Bind_Param Function in PHP returning error from Uwamp


I'm trying to make a login system with PHPMyAdmin and I seem to be having trouble with the bind function. It should print the records stored in the database of the account I log in with, but instead I get this error from UwAmp:

Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\UwAmp\www\Test\M2\Authentication.php on line 22

For reference, here's my code:

<?php
//Parameters needed to login to the database
$serverName= "localhost";
$DBUsername= "root";
$DBPassword= "root";
$DatabaseName="database 1";

//Connect to the database using the parameters
$conn = new mysqli($serverName, $DBUsername, $DBPassword, $DatabaseName);

//If there is a connection error, kill the connection and show said error.
if ($conn -> connect_error)
{
    die("Connection fail: " . $conn -> connect_error);
}

//Query the table
$paramUsername = $_POST['InputUsername'];
$paramPassword = $_POST['InputPassword'];

$Statement= $conn-> prepare("SELECT UserID, Name, Username, Password, PrivilegeLevel FROM users WHERE Username AND Password= ?");
$Statement -> bind_param('ss', $paramUsername, $paramPassword);
$Statement -> execute();
$Statement -> store_result();
$Statement -> bind_result($UserId, $UtBLName, $UtBLUsername, $UtBLPassword, $PrivLevel);
$Statement -> fetch();
$Statement -> close();


?>

<!DOCTYPE html>
<html lang="en">
<head>
    <title>Document</title>
</head>
<body>
    <div>
        Your user ID is: <?php echo $UserId; ?> <br>
        Your name is: <?php echo $UtBLName; ?> <br>
        Your username is: <?php echo $UtBLUsername; ?> <br>
        Your password is: <?php echo $UtBLPassword; ?> <br>
        Your privilege level is: <?php echo $PrivLevel; ?> <br>

    </div>
</body>
</html>

Now I have looked around on this site and found a thread that says I should change the number of S-es in the bind_param, so I changed it from one to two and it's still giving the same error. Any suggestions?


There are 1 best solutions below


Your SQL

Username AND Password= ?

is bad syntax. As you're providing two values, it should be:

Username = ? AND Password = ?

The bind_param call is placing X number of variables in X number of ? in the SQL, so the number of variables must always match the number of ? in the query.

Therefore:

$Statement= $conn-> prepare("SELECT UserID, Name, Username, Password, PrivilegeLevel FROM users WHERE Username = ? AND Password= ?");
// Two ? in the SQL mean two variables are required.
$Statement -> bind_param('ss', $paramUsername, $paramPassword);

Security

Passwords should NEVER be stored as plaintext in any medium. You can easily work around this using PHP's Password Hash mechanism, which is Highly Encouraged.

$paramPassword = password_hash($_POST['InputPassword'],PASSWORD_DEFAULT);
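
How the hashing advice fits into the login query, as an added example that is not part of the original answer: password_hash() salts every hash randomly, so a stored hash cannot be matched with `Password = ?`; the row is selected by username alone and the password is checked with password_verify(). It assumes the question's users table with an auto-increment UserID and a Password column wide enough for the hash; registerUser() and authenticate() are hypothetical names.

```php
<?php
// Added example. Assumes the question's `users` table, an auto-increment
// UserID, and a Password column wide enough for a hash (e.g. VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Hypothetical helper: hash once at registration and store only the hash.
function registerUser(mysqli $conn, string $name, string $username,
                      string $password, string $privLevel): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        "INSERT INTO users (Name, Username, Password, PrivilegeLevel) VALUES (?, ?, ?, ?)"
    );
    // Four ? in the SQL: four type letters and four variables.
    $stmt->bind_param('ssss', $name, $username, $hash, $privLevel);
    $stmt->execute();
    $stmt->close();
}

// Hypothetical helper: returns the account row, or null on any failure.
function authenticate(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare(
        "SELECT UserID, Name, Username, Password, PrivilegeLevel FROM users WHERE Username = ?"
    );
    $stmt->bind_param('s', $username); // one ?: one type letter, one variable
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userId, $name, $dbUsername, $hash, $privLevel);
    $found = $stmt->fetch(); // true when a row was fetched, null when none
    $stmt->close();

    // Same outcome for an unknown user and a wrong password.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return ['UserID' => $userId, 'Name' => $name,
            'Username' => $dbUsername, 'PrivilegeLevel' => $privLevel];
}

// Connection values are the ones from the question.
$conn = new mysqli("localhost", "root", "root", "database 1");
$user = authenticate($conn, $_POST['InputUsername'] ?? '', $_POST['InputPassword'] ?? '');
echo $user === null
    ? "Invalid username or password"
    : "Your user ID is: " . htmlspecialchars((string) $user['UserID']);
```

The returned array deliberately omits the Password column, so the stored hash never reaches the page template.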