Can the variables in bind_result() be the same as in bind_param()?

I'm starting to look at SQL prepared statements. I have the following code for a simple login:

$stmt = $mysqli->prepare("SELECT id_admin,usuario,hash_pass FROM admins WHERE usuario = ?");
$stmt->bind_param("s", $usuario);
$stmt->execute();
$stmt->bind_result($id, $usuario, $hash_pass);
while ($stmt->fetch())  /* get the values */
{
    if(password_verify($password, $hash_pass)){
        $_SESSION['usuario'] = $usuario;
        $_SESSION['id'] = $id;
        header('location: admin-area.php');
        die();
    }
    else{
        $resultado =  "Datos incorrectos.";
    }
}

$stmt->free_result(); /* Free the result memory */
$stmt->close(); /* Close the statement */
$mysqli->close(); /* Close the connection. */

The variable passed to bind_param() is $usuario, which has the same name as the variable passed to bind_result(). I tried it and there is no problem. Can they be the same, or could this cause some error in more complex statements? Should the variables have different names?

asked by fed R 18.01.2017 at 17:26

1 answer

I think there is nothing wrong, although you have to be careful: a possible problem (not in your case) is that you overwrite some variable that already holds a value which you use later.

Conclusion:

You are simply overwriting the value of your variable, in your case ($usuario).

Let's analyze it logically:

The variable ($usuario) is the user name you get from the form; its value could be Foo. Then with this variable you check whether Foo exists in your database and, if Foo exists, you assign Foo to it again. I mean, you really just overwrote Foo with Foo again.

You could optimize your SQL request in the following way, and one important thing is to check whether the user exists or not:

$stmt = $mysqli->prepare("SELECT id_admin,hash_pass FROM admins WHERE usuario = ?");
$stmt->bind_param("s", $usuario);
$stmt->execute();
// Transfer the result set from the prepared statement
$stmt->store_result();
// Check whether the user exists.
if ($stmt->num_rows===1) { // True.
   $stmt->bind_result($id,$hash_pass);
   while ($stmt->fetch()) {
       if(password_verify($password, $hash_pass)){
           $_SESSION['usuario'] = $usuario; // Form user name, not overwritten.
           $_SESSION['id'] = $id;
           header('location: admin-area.php');
           die();
       } else { // Wrong password.
           $resultado =  "Datos incorrectos.";
       }
   }
} else { // False, user does not exist.
  $resultado =  "Datos incorrectos.";
}
$stmt->close();

Note: It's just a personal opinion, I'm not saying it's better or right. I personally like to work with ordered code, so I don't like to mix, for example, variables that I obtain from a form with variables that I extract from the database. Personally, to tell them apart I add 'BD' at the end, for example: bind_result($usuarioBD);

answered by 18.01.2017 / 22:19
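Added example, not part of the question or answer: a constructed stand-in for mysqli_stmt (the FakeStmt class and the login() helper are assumptions made for this demo) that shows why the overwrite is worth noticing. bind_result() keeps references to the variables you pass, so the first fetch() replaces the form value in $usuario with whatever the database row holds; when the WHERE comparison is case-insensitive, the session would end up with the database spelling rather than what the user typed.

```php
<?php
// Constructed stand-in for mysqli_stmt (an assumption, not the real class).
// It keeps the two behaviours that matter here: bind_result() stores
// references to the variables it is given, and fetch() writes each row
// through those references. Requires PHP 8.0+ (constructor promotion).
final class FakeStmt
{
    private array $refs = [];   // references to the caller's variables
    private int $pos = 0;
    /** @param array<int, array<int, mixed>> $rows constructed result set */
    public function __construct(private array $rows) {}
    public function bind_result(&...$vars): void
    {
        $this->refs = [];
        foreach ($vars as $i => &$v) {
            $this->refs[$i] = &$v;    // keep a reference, not a copy
        }
    }

    public function fetch(): bool
    {
        if (!isset($this->rows[$this->pos])) {
            return false;
        }
        foreach ($this->rows[$this->pos++] as $i => $value) {
            $this->refs[$i] = $value; // overwrites the bound variable
        }
        return true;
    }
}

// Same shape as the question's loop: $usuario is the form value and is
// also the second bound result column, exactly as in the original code.
function login(FakeStmt $stmt, string $usuarioForm, string $password): array
{
    $usuario = $usuarioForm;
    $stmt->bind_result($id, $usuario, $hash_pass);
    while ($stmt->fetch()) {
        if (password_verify($password, $hash_pass)) {
            // $usuario now holds the database spelling, $usuarioForm the input
            return ['id' => $id, 'usuario' => $usuario, 'form' => $usuarioForm];
        }
    }
    return [];
}

// Constructed row: DB stores "foo"; a case-insensitive collation would match "FOO".
$stmt = new FakeStmt([[7, 'foo', password_hash('secret', PASSWORD_DEFAULT)]]);
print_r(login($stmt, 'FOO', 'secret'));
```

Running it prints 'usuario' => 'foo' next to 'form' => 'FOO', which is the difference the answer's separate $usuarioBD naming makes visible.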