Larry Ullman's Book Forums

Chapter 13 Prepared Statements



Hello:

 

Would these statements be correct in inserting a hashed password using a bind variable?

 

$q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, get_password_hash(?), NOW() )";

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', '$p');

mysqli_stmt_execute($stmt);

 

Thanks for the help.


Hello:

 

My password field in the table is set as varbinary.

 

I removed the formatting from the code. The error message I received stated that only variables could be bound.

 

$q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
	 VALUES (?, ?, ?, ?, ?, ?, ?, ?, get_password_hash(?), NOW() )";

$stmt = mysqli_prepare($dbc, $q);

mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, '$sa', '$c', '$st', '$z', '$ph', '$e', '$p');

mysqli_stmt_execute($stmt);


You're placing values in the prepared statement, remove these and replace with parameter markers.

 

Remove the single quotes around your variables where you're binding the parameter markers to your application variables.

 

Ensure you have the same number of application variables for the number of parameter markers.


I will give it a try.

 

As for the date, if I use NOW() in my VALUES of the insert statement, I don't include it as a bind variable. Would that be correct? Otherwise, how do I insert a date?

 

And, for the password, if I place a ? in the VALUES, in the bind statement how do I hash the password to be inserted?


Yeah, you can pass NOW() into the prepared statement as a non-bound parameter.

 

For the password, I would make this bound and assign the result of get_password_hash to a variable, adding it via mysqli_stmt_bind_param.


I made some modifications to my code and when I run the script I'm receiving the following error message:

 

Fatal error: Only variables can be passed by reference in add_client.php on line 105.

 

Here is the code:

line 102:   $q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
line 103: 		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
line 104:   $stmt = mysqli_prepare($dbc, $q);
line 105:   mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, '"  .  get_password_hash($p) .  "');
line 106:   mysqli_stmt_execute($stmt);

 

Can someone help?

Thank you!


I fixed the problem. Here's what I did.

 

I created a variable $pwd which hashes the password first. Then I referenced this new variable in the bind_param statement.

 

// Hash into a plain variable first; bind_param() takes its arguments by reference.
$pwd = get_password_hash($p);

$q = "INSERT INTO client (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW() )";
$stmt = mysqli_prepare($dbc, $q);
// Nine placeholders, nine type characters, nine variables.
mysqli_stmt_bind_param($stmt, 'sssssiiss', $fn, $ln, $sa, $c, $st, $z, $ph, $e, $pwd);
mysqli_stmt_execute($stmt);

 

Thanks to everyone for the help!

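The pattern the thread arrives at (hash into a variable, bind that variable, leave NOW() unbound), written out as an added example with error handling; this is not the poster's code nor the book's. It assumes a mysqli connection $dbc and the `client` table named in the thread, and uses PHP's built-in password_hash() in place of the book's get_password_hash().

```php
<?php
// Added example (not from the thread or the book). Assumes $dbc is an open mysqli
// connection and the `client` table has the columns used in the thread; `pass` is
// VARBINARY and must be at least 60 bytes wide for a bcrypt hash.

function add_client(mysqli $dbc, array $in): int
{
    // Hash first, into a plain variable. mysqli_stmt_bind_param() takes its
    // arguments by reference, so a function call or a quoted string literal
    // cannot be passed to it; that is the "Only variables can be passed by
    // reference" fatal error from the thread.
    $pwd = password_hash($in['password'], PASSWORD_DEFAULT);

    // NOW() is evaluated by MySQL itself, so it is not a placeholder and gets no '?'.
    $q = "INSERT INTO client
            (first_name, last_name, address, city, state, zip, phone, email, pass, date_created)
          VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())";

    $stmt = mysqli_prepare($dbc, $q);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($dbc));
    }

    // One type character per placeholder: nine '?' above, so nine characters.
    // zip and phone are bound as strings here so leading zeros and formatting
    // survive (the thread binds them as 'i'; either works as long as the counts match).
    // Variables are bound unquoted; quoting them would bind the literal text '$fn'.
    $types = 'sssssssss';
    $ok = mysqli_stmt_bind_param($stmt, $types,
        $in['first_name'], $in['last_name'], $in['address'], $in['city'],
        $in['state'], $in['zip'], $in['phone'], $in['email'], $pwd);

    if (!$ok || !mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('insert failed: ' . $err);
    }

    $id = (int) mysqli_insert_id($dbc);
    mysqli_stmt_close($stmt);
    return $id;
}

// At login, never compare hashes yourself; fetch the stored `pass` for the
// submitted email and check it with password_verify($submitted, $row['pass']).
```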
