-1

so I have 2 tables: admin and employee with only 2 columns they share in common

one login form

and 2 separate dashboards for each

to make them in one table temporarily I've incorporated them with UNION as well as adding a temporary column as well to define the type of user and hence logging in to the right dashboard.

so for making this happen after a very long searching and quite many trail and error I've concluded that this is the best I can do and understand as a newbie in this field.

that's how my final piece looks like:

    // preparing a temporary table that unions the admin and employee tables
$TMP = "SELECT EMP_ID AS ID, EMP_EMAIL AS EMAIL, 2 AS TYPE FROM employee
                        UNION
                        SELECT ID, EMAIL, 1 AS TYPE FROM admin ";
$result = $con->prepare($TMP);                      
$result-> execute();
$result-> store_result();
$result-> fetch();

    // preparing select statement for logging in
$stmt = $con->prepare('SELECT `TYPE` FROM `".$result."` WHERE `ID` = ?');
    // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
    $stmt->bind_param('i', $_POST['ID']);
    $stmt->execute();
    // Store the result so we can check if the account exists in the database.
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
    $stmt->bind_result($ID);
    $stmt->fetch();
    }
        if ($stmt['TYPE'] == 1) {
            if ($_POST['ID'] == $ID) {
        // Verification success! User has loggedin!
        // Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
            session_regenerate_id();
            $_SESSION['loggedin'] = TRUE;
            $_SESSION['email'] = $_POST['EMAIL'];
            $_SESSION['id'] = $ID;
            echo 'Welcome ' . $_SESSION['email'] . '!';
        } else {
        echo 'Incorrect password!';
    }
        } else if ($stmt['TYPE'] == 2) {
    if ($_POST['ID'] == $ID) {
        // Verification success! User has loggedin!
        // Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
        session_regenerate_id();
        $_SESSION['loggedin'] = TRUE;
        $_SESSION['email'] = $_POST['EMAIL'];
        $_SESSION['id'] = $ID;
        echo 'Welcome ' . $_SESSION['email'] . '!';
    } else {
        echo 'Incorrect password!';
    }
        }
    $stmt-> close();



$result-> close();
$con-> close();

the code used was from a tutorial meant for logging one user and it was working just fine with me but because my goal was different I tried to modify it for my needs but unfortunately fatal errors about binding the parameter keeps popping up.

I really appreciate giving me some of your time. thank you.

Sarah Fahad
  • 3
  • 6
  • Your concatenation is wrong. You have single quotes on the full string, but try to break out of it with double quotes. Thus, your prepare statement failed. – aynber Mar 20 '19 at 18:24
  • @aynber you're right the error has gone but I received another error (Catchable fatal error: Object of class mysqli_stmt could not be converted to string ) do you think this is has something to do with the temporary table's name? thanks for your help. – Sarah Fahad Mar 21 '19 at 05:37
  • You call `$stmt->fetch()` but never assign it to a variable, then attempt to use the mysql_stmt `$stmt` as an array. That won't work. Do `$row = $stmt->fetch()` so that `$row` will contain the results of the query, which you can then use as an array `$row['TYPE']` – aynber Mar 21 '19 at 12:27

1 Answers1

3

The problem is in the outer quotes ' vs "

When the prepared statement fails it will return a boolean (false).

Documentation

mysqli_prepare() returns a statement object or FALSE if an error occurred.

I think you meant to make this line like this:

$stmt = $con->prepare("SELECT `TYPE` FROM `".$result."` WHERE `ID` = ?");
Benjie Wheeler
  • 540
  • 3
  • 16
  • you're right this issue is solved thank you. but do know whether my table's name is affecting the code in any way or not? I really appreciate your help. – Sarah Fahad Mar 21 '19 at 05:39
  • Your table name being in the `$result` variable is prone to [SQL Injection](https://en.m.wikipedia.org/wiki/SQL_injection), I would advise you yo [escape](https://secure.php.net/manual/en/mysqli.real-escape-string.php) the variable – Benjie Wheeler Mar 21 '19 at 13:50