I have searched google, read in the PHP manual and tried several tutorials to make a secure login script for mysqli and PHP. Does anyone know of one that actually works without md5?

I would like to see some working code or a tutorial if possible.

Mine won't actually query the db or return a value, even after hardcoding the values into the script... I'm looking for something like:

• connect using the 'connectdb' file
• post the user/pwd from the form
• query db for user/pwd
• set session with username
• etc.

This is my code that doesn't work:

<?php

include ("conectionlink.php");

//connection errors if any...

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$userid = htmlentities($_POST['userid'], ENT_QUOTES);
$password = htmlentities($_POST['password'], ENT_QUOTES);


//create a prepared statement

if ($stmt = $mysqli->prepare("SELECT userid, password FROM admins WHERE userid=? and password=?")) {



// bind parameters-define them...
    $stmt->bind_param("is", $userid, $password);


//execute...
    $stmt->execute();

    // bind result variables 
    $stmt->bind_result($userid,$password)



//fetch value
    $stmt->fetch();

 var_dump($userid, $password);
 printf("%n is associated with %s", $userid, $password);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>

I receive the following error message:

According to the PHP documentation for mysqli, bind_result() syntax should be in one line, rather than performing multiple binds:

bind_result ( mixed &$var1 [, mixed &$... ] )

So, instead of this:

$stmt->bind_result($userid);
$stmt->bind_result($password);

try doing this:

$stmt->bind_result($userid,$password);

You seem to be treating the userid column as containing an integer, when I suspect you are really receiving a string. You initialize $userid like this:

$userid = htmlentities($_POST['userid'], ENT_QUOTES);

Then you use it in a SELECT and treat it as an integer in your bind_param() call. So, you're treating it like an integer (which seems unlikely in a $_POST variable -- I expect you are really receiving a string username, not an integer ID).

You also have a problem with your call to printf() -- %n is not a recognized format. You can see the acceptable formats at the sprintf() manual page.

In short, I suspect you are using the wrong column in your SELECT statement, and that it is actually supposed to be something like username.