Mysqli prepared statements


Hello, I have a problem. I would like to know about prepared statements; I have this code:

// $conn (an open mysqli connection) and $email (the submitted address) are assumed to be set earlier.
$query_email = "SELECT email FROM usuarios_ WHERE email = ?";

$stmt = mysqli_stmt_init($conn);
if (mysqli_stmt_prepare($stmt, $query_email)) {
   // The user-supplied value is bound as a string parameter, never interpolated into the SQL text.
   mysqli_stmt_bind_param($stmt, 's', $email);
   mysqli_stmt_execute($stmt);
   mysqli_stmt_bind_result($stmt, $resultado);
   mysqli_stmt_fetch($stmt);   // return value is not checked here

   echo $resultado;

   mysqli_stmt_close($stmt);
}

So far so good. My question is: how do I know whether it has worked or not? Because this is a login system, I have to give the user feedback on whether the email exists or not.

asked by anonymous 18.02.2016 / 01:47

1 answer


If it is a login system, you have a problem: I do not know if this is all your code, but if it is, you should also check the password, never just the email. If your goal is just to inform the user whether the email exists or not (during the login process), I say that this is a bad idea. You are giving an attacker half the information he needs to break into your system.

mysqli_stmt_fetch returns true / false depending on whether a record is found; you can use this to check whether or not the email exists in your database. I think that is what you want.

To retrieve the value stored in your database and put it in variables, use mysqli_stmt_bind_result. There are some examples in the function documentation on how to use it.

18.02.2016 / 12:16
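The check the answer describes, carried through to a complete login routine, as an added example that is not code from the original question or answer. It assumes the same $conn connection and usuarios_ table, plus a column senha_hash holding a password_hash() result (the column name and the registerUser helper are assumptions for illustration). Two details the answer's "true / false" shorthand glosses over: mysqli_stmt_fetch() returns null, not false, when no row matched, and false only on a fetch error, so the two cases are told apart below; and because the answer warns against revealing whether the email exists, the caller returns one generic message for both failure causes, and password_verify() runs even for unknown emails so response time does not leak the difference either.

```php
<?php
// Added example, not from the original post. Assumes $conn is an open mysqli
// connection and usuarios_ has columns email and senha_hash (assumed name).

// Store a new account: never the plaintext password, only its hash.
function registerUser(mysqli $conn, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, 'INSERT INTO usuarios_ (email, senha_hash) VALUES (?, ?)')) {
        error_log('prepare failed: ' . mysqli_error($conn));
        return false;
    }
    $ok = mysqli_stmt_bind_param($stmt, 'ss', $email, $hash) && mysqli_stmt_execute($stmt);
    if (!$ok) {
        error_log('insert failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

// A hash to verify against when the email is unknown, so the request costs
// roughly the same time whether or not the account exists.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Returns true only when the email exists AND the password matches its hash.
// Every other outcome (no such email, wrong password, database error) is false.
function loginUser(mysqli $conn, string $email, string $password): bool
{
    $stmt = mysqli_stmt_init($conn);
    if (!mysqli_stmt_prepare($stmt, 'SELECT senha_hash FROM usuarios_ WHERE email = ? LIMIT 1')) {
        // Syntax or schema problem: log the detail server-side, fail closed.
        error_log('prepare failed: ' . mysqli_error($conn));
        return false;
    }

    if (!mysqli_stmt_bind_param($stmt, 's', $email) || !mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return false;
    }

    $storedHash = null;
    mysqli_stmt_bind_result($stmt, $storedHash);

    // mysqli_stmt_fetch(): true = a row was fetched, null = no matching row,
    // false = error. "No row" and "error" are different cases.
    $fetched = mysqli_stmt_fetch($stmt);
    if ($fetched === false) {
        error_log('fetch failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return false;
    }
    mysqli_stmt_close($stmt);

    $emailExists = ($fetched === true);

    // Always run password_verify(), against the real hash or the dummy one.
    $passwordOk = password_verify($password, $emailExists ? $storedHash : dummyHash());

    return $emailExists && $passwordOk;
}

// Caller: one message for both failure causes, never
// "email not found" versus "wrong password".
if (loginUser($conn, $_POST['email'] ?? '', $_POST['senha'] ?? '')) {
    echo 'Login OK';
} else {
    echo 'Invalid email or password';
}
```

If you only need existence (for example to reject a duplicate at registration time, where telling the user is unavoidable), the same fetch result works: $fetched === true means the row is there, null means it is not, and false means the query itself failed and the answer should be treated as an error rather than as "not found".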