I'm writing a function to authenticate a user. I create a connection with a database, then prepare a query, bind the parameter, execute the query, bind the result to a variable,check if the query returned a result.
If it did I compare the result (bound to the variable), close the statement, close the connection, and then return the appropriate value. Well, that's what I think I am doing, but I keep getting a syntax error and I can't figure out what I am doing wrong:
Syntax error: expected: exit, if, identifier, variable, echo, do, while, for, foreach, declare, switch, break, continue, function, return, try, throw, use, global, unset, isset, empty, class, interface, array, {, }, include, include_once, eval, require, require_once, print, ';', +, -, !, ~, ++, --, @, [, new, static, abstract, final, (, $
My code:
/**
* Authenticates a user.
* @param type $email - String value
* @param type $hashedPassword - String value
* @return true if user is authenticated or false otherwise - Boolean value
*/
function isValidUser($email, $hashedPassword)
{
//This variable will hold the value returned from the query to the database.
var $rPassword = NULL;
//Establish a connection
$mysqli = new mysqli($GLOBALS['dbServer'], $GLOBALS['dbUserName'], $GLOBALS['dbPassword'], $GLOBALS['dbName']);
//Check if connection failed
if($mysqli->connect_error)
{
die('Connect Error (' . $mysqli->connect_errno . ') '
. $mysqli->connect_error);
}
$stmt = $mysqli->prepare("SELECT password FROM user_info WHERE email=?");
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($rPassword);
if($stmt->fetch())
{
if(($rPassword != null) && ($rPassword == $hashedPassword))
{
$stmt->close();
$mysqli->close();
return true;
}
}
$stmt->close();
$mysqli->close();
return false;
}
I was doing this without using prepared statements and the code worked fine, but then I did some research and found out that prepared statements is the way to go because they help prevent SQL injections.