Edit: I think the bug is in a different part of the code. Apparently, when testing prepared statements in phpMyAdmin, phpMyAdmin simply performs a search-replace on the parameters rather than actually using a prepared statement in PDO.
The PHP login script which I am working on uses mysqli to access a database.
A key part of the script queries the users table to return the password hash.
$stmt = $mysqli->prepare("SELECT password FROM users WHERE username = ?");
$stmt->bind_param("s", $_POST["username"]);
$stmt->execute();
$stmt->bind_result($hash);
I have a row in the table with itcha2 as the username, but when I pass itcha2 as the username to the script, it returns no rows.
When I enter the query into phpMyAdmin, SELECT * FROM users WHERE username = :user, binding itcha2 as :user, phpMyAdmin returns the error #1054 - Unknown column 'itcha2' in 'where clause'.
As I understand it, a parameter from a prepared statement should never be interpreted as a column name.
What is going on?
Any help is most sincerely appreciated.
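
The difference between a bound parameter and a textual search-replace of the placeholder, as an added example that is not part of the original post. It assumes Python's built-in sqlite3 with an in-memory database as a stand-in for MySQL/mysqli; the table contents and function names are constructed for illustration, and SQLite's "no such column" plays the role of MySQL's #1054.

```python
import sqlite3


def make_db():
    # Constructed sample table mirroring the users table in the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("itcha2", "constructed-hash"))
    return db


def lookup_bound(db, username):
    # Real binding: the value is sent separately from the SQL text,
    # so the engine can only ever compare it as data.
    row = db.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_substituted(db, username):
    # Search-replace of the placeholder with no quoting: the value becomes
    # part of the SQL text and the parser reads it as an identifier.
    sql = "SELECT password FROM users WHERE username = :user".replace(
        ":user", username
    )
    try:
        row = db.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "itcha2"))          # row found, value treated as data
    print(lookup_bound(db, "username"))        # still data: no such user
    print(lookup_substituted(db, "itcha2"))    # parsed as a column name
    print(lookup_substituted(db, "username"))  # column compared with itself
```
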