Larry Ullman's Book Forums


Hello:

 

Would these statements be correct in inserting a hashed password using a bind variable?

 

$q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, [b][color=#ff0000]pass[/color][/b], date_created)
	 VALUES (?, ?, ?, ?, ?, ?, ?, ?, [b][color=#ff0000]get_password_hash(?)[/color][/b], NOW() )";

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'sssssiis[color=#ff0000][b]s[/b][/color]', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', [b][color=#ff0000]'$p'[/color][/b]);

mysqli_stmt_execute($stmt);

 

Thanks for the help.


You need to remove the styling you've put in your code above, it's messed up.

 

Did you run this code?


Hello:

 

My password field in the table is set as varbinary.

 

I removed the formatting from the code. The error message I received stated that only variables could be bound.

 

$q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
	 VALUES (?, ?, ?, ?, ?, ?, ?, ?, get_password_hash(?), NOW() )";

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', '$p');

mysqli_stmt_execute($stmt);


You're placing values in the prepared statement, remove these and replace with parameter markers.

 

Remove the single quotes around your variables where you're binding the parameter markers to your application variables.

 

Ensure you have the same number of application variables for the number of parameter markers.


I will give it a try.

 

As for the date, if I use NOW() in my VALUES of the insert statement, I don't include it as a bind variable. Would that be correct? Otherwise, how do I insert a date?

 

And, for the password, if I place a ? in the VALUES, in the bind statement how do I hash the password to be inserted?


Yeah, you can pass NOW() into the prepared statement as a non-bound parameter.

 

For the password, I would make this bound and assign the result of get_password_hash to a variable, adding it via mysqli_stmt_bind_param.


I made some modifications to my code and when I run the script I'm receiving the following error message:

 

Fatal error: Only variables can be passed by reference in add_client.php on line 105.

 

Here is the code:

line 102:   $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
line 103: 		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
line 104:   $stmt = mysqli_prepare($dbc, $q);
line 105:   mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, '"  .  get_password_hash($p) .  "');
line 106:   mysqli_stmt_execute($stmt);

 

Can someone help?

Thank you!


Assign the result of get_password_hash($p) to a new variable before the query. Right now, you are just passing in a string.

 

$hash = get_password_hash($p);

....
mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, $hash);


I fixed the problem. Here's what I did.

 

I created a variable $pwd which hashes the password first. Then I referenced this new variable in the bind_param statement.

 

$pwd = get_password_hash($p);

 $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
	 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
 $stmt = mysqli_prepare($dbc, $q);
 mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, $pwd);
 mysqli_stmt_execute($stmt);

 

Thanks to everyone for the help!

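The fix the thread arrives at, written out as a complete function together with the matching login check, which goes one step past the thread (an added example, not code from the thread or the book). It assumes an open mysqli connection and the thread's `client` table, uses PHP's built-in `password_hash()` in place of `get_password_hash()`, whose body is not shown in the thread, and the names `add_client()` and `check_login()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli connection
// and the thread's `client` table; add_client()/check_login() are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function add_client(mysqli $dbc, array $c, string $password): bool
{
    // Hash first and keep the result in a variable: mysqli_stmt_bind_param()
    // takes its arguments by reference, so an expression or a quoted literal
    // triggers "Only variables can be passed by reference".
    // password_hash() stands in for the thread's get_password_hash(); the
    // pass column must hold at least 60 bytes (255 leaves room to grow).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $q = "INSERT INTO client (first_name, last_name, address, city, state, zip,
                              phone, email, pass, date_created)
          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())";
    $stmt = mysqli_prepare($dbc, $q);

    // Nine markers, nine type letters, nine variables, no quotes around them.
    // NOW() is evaluated by MySQL, so it is not a marker and is not bound.
    // Type string as in the thread; note that 'i' sends zip as an integer,
    // so a leading zero is lost.
    mysqli_stmt_bind_param($stmt, 'sssssiiss',
        $c['first_name'], $c['last_name'], $c['address'], $c['city'],
        $c['state'], $c['zip'], $c['phone'], $c['email'], $hash);

    mysqli_stmt_execute($stmt);
    $ok = (mysqli_stmt_affected_rows($stmt) === 1);
    mysqli_stmt_close($stmt);
    return $ok;
}

function check_login(mysqli $dbc, string $email, string $password): bool
{
    // The plaintext never goes into SQL: fetch the stored hash by e-mail,
    // then compare in PHP.
    $stmt = mysqli_prepare($dbc, "SELECT pass FROM client WHERE email = ?");
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt); // true, or null when no row matches
    mysqli_stmt_close($stmt);

    // password_verify() reads the algorithm, cost and salt from the stored hash.
    return $found === true && password_verify($password, $stored);
}
```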
