I have one result when I do this in phpMyAdmin:
SELECT password, block FROM jml_users WHERE username = "user01"
However, in my PHP code the script does not find my user. Am I doing something wrong with $stmt->bind_param("s", $unsafe_user); ?
I also tried $stmt->bind_param("s", "user01"); with no luck.
    $unsafe_user = "user01";
    $mysqli = new mysqli($loginURL, $dbusername, $dbpassword, $database);
    // Kill connection
    $thread_id = $mysqli->thread_id; // determine our thread id

    function LoginCheck()
    {
        global $mysqli, $unsafe_user;
        // Prepare statement.
        //if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE (username) VALUES (?)")) // this returns false for some reason
        if($stmt = $mysqli->prepare("SELECT password, block FROM jml_users WHERE username = ?")) // works, still safe from SQL injection?
        {
            $stmt->bind_param("s", $unsafe_user);
            $stmt->bind_result($dbpw, $bdblock);
            if($stmt->num_rows == 0)
            {
                echo "could not find user";
            }
            else
            {
                // Found user
                echo "found user";
            }
        }
        else
        {
            echo "Statement creation did not succeed";
        }
    }
The first query you commented out is invalid MySQL syntax. That type of syntax is for inserts.
Also, num_rows won't work with prepared statements unless you use $stmt->store_result(); after $stmt->execute();
Check this answer in the documentation.
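
An added example, not part of the original question or answer, showing the call order the answer describes: execute(), then store_result(), and only then num_rows. The function name findUser and the connection values are assumptions; the table and columns are the ones from the question.

```php
<?php
// Added example: lookup with a mysqli prepared statement.
// Assumes the jml_users table from the question; connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on prepare/execute errors

function findUser(mysqli $mysqli, string $username): ?array
{
    // The ? placeholder is sent separately from the SQL text, so the
    // username is treated as data and never parsed as part of the query.
    $stmt = $mysqli->prepare(
        "SELECT password, block FROM jml_users WHERE username = ?"
    );

    // bind_param() takes its values by reference: pass a variable,
    // not a string literal such as "user01".
    $stmt->bind_param("s", $username);
    $stmt->execute();

    // Buffer the result set on the client. Until this is called,
    // $stmt->num_rows stays 0 even when the query matched a row.
    $stmt->store_result();

    if ($stmt->num_rows === 0) {
        $stmt->close();
        return null; // no such user
    }

    $stmt->bind_result($dbpw, $dbblock);
    $stmt->fetch(); // copies the first row into the bound variables
    $stmt->close();

    return ['password' => $dbpw, 'block' => (int) $dbblock];
}

// Placeholder connection values (assumptions); replace with your own.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$user = findUser($mysqli, 'user01');
echo $user === null ? "could not find user\n" : "found user\n";
```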