knightdev

Reputation: 21

Issue with PDO binding/executing

Hi, here's my code. I created the 2 sqlite tables, sample and login_info, properly, though this error still pops up:

Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error: 25 bind or column index out of range in C:\xampp\htdocs\display.php:22

<?php
session_start();
$user  = $_POST['username'] ?? '';
$pword = $_POST['password'] ?? '';
$_SESSION['details'] = [
    'user' => $user,
    'pword'=> $pword
];
$pdo = new PDO('sqlite:'.__DIR__.'/users.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);

if (!isset($_SESSION['sample'])){
    $statement = $pdo->prepare("INSERT INTO sample(timecreated) VALUES (?)");
    $statement->execute([time()]);
    $_SESSION['sample'] = $pdo->lastInsertId();
}
$deleteStatement = $pdo->prepare("DELETE FROM login_info WHERE employee_id=?");
$deleteStatement->execute([$_SESSION['sample']]);

This is where my error starts

$insertStatement = $pdo->prepare("INSERT INTO login_info (username,password) VALUES (?,?)");
$insertStatement->execute([$_SESSION['sample'],'username', $user]);
$insertStatement->execute([$_SESSION['sample'],'password', $pword]);
?>
<!DOCTYPE html>
<html>
<head>
    <title>Display</title>
</head>
<body>
    <p>
        Your username is <?php echo $user ?> and your password <?php echo $pword ?>.
    </p>
    <a href="login.php">Go Back</a>
</body>
</html>

Upvotes: 1

Views: 74

Answers (1)

Qirel

Reputation: 26460

Your issue is that you don't bind the two values, you try to execute them individually. Either bind them first, then execute, or execute them at the same time. You also provide 3 arguments, instead of two. I can't see how $_SESSION['sample'] (the ID from a previous query) fits into that, so just remove it.

Here's an example of how you can execute it. Note that the array provided as an argument in execute() holds exactly as many elements as there are placeholders, and they appear in the correct order.

$insertStatement = $pdo->prepare("INSERT INTO login_info (username, password) VALUES (?, ?)");
$insertStatement->execute([$user, $pword]);

Your issue was that you tried to execute multiple times. You seem to have confused this with the syntax of PDOStatement::bindParam, which would be

$insertStatement = $pdo->prepare("INSERT INTO login_info (username, password) VALUES (?, ?)");
$insertStatement->bindParam(1, $user);
$insertStatement->bindParam(2, $pword);
$insertStatement->execute();

By calling execute() multiple times on the same statement, you attempt to execute it multiple times - this is useful if you want to insert the same kind of data, but with different values - which is not relevant to what you are doing here.


Other things to note...

You currently store passwords in a session and display them to the user directly - this is strongly advised against. It also appears that you store passwords in plain text, which is a big no-no! Use proper methods of hashing, like password_hash() with password_verify().


Upvotes: 1
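
The answer's two points combined (one value per placeholder, and password_hash() with password_verify() instead of plain text), as an added example that is not part of the original question or answer. The column types, the in-memory database, the register()/login() helper names and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed schema for login_info; in-memory database so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_info (
    employee_id INTEGER PRIMARY KEY,
    username    TEXT NOT NULL UNIQUE,
    password    TEXT NOT NULL  -- holds a password_hash() string, never the plain text
)');

// Hypothetical helper: store the user with a hashed password.
function register(PDO $pdo, string $user, string $pword): int
{
    // Two placeholders, two values, in the same order as the column list.
    $stmt = $pdo->prepare('INSERT INTO login_info (username, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pword, PASSWORD_DEFAULT)]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: look the user up and check the submitted password.
function login(PDO $pdo, string $user, string $pword): bool
{
    $stmt = $pdo->prepare('SELECT password FROM login_info WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matches.
    return is_string($hash) && password_verify($pword, $hash);
}

// Constructed sample credentials.
$id = register($pdo, 'alice', 'correct horse battery staple');
// Keep only $id in $_SESSION; the password itself is never stored or echoed back.
var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, 'nobody', 'x'));

// The mismatch from the question: three values for two placeholders.
$stmt = $pdo->prepare('INSERT INTO login_info (username, password) VALUES (?, ?)');
try {
    $stmt->execute([$id, 'username', 'bob']);
} catch (PDOException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```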
