I'm trying to switch my signup page to use mysqli_stmt_prepare procedural style.
It works perfectly without preparing so I'm pretty sure the database and everything else is hooked up correctly.
I've followed the PHP manual on how to do this but I keep on getting a blank white page back from PHP.
Here's my code, if anybody can spot what I'm doing wrong I'd be extremely grateful.
Also, I'm not sure if I should put mysqli_real_escape in the front or not.

    $postuser = mysqli_real_escape_string($con, $_POST['username']);
    $postpass = sha1($_POST['userpass']);
    $postemail = mysqli_real_escape_string($con, $_POST['useremail']);
    $stmt = mysqli_stmt_init($con);
    if (mysqli_stmt_prepare($stmt,'INSERT INTO users (username, userpass, useremail, userdate)
        VALUES( '" . ? . "',
        '" . ? . "',
        '" . ? . "',
        NOW())'))
    {
        mysqli_stmt_bind_param($stmt, "sss", $postuser, $postpass, $postemail);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_fetch($stmt);
    }
    if(!$stmt)
    {
        //something went wrong, display the error
        echo '<ul class="ulstylecenter">
        <li>Something went wrong while signing in. Please try again later.</li>
        <li>If you are not redirected in 5 seconds please <a href="/home.php">click here</a>.</li>
        </ul>';
        header('Refresh: 5;url=/home.php');
    }

When you're using prepared statements, you must not escape the values, and you must not put the ? placeholder in quotes in the SQL.
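
    // Raw values: bound parameters are sent separately from the SQL text
    $postuser = $_POST['username'];
    $postpass = sha1($_POST['userpass']);
    $postemail = $_POST['useremail'];
    $stmt = mysqli_stmt_init($con);
    if (mysqli_stmt_prepare($stmt, 'INSERT INTO users (username, userpass, useremail, userdate)
        VALUES(?, ?, ?, NOW())'))
    {
        mysqli_stmt_bind_param($stmt, "sss", $postuser, $postpass, $postemail);
        mysqli_stmt_execute($stmt);
    }
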
This is the same whether you use the procedural or OO style -- the only difference between the two is the syntax for calling the functions.
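
Added example, not part of the answer above or the asker's code: a complete procedural-style signup insert with bare placeholders and unescaped input, with mysqli error reporting turned on so a failed prepare or execute raises `mysqli_sql_exception` rather than failing silently. The connection values, the `signup_user` helper name and the sample input are assumptions, and it stores `password_hash()` output where the page uses `sha1()`, which assumes the `userpass` column is wide enough (for example VARCHAR(255)).

```php
<?php
// Added example. Connection values and signup_user() are hypothetical;
// the users table layout follows the question.

// Make mysqli throw mysqli_sql_exception on errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function signup_user(mysqli $con, string $user, string $pass, string $email): int
{
    // Bare ? placeholders: no quotes, no concatenation, no escaping of the inputs.
    $sql = 'INSERT INTO users (username, userpass, useremail, userdate)
            VALUES (?, ?, ?, NOW())';

    $stmt = mysqli_stmt_init($con);
    mysqli_stmt_prepare($stmt, $sql);

    // Substitution for the page's sha1(): assumes userpass is VARCHAR(255).
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // Values travel separately from the SQL text, so quotes in them are data.
    mysqli_stmt_bind_param($stmt, 'sss', $user, $hash, $email);
    mysqli_stmt_execute($stmt);

    $rows = mysqli_stmt_affected_rows($stmt); // rows inserted by this statement
    mysqli_stmt_close($stmt);
    return (int) $rows;
}

try {
    $con = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    mysqli_set_charset($con, 'utf8mb4');

    // Constructed input with a quote in it; stored exactly as typed.
    $rows = signup_user($con, "o'brien", 'correct horse battery', 'obrien@example.com');
    echo $rows === 1 ? "Account created.\n" : "No row inserted.\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; send the redirect header before any output.
    error_log('signup failed: ' . $e->getMessage());
    header('Refresh: 5;url=/home.php');
    echo 'Something went wrong while signing up. Please try again later.';
}
```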