PHP SQL Server get error message on execute - php

I am lost a bit, shifting from regular queries to parametrized and it seems I cannot get an error.
I know for sure sql does not perform INSERT but also there is no error displayed.
How do I see errors with execute statements? The actual query has 50 values. Below is a code sample, I just need to know how to pull errors on execute. Thank you!
$sqlParamsArUpd = array('10', '20');
$data = $conn->prepare($sqlNew);
$data->execute($sqlParamsArUpd);
if ($data) {
    // code continues here (SQL does not insert values and the code simply continues here instead of showing an error)
} else {
    print_r($conn->errorInfo());
}

Use the boolean from PDOStatement::execute
$sqlParamsArUpd = array('10', '20');
$stmt = $conn->prepare($sqlNew);
$inserted = $stmt->execute($sqlParamsArUpd); // Returns true or false
if ($inserted) {
    echo $stmt->rowCount()." rows inserted";
} else {
    print_r($stmt->errorInfo());
}
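A fuller version of this check, as an added example that is not code from the original answer: it runs against an in-memory SQLite database so it works offline, and the table `demo_items`, the helper `runInsert()` and the sample values are assumptions. It handles both PDO error modes and writes the driver detail to the server log instead of printing it to the client.

```php
<?php
// Added example: constructed table and values; requires the pdo_sqlite extension.

/**
 * Execute a parametrized INSERT and report the outcome without
 * handing raw driver error text back to the caller.
 */
function runInsert(PDO $conn, string $sql, array $params): array
{
    try {
        $stmt = $conn->prepare($sql);
        // In ERRMODE_SILENT prepare() may return false instead of throwing.
        if ($stmt === false) {
            $info = $conn->errorInfo();
            error_log('prepare failed: ' . implode(' | ', $info));
            return ['ok' => false, 'rows' => 0, 'sqlstate' => $info[0]];
        }
        // execute() returns false on failure in silent/warning mode.
        if ($stmt->execute($params) === false) {
            $info = $stmt->errorInfo();   // [SQLSTATE, driver code, driver message]
            error_log('execute failed: ' . implode(' | ', $info));
            return ['ok' => false, 'rows' => 0, 'sqlstate' => $info[0]];
        }
        return ['ok' => true, 'rows' => $stmt->rowCount(), 'sqlstate' => '00000'];
    } catch (PDOException $e) {
        // ERRMODE_EXCEPTION: the same failures arrive here instead.
        error_log('query failed: ' . $e->getMessage());
        return ['ok' => false, 'rows' => 0, 'sqlstate' => (string) $e->getCode()];
    }
}

$conn = new PDO('sqlite::memory:');
$conn->exec('CREATE TABLE demo_items (a INTEGER NOT NULL, b INTEGER NOT NULL UNIQUE)');
$sqlNew = 'INSERT INTO demo_items (a, b) VALUES (?, ?)';

foreach ([PDO::ERRMODE_SILENT, PDO::ERRMODE_EXCEPTION] as $mode) {
    $conn->setAttribute(PDO::ATTR_ERRMODE, $mode);
    $conn->exec('DELETE FROM demo_items');
    $first  = runInsert($conn, $sqlNew, ['10', '20']);  // succeeds
    $second = runInsert($conn, $sqlNew, ['11', '20']);  // violates UNIQUE(b)
    printf("mode %d: first ok=%s rows=%d, second ok=%s sqlstate=%s\n",
        $mode, var_export($first['ok'], true), $first['rows'],
        var_export($second['ok'], true), $second['sqlstate']);
}
```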

Related

php sql search issues

OK, here is my code; maybe someone out there can explain what I am doing wrong here, as I just don't get it. My understanding of this is that IF the stmt finds a result it will then run the code in the {} and hence return a result. And IF there is no result then it would return nothing, as the IF statement is false. But I am getting a return in Postman even though the ID that I am searching is false. It does not exist on the table. Why do I get a return?
public function getDoc($ID){
    if( $xromstmt = $this->con->prepare("SELECT adegree, bdegree, cset, dset FROM xromdb WHERE ID = ?")) {
        $xromstmt->bind_param("s", $ID);
        $xromstmt->execute();
        $xromstmt->bind_result($adegree, $bdegree, $cset, $dset);
        $xromstmt->fetch();
        $evalxrom = array();
        $edocxrom = array();
        // some other code here dealing with the return etc...
    } // <-- the end bracket to the if statement. There is nothing past this bracket.
} // bracket to getDoc
The if statement that you have is just checking that the prepare was successful. To see if there was any data returned from the query, you need to check the result of the call to fetch. Try something like this:
if ($xromstmt = $this->con->prepare("SELECT adegree, bdegree, cset, dset FROM xromdb WHERE ID = ?")) {
    $xromstmt->bind_param("s", $ID);
    $xromstmt->execute();
    $xromstmt->bind_result($adegree, $bdegree, $cset, $dset);
    if ($xromstmt->fetch()) {
        $evalxrom = array();
        $edocxrom = array();
        // ...
        // some other code here dealing with the return etc...
    }
}
You should probably also check the result of the call to execute.
The $xromstmt->prepare statement does not search the database it sets-up the search; the database is not searched until $xromstmt->execute. The execute and prepare statements will return true or false if the statement was run correctly (i.e. no errors in your code) regardless of whether any results were found.
What you want to use is the number of rows from the query, 0 if no results found:
$xromstmt->store_result(); // buffer the result set so num_rows is populated
$num_rows = $xromstmt->num_rows;
Then run if statements on $num_rows.
Hope this helps

sqlsrv_query returns false without any error (sqlsrv_errors())

We have to execute an MSSQL stored procedure in order to insert a set of rows and return the result. The procedure is working perfectly as intended when executed inside the Microsoft SQL Server Management Studio. But it's not working when executed with sqlsrv_execute or sqlsrv_query in PHP. It's inserting only one row and returning no rows.
The Stored Procedure can be found Here
The PHP code is
// Here my SP required one argument, so I passed one argument. This @param and the stored procedure argument name should be the same (case sensitive)
$sql = " { call ResmaxCompareWithProduction ( ?,? ) } ";
$param1 = 'All';
$param2 = 'desk';
$params = array(array(&$param1, SQLSRV_PARAM_IN),array(&$param2, SQLSRV_PARAM_IN));
$stmt = sqlsrv_prepare($conn,$sql,$params);
if ($stmt===false) {
    // handle error
    print_r(sqlsrv_errors(),true);
}else{
    if (sqlsrv_execute($stmt)===false) {
        // handle error. This is where the error happens
        print_r(sqlsrv_errors(),true);
    }
    else
    {
        $resultArray = array();
        while($row = sqlsrv_fetch_array($stmt)){
            $resultArray[] = $row;
        }
        print_r($resultArray);
        // success! It never gets here, though.
    }
}
I tried to var_dump the result the procedure returned and it output resource(4) of type (SQL Server Statement)
The sqlsrv_errors() returns NULL
sqlsrv_fetch_array returned boolean(false)
I even tried using sqlsrv_query instead of sqlsrv_prepare and sqlsrv_execute, but same result.
Could you guys help me figure out what the issue is and make the procedure run as intended.

How to get all errors after calling to mysqli_multi_query?

I'm using this code:
$mysqli = new mysqli(...);
$sql = file_get_contents("my_sql_file.sql");
$result = $mysqli->multi_query($sql);
if (!$result)
report_error(); //my function
while ($mysqli->more_results()) {
$result = $mysqli->next_result();
if (!$result)
report_error();
}
However the 'while' loop in the code above turned out to be an infinite loop. Anything wrong?
Actually your code doesn't really make sense. The proper way to handle multiqueries is the following (see php manual)
if ($mysqli->multi_query($query)) {
do {
// store first result set
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
// do something with the row
}
$result->free();
}
else { error_report(); }
} while ($mysqli->next_result());
}
else { error_report(); }
The code provided in the question runs into an infinite loop because "If your second or late query returns no result or even if your query is not a valid SQL query, more_results(); returns true in any case.", see this note on php.net: http://us3.php.net/manual/en/mysqli.multi-query.php#104076
Furthermore, mysqli_more_results always returns true in the code because the results are not discarded; you must call mysqli_store_result to discard the result after each call to mysqli_next_result. See: http://us3.php.net/manual/en/mysqli.multi-query.php#91677
There is no official way to catch all errors when executing MySQL text (multi-commands separated by semicolons) by mysqli_multi_query. The function mysqli_multi_query will stop execution when it faces a bad SQL command, so it is only possible to catch the first error (no matter where the error occurs, in the first SQL command or any other SQL command in the SQL text).
Related to Jon's answer to this question: When does mysqli_multi_query stop execution?
And as noted in http://www.php.net/manual/en/mysqli.multi-query.php#106126, the first error can be caught by checking mysqli_next_result, because $mysqli->next_result() will return false if it runs out of statements OR if the next statement has an error.
Finally the answer is that results must be discarded after calling to mysqli_next_result using mysqli_store_result:
$mysqli = new mysqli(...);
$sql = file_get_contents("my_sql_file.sql");
$result = $mysqli->multi_query($sql);
if (!$result)
report_error(); //my function
while ($mysqli->more_results()) {
$result = $mysqli->next_result();
//important to make mysqli_more_results false:
$discard = $mysqli->store_result();
if (!$result)
report_error();
}

PHP MySQL query not working

I'm having trouble with this long sql query. If I change $result= mysql_query( to an echo statement and copy the resulting string into MySQL, it adds the data into the db just fine. It's only when I'm using PHP to do it that it fails.
Code:
$con = mysql_connect("-","-","-");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
else {
// connected to database successfully
}
mysql_select_db("casemanagers", $con);
$result= mysql_query("INSERT INTO `criminal` (`JudgeID`, `Month`, `Year`, `PendingCapDefs`, `PendingCapCases`, `PendingNonCapDefs`, `PendingNonCapCases`, `AsgNewCapDefs`, `AsgNewCapCases`, `AsgNewNonCapDefs`, `AsgNewNonCapCases`, `AsgTRCapDefs`, `AsgTRCapCases`, `AsgTRNonCapDefs`, `AsgTRNonCapCases`, `AsgRCCapDefs`, `AsgRCCapCases`, `AsgRCNonCapDefs`, `AsgRCNonCapCases`,
`DispGPCapDefs`, `DispGPCapCases`, `DispGPNonCapDefs`, `DispGPNonCapCases`, `DispDDCapDefs`, `DispDDCapCases`, `DispDDNonCapDefs`, `DispDDNonCapCases`, `DispNPCapDefs`, `DispNPCapCases`, `DispNPNonCapDefs`, `DispNPNonCapCases`, `DispODCapDefs`, `DispODCapCases`, `DispODNonCapDefs`, `DispODNonCapCases`, `DispBTACapDefs`, `DispBTACapCases`, `DispBTANonCapDefs`, `DispBTANonCapCases`, `DispBTCCapDefs`, `DispBTCCapCases`, `DispBTCNonCapDefs`, `DispBTCNonCapCases`, `DispJTACapDefs`, `DispJTACapCases`, `DispJTANonCapDefs`, `DispJTANonCapCases`, `DispJTCCapDefs`, `DispJTCCapCases`, `DispJTCNonCapDefs`, `DispJTCNonCapCases`, `DispADDCapDefs`, `DispADDCapCases`, `DispADDNonCapDefs`, `DispADDNonCapCases`, `DispSCDCapDefs`, `DispSCDCapCases`, `DispSCDNonCapDefs`, `DispSCDNonCapCases`, `DispCTOCapDefs`, `DispCTOCapCases`, `DispCTONonCapDefs`, `DispCTONonCapCases`, `OldCapDefs`, `OldCapCases`, `OldNonCapDefs`, `OldNonCapCases`) VALUES ('$judgeID',' $month',' $year',' $PendingCapDefs','$PendingCapCases','$PendingNonCapDefs','$PendingNonCapCases','$AsgNewCapDefs','$AsgNewCapCases','$AsgNewNonCapDefs','$AsgNewNonCapCases','$AsgTRCapDefs','$AsgTRCapCases','$AsgTRNonCapDefs','$AsgTRNonCapCases',' $AsgRCCapDefs','$AsgRCCapCases','$AsgRCNonCapDefs',' $AsgRCNonCapCases','$DispGPCapDefs','$DispGPCapCases','$DispGPNonCapDefs','$DispGPNonCapCases','$DispDDCapDefs','$DispDDCapCases','$DispDDNonCapDefs','$DispDDNonCapCases',' $DispNPCapDefs',' $DispNPCapCases',' $DispNPNonCapDefs','$DispNPNonCapCases','$DispODCapDefs',' 
$DispODCapCases','$DispODNonCapDefs','$DispODNonCapCases','$DispBTACapDefs','$DispBTACapCases','$DispBTANonCapDefs','$DispBTANonCapCases','$DispBTCCapDefs','$DispBTCCapCases','$DispBTCNonCapDefs','$DispBTCNonCapCases','$DispJTACapDefs','$DispJTACapCases','$DispJTANonCapDefs','$DispJTANonCapCases','$DispJTCCapDefs','$DispJTCCapCases','$DispJTCNonCapDefs','$DispJTCNonCapCases','$DispADDCapDefs','$DispADDCapCases','$DispADDNonCapDefs','$DispADDNonCapCases','$DispSCDCapDefs','$DispSCDCapCases','$DispSCDNonCapDefs','$DispSCDNonCapCases','$DispCTOCapDefs','$DispCTOCapCases','$DispCTONonCapDefs','$DispCTONonCapCases','$OldCapDefs','$OldCapCases','$OldNonCapDefs','$OldNonCapCases');");
if ($result==1){
$statusCaption = 'New Civil Report';
echo 'Report Successfully Saved!<br/><br/><-- Back to User Menu';
}
else {
$statusCaption = 'Error';
echo 'There was a problem with one or more of your entries. Please try again.<br/><br/><--Back to Civil Report';
}
mysql_query() returns a statement handle on success, or boolean false on failure/errors. It'll never return an integer '1'.
if ($result !== false) {
    // ... success ...
} else {
    // ... failure ...
}
Note that 'failure' is only due to a syntax error in the query or a violation of a constraint in the db or a failure in the client-server communications link. A select query that returns no rows is NOT a failure. It's just a result set that happens to contain no rows.
$result= mysql_query("INSERT INTO `criminal` VALUES ('$judgeID',' $month',' $year',' $PendingCapDefs','$PendingCapCases','$PendingNonCapDefs','$PendingNonCapCases','$AsgNewCapDefs','$AsgNewCapCases','$AsgNewNonCapDefs','$AsgNewNonCapCases','$AsgTRCapDefs','$AsgTRCapCases','$AsgTRNonCapDefs','$AsgTRNonCapCases',' $AsgRCCapDefs','$AsgRCCapCases','$AsgRCNonCapDefs',' $AsgRCNonCapCases','$DispGPCapDefs','$DispGPCapCases','$DispGPNonCapDefs','$DispGPNonCapCases','$DispDDCapDefs','$DispDDCapCases','$DispDDNonCapDefs','$DispDDNonCapCases',' $DispNPCapDefs',' $DispNPCapCases',' $DispNPNonCapDefs','$DispNPNonCapCases','$DispODCapDefs',' $DispODCapCases','$DispODNonCapDefs','$DispODNonCapCases','$DispBTACapDefs','$DispBTACapCases','$DispBTANonCapDefs','$DispBTANonCapCases','$DispBTCCapDefs','$DispBTCCapCases','$DispBTCNonCapDefs','$DispBTCNonCapCases','$DispJTACapDefs','$DispJTACapCases','$DispJTANonCapDefs','$DispJTANonCapCases','$DispJTCCapDefs','$DispJTCCapCases','$DispJTCNonCapDefs','$DispJTCNonCapCases','$DispADDCapDefs','$DispADDCapCases','$DispADDNonCapDefs','$DispADDNonCapCases','$DispSCDCapDefs','$DispSCDCapCases','$DispSCDNonCapDefs','$DispSCDNonCapCases','$DispCTOCapDefs','$DispCTOCapCases','$DispCTONonCapDefs','$DispCTONonCapCases','$OldCapDefs','$OldCapCases','$OldNonCapDefs','$OldNonCapCases');") or die(mysql_error());
try it
BTW, you're probably missing a lot of variables
try to add
or die(mysql_error());
just after query
it will give you answer/error/tell you what's wrong.
Please read the PHP.net page. The function mysql_query() does not return true/false. It only returns false when there was an error. Your code should look like this:
if ($result === false) {
//error
}
else {
//success
}
That way you only see the error when it REALLY REALLY returns false.
EDIT: Also, I never include ; in the actual query in your PHP code when you have one query. That is a query delimiter and is only needed in command prompt or when you are executing two queries in the same mysql_query() instance.

PHP mySql update works fine on localhost but not when live

I have a PHP page which updates a MySQL database; it works fine on my Mac (localhost using MAMP).
I checked whether it's the connection, but it appears that there is a connection.
<?php require_once('connection.php'); ?>
<?php
$id = $_GET['id'];
$collumn = $_GET['collumn'];
$val = $_GET['val'];
// checking if there is a connection
if(!$connection){
echo "connectioned failed";
}
?>
<?php
$sqlUpdate = 'UPDATE plProducts.allPens SET '. "{$collumn}".' = '."'{$val}'".' WHERE allPens.prodId = '."'{$id}'".' LIMIT 1';
mysql_query($sqlUpdate);
// testing for errors
if ($sqlUpdate === false) {
// Checked this and echos NO errors.
echo "Query failed: " . mysql_error();
}
if (mysql_affected_rows() == 1) {
echo "updated";
} else {
echo "failed";
}?>
In the URL I pass in parameters and it looks like this: http://pathToSite.com/updateDB.php?id=17&collumn=prodid&val=4
Maybe this has to do with the hosting? Isn't this simple PHP MySQL database updating? What can be wrong here?
Why on localhost it does work?
Why on live server it doesn't?
Let's start with troubleshooting your exact problem. Your query is failing for some reason. We can find out what that problem is by checking what comes back from mysql_query, and if it's boolean false, asking mysql_error what went wrong:
$sh = mysql_query($sqlUpdate);
if($sh === false) {
echo "Query failed: " . mysql_error();
exit;
}
You have other problems here. The largest is that your code suffers from an SQL Injection vulnerability. Let's say your script is called foo.php. If I request:
foo.php?collumn=prodId = NULL --
then your SQL will come out looking like:
UPDATE plProducts.allPens SET prodId = NULL -- = "" WHERE allPens.prodId = "" LIMIT 1
-- is an SQL comment.
I just managed to nuke all of the product IDs in your table.
The most effective way to stop SQL injection is to use prepared statements and placeholders. The "mysql" extension in PHP doesn't support them, so you'd also need to switch to either the much better mysqli extension, or the PDO extension.
Let's use a PDO prepared statement to make your query safe.
// Placeholders only work for *data*. We'll need to validate
// the column name another way. A list of columns that can be
// updated is very safe.
$safe_columns = array('a', 'b', 'c', 'd');
if(!in_array($collumn, $safe_columns))
    die("Invalid column");
// Those question marks are the placeholders.
$sqlUpdate = "UPDATE plProducts.allPens SET $collumn = ? WHERE allPens.prodId = ? LIMIT 1";
$sh = $db->prepare($sqlUpdate);
// The entries in the array you pass to execute() are substituted
// into the query, replacing the placeholders.
$success = $sh->execute(array( $val, $id ));
// If PDO is configured to use warnings instead of exceptions, this will work.
// Otherwise, you'll need to worry about handling the exception...
if(!$success)
    die("Oh no, it failed! MySQL says: " . join(' ', $sh->errorInfo()));
Most mysql functions return FALSE if they encounter an error. You should check for error conditions and if one occurs, output the error message. That will give you a better idea of where the problem occurred and what the nature of the problem is.
It's amazing how many programmers never check for error states, despite many examples in the PHP docs.
$link = mysql_connect(...);
if ($link === false) {
die(mysql_error());
}
$selected = mysql_select_db(...);
if ($selected === false) {
die(mysql_error());
}
$result = mysql_query(...);
if ($result === false) {
die(mysql_error());
}
Your call to mysql_query() is faulty; you're checking the contents of the variable you're passing in but the function call doesn't work that way. It returns a value which is what you should check. If the query failed, it returned false. If it returns data (like from a SELECT) it returns a resource handle. If it succeeds but doesn't return data (like from an INSERT) it returns true.
You also have some problems constructing your SQL. @Charles mentions SQL injection and suggests prepared statements. If you still want to construct a query string, then you need to use mysql_real_escape_string(). (But I would recommend you read up on the mysqli extension and use those functions instead.)
Secondly, you're concatenating strings with embedded substitution. This is silly. Do it this way instead:
$sqlUpdate = 'UPDATE plProducts.allPens SET '.$collumn.' = \''.$val.'\'
WHERE allPens.prodId = '.intval($id).' LIMIT 1';
If you must accept it in the querystring, you should also check that $collumn is set to a valid value before you use it. And emit an error page if it's not. Likewise, check that $id will turn into a number (use is_numeric()). All this is called defensive programming.
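The column allowlist, id check and placeholders recommended in the answers above, put together as an added example that is not part of any of the original posts. It runs against an in-memory SQLite database, so the schema prefix and `LIMIT 1` are dropped; the `name`/`colour` columns, the `updatePen()` helper and the sample rows are assumptions.

```php
<?php
// Added example: constructed schema and data; requires the pdo_sqlite extension.
// SQLite has no schema prefix or UPDATE ... LIMIT here, so the statement is simplified.

const UPDATABLE_COLUMNS = ['name', 'colour'];   // hypothetical allowlist

function updatePen(PDO $db, string $column, string $val, string $id): int
{
    // Identifiers cannot be bound, so the column must match the allowlist exactly.
    if (!in_array($column, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Invalid column');
    }
    // Reject non-numeric ids before they reach the database.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('Invalid id');
    }
    // Only the vetted column name is interpolated; the data goes through placeholders.
    $sh = $db->prepare("UPDATE allPens SET $column = ? WHERE prodId = ?");
    $sh->execute([$val, (int) $id]);
    return $sh->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE allPens (prodId INTEGER PRIMARY KEY, name TEXT, colour TEXT)');
$db->exec("INSERT INTO allPens VALUES (17, 'Fineliner', 'blue'), (18, 'Marker', 'red')");

// Constructed requests: a normal update, a value containing quotes,
// and the column string quoted in the answer above.
$requests = [
    ['colour', 'black', '17'],
    ['name', "O'Brien's pen", '18'],
    ['prodId = NULL --', '', ''],
];
foreach ($requests as [$column, $val, $id]) {
    try {
        echo updatePen($db, $column, $val, $id), " row(s) updated\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// The rejected request never reached the database, so every id is intact.
$intact = $db->query('SELECT COUNT(*) FROM allPens WHERE prodId IS NOT NULL')->fetchColumn();
echo $intact, " product ids still present\n";
```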
