, continue, function, return, try, throw, use, global, unset, isset, empty, class, interface, array, {, }, include, include_once, eval, require, require_once, print, ';', +, -, !, ~, ++, --, @, [, new, static, abstract, final, (, $
My code:
    /**
     * Authenticates a user.
     * @param type $email - String value
     * @param type $hashedPassword - String value
     * @return true if user is authenticated or false otherwise - Boolean value
     */
    function isValidUser($email, $hashedPassword)
    {
        //This variable will hold the value returned from the query to the database.
        var $rPassword = NULL;
        //Establish a connection
        $mysqli = new mysqli($GLOBALS['dbServer'], $GLOBALS['dbUserName'], $GLOBALS['dbPassword'], $GLOBALS['dbName']);
        //Check if connection failed
        if($mysqli->connect_error)
        {
            die('Connect Error (' . $mysqli->connect_errno . ') '
                . $mysqli->connect_error);
        }
        $stmt = $mysqli->prepare("SELECT password FROM user_info WHERE email=?");
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->bind_result($rPassword);
        if($stmt->fetch())
        {
            if(($rPassword != null) && ($rPassword == $hashedPassword))
            {
                $stmt->close();
                $mysqli->close();
                return true;
            }
        }
        $stmt->close();
        $mysqli->close();
        return false;
    }
I was doing this without using prepared statements and the code worked fine, but then I did some research and found out that prepared statements are the way to go because they help prevent SQL injections.
    var $rPassword = NULL;
should be:
    $rPassword = NULL;
var is for initializing properties in classes. See documentation. If you are using a class you need to initialize it outside of the method (function) and then access the property through $this->rPassword.
You have two mistakes.
One: do not reboot rPassword as NULL, just make it like this: $rPassword = 0; or make the two, NULL and null, the same: NULL, both with caps! Second: rPassword is not getting the result; you need to do it like this, you need to pass the right variables. Look here:
http://php.net/manual/en/mysqli-stmt.bind-result.php
    $stmt->bind_result($rPassword);
    if($stmt->fetch())
    {
        if(($rPassword == null) || ($rPassword != $hashedPassword))
        {
            $stmt->close();
            $mysqli->close();
            return false;
        }
    }
The var keyword is deprecated from PHP 5.0 on...
It was for declaring class member variables in PHP4, and is no longer needed. It will work in PHP5, but will raise an E_STRICT warning in PHP from version 5.0.0 up to version 5.1.2, as of which it has been deprecated.
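The prepare, bind, execute, fetch and compare sequence from the question, written out as an added example (not code from the question or any of the answers). It assumes the page's user_info table, takes an already open mysqli connection as a parameter instead of reading $GLOBALS, and assumes the stored value and $hashedPassword are hashes produced the same way.

```php
<?php
// Added example; the connection-as-parameter signature is an assumption.
function isValidUser(mysqli $mysqli, string $email, string $hashedPassword): bool
{
    // Plain local variable: the "var" keyword is not valid inside a function.
    $rPassword = null;

    // prepare() returns false on failure (for example a misspelled column)
    // unless mysqli is in exception mode, the default since PHP 8.1.
    $stmt = $mysqli->prepare("SELECT password FROM user_info WHERE email=?");
    if ($stmt === false) {
        error_log('prepare failed: ' . $mysqli->error);
        return false;
    }

    try {
        // 's' binds $email as a string value; it is never spliced into the SQL text.
        $stmt->bind_param('s', $email);
        if (!$stmt->execute()) {
            error_log('execute failed: ' . $stmt->error);
            return false;
        }
        $stmt->bind_result($rPassword);

        // fetch() returns true for a row, null when no row matched, false on error.
        if ($stmt->fetch() !== true || !is_string($rPassword)) {
            return false;
        }

        // hash_equals() compares in constant time and without the loose
        // type juggling that == applies to numeric-looking strings.
        return hash_equals($rPassword, $hashedPassword);
    } finally {
        // Runs on every return path above, so the statement is always closed.
        $stmt->close();
    }
}
```

The caller owns the connection here and closes it once, after all queries for the request are done.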