Reputation: 2686
PHP
session_start();
$username = $_POST['regduser'];
$userpass = md5($_POST['regdpass']);
$sql = $sql->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
$sql->bindParam(':username', $username);
$sql->bindParam(':userpass', $userpass);
$stmnt->execute();
$result = mysql_query($sql);
if (mysql_num_rows($result)!= 1) {
$error = "Login failed";
#include "loginform.php";
} else {
echo "<h1>exists</h1>";
#$_SESSION['regduser'] = "$username";
#$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// any other data needed to navigate the site or
// to authenticate the user can be added here
#include "membersection.php";
}
?>
HTML:
<form action="inc/check_regUsr.php" method="post" id="userLogon">
<div class="field required">
Username: <input type="text" name="regduser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="password" name="regdpass" tabindex="2" /><br />
</div>
<input type="submit" name="submitUser" />
</form>
Fatal error: Call to a member function prepare() on a non-object on line 9
That line is:
$sql = $sql->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
What am I doing wrong here?!
Upvotes: 1
Views: 277
Reputation: 4258
$sql is not an object at all. It has to be an object, like something from PDO, e.g. $sql = new PDO(…).
Furthermore, you should not use MD5 hashes for passwords, see Secure hash and salt for PHP passwords.
Upvotes: 2
Reputation: 70470
Ohoh, where to begin...
$sql made?
:placeholdername in prepared statements, not $placeholdername.
$sql, destroying your database connection if you ever had one.
$stmnt does not exist
mysql_query do there? You have 3 options: mysql, mysqli or PDO. Stick with one, don't mix & match.
Upvotes: 5
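The points raised in the answers above, combined into one login check. This is an added example, not code from the thread: it uses PDO only, keeps the connection (`$pdo`) and the statement (`$stmt`) in separate variables, puts a named placeholder in the SQL text, and replaces MD5 with `password_hash()`/`password_verify()`. The in-memory SQLite DSN, the `connect()` and `checkLogin()` names, and the sample user are assumptions so the script runs offline; the `Students`, `regduser` and `regdpass` names come from the question.

```php
<?php
declare(strict_types=1);

// Assumed helper: in-memory SQLite so the example needs no server.
// In the question's setup this would be a MySQL DSN with credentials.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Assumed helper: returns true only when the user exists and the password matches.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The SQL text contains only the placeholder; the value travels separately,
    // so quotes in $username cannot change the query.
    $stmt = $pdo->prepare('SELECT regdpass FROM Students WHERE regduser = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    // Verify against a throwaway hash for unknown users so both paths
    // spend comparable time and do not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $ok = password_verify($password, is_string($hash) ? $hash : $dummy);
    return $ok && is_string($hash);
}

// Constructed sample data: one user whose password is stored as a salted hash.
$pdo = connect();
$pdo->exec('CREATE TABLE Students (regduser TEXT PRIMARY KEY, regdpass TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO Students (regduser, regdpass) VALUES (:u, :p)');
$insert->execute([
    ':u' => 'alice',
    ':p' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
]);

// Correct password, wrong password, and a username containing quotes,
// which is looked up as a literal string and matches no row.
var_dump(checkLogin($pdo, 'alice', 'constructed-sample-pw'));
var_dump(checkLogin($pdo, 'alice', 'wrong'));
var_dump(checkLogin($pdo, "alice' OR '1'='1", 'anything'));
```

On a successful check in the web script, call `session_regenerate_id(true)` before storing the username in `$_SESSION`.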