[Tenderfoot]

I'm having a slight problem with something in the PHP book I'm reading. It showed me an example of how you would verify a username/password combination using MySQL. It didn't explain much about how you would use something like md5 to encrypt anything, but the example assumed you would take encrypted passwords out of the database, and compare them with an encrypted password that has been submitted by the user. But before I get into that, I want to understand better how I would do this with clear text.

Code follows:

function authenticate_user() 
	{
		header('WWW-Authenticate: Basic realm="Secret Stash"');
		header("HTTP/1.0 401 Unauthorized");
		exit; 
	}
	/* If $_SERVER['PHP_AUTH_USER'] is blank, the user has not yet been
	 prompted for the authentication information.
	*/
	if (! isset($_SERVER['PHP_AUTH_USER']))
	{
		authenticate_user();
	} 
	else 
	{
		$db = new mysqli("localhost", "myUsername (my username, removed for D.I.C.)", "mySQLPassword", "myDatabaseName");
		$stmt = $db->prepare("SELECT userName, pswrd FROM CH14Logins WHERE userName= " . $_SERVER['PHP_AUTH_USER'] . " AND pswrd= " . $_SERVER['PHP_AUTH_PW']);
		//Assuming that s stands for string here, so these ought to be 2 strings in a row.

//What I assume I was doing in the $stmt = $db->prepare line was to select a username from CH14Logins table where the username equals the username entered by the user, and same with the password. 
		$stmt->bind_param('ss', $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); 
		$stmt->execute();
		$stmt->store_result();
		
		if ($stmt->num_rows == 0)
		{
			authenticate_user();
		}
	}

I have a one username and one password (clear text) in my database, and when I enter them on the site, I get this error:

Fatal error: Call to a member function bind_param() on a non-object in C:\apache\htdocs\Chapter 14\verification.php on line 65

So it appears this is the line that isn't working:

$stmt->bind_param('ss', $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);

It's taken directly from the book, honestly I'm not quite sure what it does. At first I thought bind_param would bind the output from the MySQL select command to variables, but I don't get why I would want to bind them to the $_SERVER variables.

Edit: Scratch the last part. Seeing as this is the description for bind_params: "Binds variables to a prepared statement as parameters" I suppose that means that it binds the variables to the prepared statement so that the prepared statement can use them in its search. But I still don't understand the error.

This post has been edited by Tenderfoot: 30 September 2012 - 07:34 AM

[CTphpnwb]

Look at the example here:
http://www.php.net/m....bind-param.php
See where it has question marks in the query? Why doesn't yours?

[Tenderfoot]

CTphpnwb, on 30 September 2012 - 07:43 AM, said:

Look at the example here:
http://www.php.net/m....bind-param.php
See where it has question marks in the query? Why doesn't yours?

Because apparently I'm not a smart man.

The code I got from the book looked like this:

WHERE username=? AND pswd=MD5(?)");

Now, because it looked like that I assumed it was there for me to replace with a string (or variable). But thanks, I've fixed the code accordingly. +1