hbphoto Posted August 27, 2012

Hello: Would these statements be correct in inserting a hashed password using a bind variable?

    $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, [b][color=#ff0000]pass[/color][/b], date_created) VALUES (?, ?, ?, ?, ?, ?, ?, ?, [b][color=#ff0000]get_password_hash(?)[/color][/b], NOW() )";
    $stmt = mysqli_prepare($dbc, $q);
    mysqli_stmt_bind_param($stmt, 'sssssiis[color=#ff0000][b]s[/b][/color]', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', [b][color=#ff0000]'$p'[/color][/b]);
    mysqli_stmt_execute($stmt);

Thanks for the help.

rob Posted August 27, 2012

You need to remove the styling you've put in your code above, it's messed up. Did you run this code?

Larry Posted August 27, 2012

Also depends upon the format of the hashed password: string or binary.

hbphoto (Author) Posted August 28, 2012

Hello: My password field in the table is set as varbinary. I removed the formatting from the code. The error message I received stated that only variables could be bound.

    $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created) VALUES (?, ?, ?, ?, ?, ?, ?, ?, get_password_hash(?), NOW() )";
    $stmt = mysqli_prepare($dbc, $q);
    mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', '$p');
    mysqli_stmt_execute($stmt);

rob Posted August 28, 2012

You're placing values in the prepared statement, remove these and replace with parameter markers. Remove the single quotes around your variables where you're binding the parameter markers to your application variables. Ensure you have the same number of application variables for the number of parameter markers.

hbphoto (Author) Posted August 28, 2012

I will give it a try. As for the date, if I use NOW() in my VALUES of the insert statement, I don't include it as a bind variable. Would that be correct? Otherwise, how do I insert a date? And, for the password, if I place a ? in the VALUES, in the bind statement how do I hash the password to be inserted?

rob Posted August 28, 2012

Yeah, you can pass NOW() into the prepared statement as a non-bound parameter. For the password, I would make this bound and assign the result of get_password_hash to a variable, adding it via mysqli_stmt_bind_param.

hbphoto (Author) Posted August 28, 2012

Ok, I'll give this a try.

hbphoto (Author) Posted August 29, 2012

I made some modifications to my code and when I run the script I'm receiving the following error message:

    Fatal error: Only variables can be passed by reference in add_client.php on line 105.

Here is the code:

    line 102: $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
    line 103: VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
    line 104: $stmt = mysqli_prepare($dbc, $q);
    line 105: mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, '" . get_password_hash($p) . "');
    line 106: mysqli_stmt_execute($stmt);

Can someone help? Thank you!

Antonio Conte Posted August 29, 2012

Assign the result of get_password_hash($p) to a new variable before the query. Right now, you are just passing in a string.

    $hash = get_password_hash($p);
    ....
    mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, $hash);

hbphoto (Author) Posted August 29, 2012

I fixed the problem. Here's what I did. I created a variable $pwd which hashes the password first. Then I referenced this new variable in the bind_param statement.

    $pwd = get_password_hash($p);
    $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
    $stmt = mysqli_prepare($dbc, $q);
    mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, $pwd);
    mysqli_stmt_execute($stmt);

Thanks to everyone for the help!

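The pattern the thread arrives at, written out end to end together with the matching login check, as an added example that is not part of any post above. It assumes an open mysqli connection and the thread's `client` table with a `pass` column at least 255 bytes wide; `hash_for_storage()`, `add_client()` and `check_login()` are hypothetical names, and PHP's built-in `password_hash()` stands in for the poster's `get_password_hash()`, whose body the page does not show.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli connection
// and the thread's `client` table; function names here are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

// Stand-in for the thread's get_password_hash() (assumption: its body is not
// on the page). password_hash() salts per call and returns an ASCII string.
function hash_for_storage(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function add_client(mysqli $dbc, array $c, string $plainPassword): bool
{
    // mysqli_stmt_bind_param() takes its arguments by reference, so every
    // value, including the hash, has to sit in a variable before binding.
    $hash = hash_for_storage($plainPassword);
    [$fn, $ln, $sa, $city, $st, $z, $ph, $e] = [
        $c['first_name'], $c['last_name'], $c['address'], $c['city'],
        $c['state'], $c['zip'], $c['phone'], $c['email'],
    ];
    $q = "INSERT INTO client (first_name, last_name, address, city, state,
              zip, phone, email, pass, date_created)
          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())";
    $stmt = mysqli_prepare($dbc, $q);
    // Same type string as the thread: nine markers, nine bound variables.
    mysqli_stmt_bind_param($stmt, 'sssssiiss',
        $fn, $ln, $sa, $city, $st, $z, $ph, $e, $hash);
    mysqli_stmt_execute($stmt);
    $ok = mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $ok;
}

function check_login(mysqli $dbc, string $email, string $plainPassword): bool
{
    $stmt = mysqli_prepare($dbc, "SELECT pass FROM client WHERE email = ?");
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt); // true, false on error, null if no row
    mysqli_stmt_close($stmt);
    // password_verify() reads the salt and cost from $stored itself; a
    // fixed-width BINARY column would pad the value, VARBINARY does not.
    return $found === true && password_verify($plainPassword, $stored);
}
```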