mysqli never returns anything

Question

As part of a PHP web application, I'm querying a MySQL database using mysqli and prepared statements.

I've used exactly the same code on a few queries and it works, but on one particular query, it always returns an empty record set. I've run exactly the same query from the MySQL command line, and it correctly returns the result. I've checked the parameters being passed in, and they're fine.

I've spent the best part of a day trying to figure out why I'm always getting an empty record set with no errors or warnings. I've got PHP's errors set to display on the page, and I've got them set to E_ALL|E_STRICT. I still don't get any warnings or errors.

I've tried all the obvious things, like making sure I can actually connect to the database, checking the parameters that are being passed in, and making sure the row I'm trying to return actually exists in the database. I've had var_dump()s and die()s all over the page to check what's coming back, and it's always a legitimate, but empty, recordset.

function salt() {
   return("I've removed my salt from this sample code");
}

function openDatabase() {
   $conn = new mysqli("127.0.0.1", "username", "password", "database")
      or die("Error: Could not connect to database.");
   return($conn);
}

function checkUserCredentials($username, $password) {
   $goodPassword = md5(salt().$username.$password);

   $conn = openDatabase();
   $query = $conn->stmt_init();

   $query->prepare("SELECT id FROM users WHERE email = ? AND passwordHash = ?")
      or die('Problem with query');

   $query->bind_param("ss", $username, $goodPassword)
      or die('Error binding parameters');

   $query->execute() or die("Could not execute");
   $query->bind_result($col1) or die ("Could not bind result");

   if ($col1 !== 0) {
      die("Authentication Complete");
   } else {
      die("Authentication Failure! Number of Rows: ".$query->num_rows." Username: " . $username . " Password Hash: " . $goodPassword);
   }
}

Any feedback is appreciated. I'm sure I'm missing something simple, but if I didn't shave my head I'd be tearing my hair out right now.

Thanks

Answer 1

I'm not familiar with the mysqli library (I usually use PDO which provides a very similar cross platform API) so I can't immediately see any problem. However, you might try watching the mysqld log. See here for info:

http://dev.mysql.com/doc/refman/5.1/en/query-log.html

By tailing the log, you should be able to see the exact query that was submitted.

One final note, I notice you're using a fixed salt value. Wouldn't it be better to generate this value randomly each time you need it and then store it in the users table? Generally, a salt is not intended to be secret, it's just there to prevent people precomputing tables of passwords using the hash algorithm that you use.

Answer 2

In case anyone else runs into similar issues, it really helps if you run fetch() on your mysqli_stmt object.

In my code above, the solution looks like this:

$query->bind_result($col1) or die ("Could not bind result");

$query->fetch(); // <--- How could I forget to do this?

if ($col1 !== 0) {
   return true;
} else {
   return false;
}

_{Added on behalf of OP}