Previously in the soon-to-be-deprecated normal mysql functions, I had:
// On first connect to database, create a user to hold data for users not logged in
if (mysql_num_rows(mysql_query("SELECT id FROM users WHERE id=1")) === 0) {
mysql_query("INSERT INTO users(id,username,email,password) VALUES(1,'anonymous','anonymous','" . password_hash("noidentity", PASSWORD_BCRYPT) . "')");
}
This is what I have now, trying to accomplish the same thing:
// On first connect to database, create a user to hold data for users not logged in
$stmt = $db->prepare("SELECT id FROM users WHERE id = ?");
$stmt->execute(1);
$stmt->store_result();
if ($stmt->num_rows == 0) {
$stmt = $db->prepare("INSERT INTO users (id, username, email, password) VALUES (?, ?, ?, ?)");
$stmt->execute(1, 'anonymous', 'anonymous', password_hash("noidentity", PASSWORD_BCRYPT));
}
I keep getting the error "Warning: mysqli_stmt::execute() expects exactly 0 parameters, 1 given" where seemingly it expects 1, as I have 1 question mark, but I'm obviously doing something wrong.
Am I doing it right for the following ones?
$stmt = $db->prepare("UPDATE users SET wins = wins + 1 WHERE id = ?");
$stmt->execute($_SESSION["id"]);
Should I have ? for the wins = part? If so, how would I fill in that value later if it depends on the current one in there?
What about:
$stmt = $db->prepare("SELECT id, username, password FROM users WHERE email = ?");
$stmt->execute($email);
$row = $stmt->fetch();
if (password_verify($password, $row["password"])) {
Am I doing it right there?
I'm just trying to grasp these prepared statements for security purposes and finding it a little difficult.
Use this code; you have to use bind_param to set the data.
$stmt = $db->prepare("SELECT id FROM users WHERE id = ?");
$id = 1; // bind_param binds by reference, so the value must live in a variable, not a literal
$stmt->bind_param('i', $id);
$stmt->execute();
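The same bind_param pattern carried through all three statements from the question, as an added example (not the answerer's code). It assumes $db is an already-connected mysqli object and that $email and $password hold the values submitted by the login form.

```php
<?php
// Added example: the question's three statements rewritten for mysqli
// prepared statements. Assumes $db is a connected mysqli object.

// 1. Create the "anonymous" row (id 1) if it does not exist yet.
$stmt = $db->prepare("SELECT id FROM users WHERE id = ?");
$id = 1;                       // bind_param takes variables by reference
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->store_result();         // required before num_rows is meaningful
if ($stmt->num_rows === 0) {
    $stmt->close();
    $stmt = $db->prepare(
        "INSERT INTO users (id, username, email, password) VALUES (?, ?, ?, ?)"
    );
    $name = 'anonymous';
    $hash = password_hash('noidentity', PASSWORD_BCRYPT);
    // one type character per placeholder: i = integer, s = string
    $stmt->bind_param('isss', $id, $name, $name, $hash);
    $stmt->execute();
}
$stmt->close();

// 2. Increment a counter. "wins = wins + 1" is fixed SQL written by the
//    developer, not user data, so it needs no placeholder; only id is bound.
$stmt = $db->prepare("UPDATE users SET wins = wins + 1 WHERE id = ?");
$uid = (int) $_SESSION['id'];
$stmt->bind_param('i', $uid);
$stmt->execute();
$stmt->close();

// 3. Look up a user by e-mail and verify the password. With mysqli, fetch()
//    fills the variables given to bind_result instead of returning a row array.
$stmt = $db->prepare("SELECT id, username, password FROM users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($rowId, $username, $storedHash);
if ($stmt->fetch() && password_verify($password, $storedHash)) {
    // login succeeded: $rowId and $username identify the user
    $_SESSION['id'] = $rowId;
}
$stmt->close();
```

The type string must have exactly one character per placeholder, in order; a mismatch is reported by bind_param before the query ever reaches the server.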