Anonymous Penguin

Reputation: 2137

Why isn't PHP's "password_hash" returning a string?

<?php
    $connection=new PDO("mysql:host=localhost;dbname=userdata", "secure_credentials", "battery_staple");
    $user=$_POST['username1'];
    $pass=$_POST['password1'];
    $snip=mb_substr($user, 0, 3);
    $pass=password_hash($pass, PASSWORD_BCRYPT);
    $user_query=$connection->prepare("INSERT INTO login (email, password, semod, snippet) VALUES (:email, :password, :semod, :snippet)");
    $user_query->bindParam(':email', $user);
    $user_query->bindParam(':password', $pass);
    $user_query->bindParam(':semod', "false");
    $user_query->bindParam(':snippet', $snip);
    $user_query->execute();

(Password changed)

I'm facing a small problem with the above PHP code. Whenever it's executed, I get this error:

Fatal error: Cannot pass parameter 2 by reference in [location] on line [##: I shortened the above code... it's the password field with issues]

Looking around, this seems to be an issue when passing a string/integer directly, without using a variable. However, password_hash() returns a string, so I am led to believe that it's not returning a string. What could be the problem of this issue?

Upvotes: 2

Views: 211

Answers (1)

Barmar

Reputation: 780879

Your error is on this line:

$user_query->bindParam(':semod', "false");

You need to use bindValue.

$user_query->bindValue(':semod', "false");

bindParam passes the second argument by reference, so it has to be a variable, not a literal.

Additionally, known values don't need to be bound. You could have just as easily added the literal 'false' string to your statement query, i.e.:

"INSERT INTO login (email, password, semod, snippet) VALUES (:email, :password, 'false', :snippet)"

Upvotes: 5
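
The difference between bindParam and bindValue described in the answer, as an added example that is not part of the original question or answer. It assumes the pdo_sqlite and mbstring extensions; an in-memory SQLite database stands in for the MySQL one, and the input values are constructed.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension;
// an in-memory SQLite database stands in for the MySQL "userdata" database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (email TEXT, password TEXT, semod TEXT, snippet TEXT)');

// Constructed sample input standing in for $_POST['username1'] / $_POST['password1'].
$user = 'alice@example.com';
$hash = password_hash('constructed-sample-password', PASSWORD_BCRYPT);

$insert = $db->prepare(
    'INSERT INTO login (email, password, semod, snippet)
     VALUES (:email, :password, :semod, :snippet)'
);

// bindValue() copies the value at bind time, so literals and expressions are accepted.
$insert->bindValue(':password', $hash);
$insert->bindValue(':semod', 'false');
$insert->bindValue(':snippet', mb_substr($user, 0, 3));

// bindParam() stores a reference; the variable is read only when execute() runs.
$insert->bindParam(':email', $email);
$email = $user;               // assigned after binding, still the value that is inserted
$insert->execute();

// Re-running the statement picks up the new $email through the reference, while
// :snippet keeps the value bindValue() captured earlier.
$email = 'bob@example.com';
$insert->execute();

$rows = $db->query('SELECT email, password, semod, snippet FROM login ORDER BY email')
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf("%s semod=%s snippet=%s\n", $row['email'], $row['semod'], $row['snippet']);
}

// password_hash() did return a string: a bcrypt hash that password_verify() checks.
var_dump(is_string($rows[0]['password']), strlen($rows[0]['password']));
var_dump(password_verify('constructed-sample-password', $rows[0]['password']));
var_dump(password_verify('wrong-password', $rows[0]['password']));
```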
