Closed 3 years ago as a duplicate of "How can I with mysqli make a query with LIKE and get all results?" and "What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such".
I'm attempting to use a SQL LIKE clause with mysqli prepared statements.
I have already tried other examples such as
$sysName = "{$_POST['ss']}%";
and
$sysName = $_POST['ss'] . '%';
if(isset($_POST['ss'])) {
    $sysName = $_POST['ss'] . '%';
    if(strlen($sysName) >0) {
        $qry = mysqli_stmt_prepare($link, "SELECT * FROM tblSchools WHERE systemName LIKE ?");
        mysqli_stmt_bind_param($qry,'s',$sysName);
        mysqli_stmt_execute($qry);
        $result = mysqli_stmt_get_result($qry);
    }
}
If $_POST['ss'] is populated with the word sys and there exists a systemName in tblSchools called 'system' then the result set should include the row information that pertains to the 'system' row. No matter what I put in there though the result always comes back null. My connection to the database is successful. I have tested with mysqli_query and just straight strings successfully, but when I switched to prepared statements on the LIKE clause it doesn't work. I've been beating my head against this problem for almost a full day now.
EDIT: In response to first answer
Still doesn't work
$stmt = mysqli_stmt_init($link);
$sysName = "sys%";
if(strlen($sysName) >0) {
    if(!mysqli_stmt_prepare($stmt, "SELECT * FROM tblSchools WHERE systemName LIKE ?")) {
        echo "1";
        exit;
    } else {
        if(mysqli_stmt_bind_param($stmt,'s',$sysName)) echo "2";
        if(mysqli_stmt_execute($stmt)) echo "3";
        $result = mysqli_stmt_fetch($stmt);
        $row = mysqli_fetch_array($result);
        var_dump($row);
        echo "Hey";
    }
}
Prints 2 and 3, not 1.
Try this:
$link = \mysqli_connect("127.0.0.1", "user", "password", "dbname");
if (!$link) {
    $error = \mysqli_connect_error();
    $errno = \mysqli_connect_errno();
    print "$errno: $error\n";
    exit();
}
$query = "SELECT * FROM tblSchools WHERE systemName LIKE ?";
$stmt = \mysqli_stmt_init($link);
if (!\mysqli_stmt_prepare($stmt, $query)) {
    print "Failed to prepare statement\n";
    exit;
} else {
    $sysName = 'sys%';
    \mysqli_stmt_bind_param($stmt, "s", $sysName);
    \mysqli_stmt_execute($stmt);
    $result = \mysqli_stmt_get_result($stmt);
    $row = \mysqli_fetch_array($result);
    var_dump($row);
}
It works for me.
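The answer above binds the whole pattern (`sys%`) as a value, which is the right shape: the wildcard belongs in the bound string, not in the SQL text. What it leaves open is that a user who types `%` or `_` into the search box gets to add their own wildcards. The following is an added example, not code from the question or the answer; it assumes the tblSchools table and systemName column from the question, and the host and credentials are placeholders. It escapes the user's wildcards with an explicit ESCAPE character before appending the one wildcard the application intends, and switches mysqli to exception mode so a failed prepare() cannot look like an empty result.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer. Assumes the
// tblSchools table with a systemName column from the question; the host and
// credentials are placeholders.

// Turn a raw search term into a "starts with" pattern. '!' is declared as the
// LIKE escape character in the SQL below, so it is escaped first, then the two
// wildcards. A user who types "50%" matches names beginning with the literal
// characters 5, 0, % instead of every name beginning with 50.
function likePrefixPattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return $escaped . '%';
}

function findSchoolsByPrefix(mysqli $link, string $term): array
{
    // The wildcard lives in the bound value, never in the SQL text; the SQL text
    // holds only the placeholder, so quotes or wildcards in $term cannot alter it.
    $sql  = "SELECT * FROM tblSchools WHERE systemName LIKE ? ESCAPE '!'";
    $stmt = $link->prepare($sql);
    $pattern = likePrefixPattern($term);   // bind_param needs a variable, not an expression
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() requires mysqlnd
    $stmt->close();
    return $rows;
}

// Turn silent false returns into mysqli_sql_exception so a failed prepare()
// cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli('127.0.0.1', 'user', 'password', 'dbname');
$link->set_charset('utf8mb4');

$term = (string)($_POST['ss'] ?? '');
if ($term !== '') {
    foreach (findSchoolsByPrefix($link, $term) as $row) {
        echo htmlspecialchars($row['systemName'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

A bound LIKE pattern stops SQL injection on its own; the escaping step is about search semantics and cost (an attacker-supplied `%` turns a cheap prefix match into a full scan), which is why `!` is chosen as the escape character rather than relying on MySQL's default backslash, whose handling depends on the server's SQL mode.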
Closed 5 years ago as a duplicate of "Can I parameterize the table name in a prepared statement?".
I am trying to prepare a statement for SQL (mysqli) in PHP, but there is an error, as written above. This is the code I wrote:
if (!$this->isUserExist($username, $token)) {return false;}
$tables = array();
$tables[0] = "faculty";
$tables[1] = "department";
$tables[2] = "teacher";
$tables[3] = "announcement";
$ttable = $tables[$table];
var_dump($ttable); // faculty
var_dump($id); // 6
echo "DELETE FROM ".$ttable." WHERE ".$ttable.".id = ".$id.""; //returns DELETE FROM faculty WHERE faculty.id = 6
$stmt = $this->con->prepare("DELETE FROM ? WHERE ?.id = ?"); //Fatal error occurs here
$stmt->bind_param("sss",$ttable,$ttable,$id);
//$stmt->execute();
if ($stmt->num_rows> 0) {
    return "true";
} else {
    return "false";
}
However, if I insert the exact statement without any placeholders, as shown in the echo, I get no errors and the MySQL database successfully deletes the row.
$stmt = $this->con->prepare("DELETE FROM faculty WHERE faculty.id = 6"); //no errors occur, executing this statement does affect row in MySQL database
The system doesn't allow you to 'prepare' table names. You should do it this way:
$stmt = $this->con->prepare("DELETE FROM ".$ttable." WHERE ".$ttable.".id = ?"); // only the value is a placeholder
$stmt->bind_param("s",$id);
Please read this: http://us3.php.net/manual/en/book.pdo.php#69304
Table and Column names cannot be replaced by parameters in PDO.
Do something like this:
$query = "DELETE FROM ".$ttable." WHERE ".$ttable.".id = ?";
$stmt = $this->con->prepare($query);
$stmt->bind_param("s",$id);
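Both answers are right that placeholders are for values only; a table or column name has to be part of the SQL text. The array in the question already does the important thing (the request picks an index into a fixed list, so the request can never supply the table name itself), but the answers still splice `$ttable` in unquoted and the original checks `num_rows`, which says nothing about a DELETE. The following is an added example, not code from the question or either answer. It assumes the four tables named in the question each have an integer `id` column, and the host and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes the four tables named in
// the question each have an integer primary key column `id`.

const DELETABLE_TABLES = ['faculty', 'department', 'teacher', 'announcement'];

// Quote an identifier the MySQL way: backticks, with any embedded backtick doubled.
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Delete one row by id. Only values can be bound, so the table name is checked
// against a fixed allowlist before it is spliced into the SQL text; the id is bound.
function deleteRowById(mysqli $con, string $table, int $id): int
{
    if (!in_array($table, DELETABLE_TABLES, true)) {   // strict compare: no loose "0" == "faculty" surprises
        throw new InvalidArgumentException('table not deletable: ' . $table);
    }
    $t = quoteIdent($table);
    $stmt = $con->prepare("DELETE FROM $t WHERE $t.`id` = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;   // num_rows is only meaningful for a SELECT
    $stmt->close();
    return $affected;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('127.0.0.1', 'user', 'password', 'dbname');

// Validate at the edge: the request supplies an index into the allowlist and a numeric id.
// Field names 'table' and 'id' are assumptions for this example.
$index = filter_var($_POST['table'] ?? null, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => count(DELETABLE_TABLES) - 1]]);
$id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($index === false || $id === false) {
    http_response_code(400);
    exit('bad request');
}
$deleted = deleteRowById($con, DELETABLE_TABLES[$index], $id);
echo $deleted === 1 ? 'true' : 'false';
```

The allowlist is the security control; the backtick quoting is defence in depth (it also keeps a reserved word such as `key` from breaking the statement, which is the subject of the next question). Keep the list of deletable tables in code, never derived from the request, and keep the authorisation check (`isUserExist` in the question) ahead of the delete.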
Closed 2 years ago as a duplicate of "How do I escape reserved words used as column names? MySQL/Create Table".
I am making a prepared statement in PHP and my code is fine until I add in 'id' and 'key' to my parameters. They are definitely in the table that I am requesting too. What is wrong? Thanks in advance!
ERROR: Call to a member function bind_param() on boolean
if($_POST['userx']){
    echo '<div id="div2"><div id="font2">Dashboard</div>';
    $queryA = "SELECT name,profo,password,id,key FROM collegestudents WHERE email = ?";
    $stmt = $connection->prepare($queryA);
    $stmt->bind_param('s',$_POST['userx']);
    $stmt->bind_result($name1,$profo,$password1,$key,$id);
    $stmt->execute();
    $stmt->fetch();
    $stmt->close();
} // rest of the block omitted in the question
`key` is a reserved keyword in MySQL.
It's a good habit to enclose field names and table names in backticks in queries, and also to check for errors.
$queryA = "SELECT `name`,`profo`,`password`,`id`,`key` FROM `collegestudents` WHERE `email` = ?";
$stmt = $connection->prepare($queryA);
if ($stmt) {
    $stmt->bind_param('s',$_POST['userx']);
    ...
}
else {
    echo "MySQL ERROR: " . $connection->error;
}
$stmt = $connection->prepare($queryA);
returns boolean(false).
Make sure your query is correct. You can do a simple check like this:
$stmt = $connection->prepare($queryA);
if (!$stmt) {
    echo "failed to run";
} else {
    $stmt->bind_param('s',$_POST['userx']);
    $stmt->bind_result($name1,$profo,$password1,$key,$id);
    $stmt->execute();
    $stmt->fetch();
}
Edit:
If you are using PDO, you were doing it wrong; it should be like this:
$stmt = $conn->prepare("SELECT name,profo,password,id,`key` FROM collegestudents WHERE email = :email");
$stmt->bindParam(':email', $email);
Change your database connection file to:
<?php $con = new PDO('mysql:host=127.0.0.1;dbname=yourdatabasename;','username',''); ?>
Then change the lines below
$queryA = "SELECT name,profo,password,id,key FROM collegestudents WHERE email = ?";
$stmt = $connection->prepare($queryA);
$stmt->bind_param('s',$_POST['userx']);
$stmt->bind_result($name1,$profo,$password1,$key,$id);
$stmt->execute();
to
$queryA = "SELECT name,profo,password,id,`key` FROM collegestudents WHERE email = :v";
$stmt = $connection->prepare($queryA);
$stmt->execute( array('v' => $_POST['userx']) );
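The fatal error in this question is the generic symptom of an unchecked prepare(): the reserved word made the server reject the statement, mysqli returned false, and the script only noticed when it called a method on that boolean. The answers show the manual `if (!$stmt)` check; the following is an added example, not code from the question or the answers, that uses mysqli's report mode instead, so every failed prepare or execute throws a mysqli_sql_exception carrying the server's message. It assumes the collegestudents table and columns from the question, with `key` quoted; the host and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes the collegestudents table
// and columns from the question; `key` is quoted because it is a reserved word.

// Without report mode, prepare() returns false on a syntax error and the fatal
// "bind_param() on boolean" follows. With it, the false becomes an exception
// that carries the server's error text, so the real cause is never hidden.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function loadStudentByEmail(mysqli $connection, string $email): ?array
{
    $sql = 'SELECT `name`, `profo`, `password`, `id`, `key` FROM `collegestudents` WHERE `email` = ?';
    $stmt = $connection->prepare($sql);   // throws mysqli_sql_exception on a bad statement
    $stmt->bind_param('s', $email);
    $stmt->execute();
    // Rows keyed by column name: unlike bind_result(), the order of the SELECT
    // list cannot silently end up in the wrong variable.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$connection = new mysqli('127.0.0.1', 'user', 'password', 'dbname');
$connection->set_charset('utf8mb4');

try {
    $student = loadStudentByEmail($connection, (string)($_POST['userx'] ?? ''));
} catch (mysqli_sql_exception $e) {
    // Log the server's message (it names the offending token when an identifier
    // is left unquoted); show the user something generic.
    error_log('query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('database error');
}

if ($student === null) {
    exit('no such student');
}
echo 'Dashboard for ', htmlspecialchars($student['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

Note that the question's bind_result() call lists `$key` before `$id` while the SELECT lists `id` before `key`; fetching by column name, as above, removes that class of mistake as well as the reserved-word one.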
Closed 1 year ago as a duplicate of "SELECT statement with fetch_array in mysqli prepared statements".
How do I get mysqli_fetch_array with prepared statements? I tried fetch_assoc() but I always get an error telling me that fetch_assoc() is not defined. How do I make it work?
$query = "SELECT * FROM users WHERE
          username = ? AND
          pass = ? LIMIT 1";
$stmt = $_SESSION['connessione']->prepare($query);
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->store_result();
if($stmt->num_rows == 1){
    $row = $stmt->fetch_assoc();
    // originally it was like this $row = mysqli_fetch_array($result);
    // where $result was the query result
    $this->login_iduser = $row['id'];
    $this->login_profile_pic = $row['pic'];
    $this->login_privileges = $row['admin'];
    return TRUE;
}
return FALSE;
As you can see above, I need to get the $row array.
You'll have to have MySQLND installed to do this. mysqli prepared statements don't return a mysqli_result object natively. You'll need to use get_result:
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows == 1){
    $row = $result->fetch_assoc();
    // ... use $row as before
}
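The answer is correct that get_result() is a mysqlnd feature; on a build without it the method simply does not exist. The following is an added example, not code from the question or the answer, showing the portable route: read the statement's column metadata, bind one variable per column with bind_result(), and copy each fetched row into an ordinary associative array. It assumes the users table and the question's query as given (including its comparison of the password inside SQL); the host and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Builds associative rows from a
// prepared statement using only bind_result()/fetch(), so it works on PHP
// builds without mysqlnd where get_result() is undefined. Assumes the users
// table from the question.

function stmtFetchAllAssoc(mysqli_stmt $stmt): array
{
    $meta = $stmt->result_metadata();
    if ($meta === false) {
        return [];                       // statement produced no result set (e.g. an UPDATE)
    }
    $row  = [];
    $refs = [];
    while ($field = $meta->fetch_field()) {
        $row[$field->name] = null;
        $refs[] = &$row[$field->name];   // bind_result() wants one reference per column
    }
    $meta->free();
    $stmt->bind_result(...$refs);        // argument unpacking passes the references through

    $rows = [];
    while ($stmt->fetch()) {
        $copy = [];
        foreach ($row as $name => $value) {
            $copy[$name] = $value;       // detach from the bound references before storing
        }
        $rows[] = $copy;
    }
    return $rows;
}

function findUser(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND pass = ? LIMIT 1');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $rows = stmtFetchAllAssoc($stmt);
    $stmt->close();
    return $rows[0] ?? null;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'user', 'password', 'dbname');

$user = findUser($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
if ($user !== null) {
    echo 'logged in as user id ', (int)$user['id'], "\n";
}
```

The copy inside the fetch loop matters: the elements of `$row` are references that bind_result() keeps overwriting, so appending `$row` itself would leave every stored row pointing at the last fetched values. The query compares the password in SQL because that is what the question does; storing a password_hash() value and checking it with password_verify() in PHP is the usual alternative.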
Closed 7 years ago as a duplicate of "How can I prevent SQL injection in PHP?".
I'm new to prepared statements so I apologise in advance if this is a basic question but how would I turn the following code into a prepared statement and execute it later on?
<?php
$myQuery = "SELECT * FROM test WHERE ID=" . $_GET['ID'];
//run query
$result = $con->query($myQuery);
if (!$result) die('Query error: ' . mysqli_error($con));
?>
Take a look at http://www.w3schools.com/php/php_mysql_prepared_statements.asp, http://php.net/manual/en/mysqli.quickstart.prepared-statements.php (mysqli lib), or http://php.net/manual/en/pdo.prepared-statements.php (PDO lib).
Ex:
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Prepare statement
$stmt = $conn->prepare("SELECT * FROM test WHERE ID=?");
// set parameters
$stmt->bind_param("i", $_GET['ID']);
// execute
$stmt->execute();
// close resources
$stmt->close();
$conn->close();
To do the call you could use something like:
$sCompanyCode = 'fkjahj12321';
$con = new PDO("connection string");
$sql = "SELECT CompanyID From Companies WHERE CompanyCode = :CompanyCode";
$st = $con->prepare( $sql );   // prepare(), not query(): query() runs the SQL immediately and has nothing to bind
$st->bindValue(":CompanyCode", $sCompanyCode, PDO::PARAM_STR);
$st->execute();
To retrieve the first or a single result:
if($row = $st->fetch()){
return (int)$row[0];
}
For multiple results:
$aResults = array();
while ($row = $st->fetch()){
$aResults[] = $row;
}
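The question's query concatenates `$_GET['ID']` straight into the SQL, so the request controls the statement. The answers show the parameterised form in mysqli and PDO; the following is an added example, not code from the question or the answers, that puts the vulnerable version next to the fixed one, binds the id as an integer, validates the type at the edge, and turns off PDO's emulated prepares so the placeholder is a real server-side parameter. It assumes the test table with an integer ID column from the question; the host and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes table `test` with an
// integer column `ID`; host and credentials are placeholders.

// VULNERABLE: the original shape. The raw request value is part of the SQL text,
// so ?ID=1 OR 1=1 returns every row and ?ID=1 UNION SELECT ... reads other tables.
function findByIdUnsafe(mysqli $con, string $rawId)
{
    return $con->query('SELECT * FROM test WHERE ID=' . $rawId);
}

// FIXED with mysqli: the SQL text is constant, the value travels separately.
function findByIdSafe(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare('SELECT * FROM test WHERE ID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// FIXED with PDO: bindValue() with an explicit type; see the connection options
// below for why the placeholder is not rewritten client-side.
function findByIdPdo(PDO $pdo, int $id): ?array
{
    $st = $pdo->prepare('SELECT * FROM test WHERE ID = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('127.0.0.1', 'user', 'password', 'dbname');
$pdo = new PDO('mysql:host=127.0.0.1;dbname=dbname;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,   // failures throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                    // real server-side prepared statements
]);

// Validate the type at the edge: a non-numeric ID is a bad request, not a query to run.
$id = filter_var($_GET['ID'] ?? null, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('ID must be an integer');
}
var_dump(findByIdSafe($con, $id));
var_dump(findByIdPdo($pdo, $id));
```

The integer validation is not what stops injection (the placeholder does that); it gives the caller a clean 400 for garbage input instead of a query that can never match, and it is what lets the functions take `int` rather than a string.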
Closed 7 years ago as a duplicate of "How can I prevent SQL injection in PHP?".
I am making a login form and I am quite confused with how to use bind parameters to select data.
My current code looks like this:
$stmt = $mysqli_conn->query('SELECT * FROM user WHERE email = ? AND password = ?');
$stmt->bind_param('ss', $emailclean, $passwordclean);
$stmt->execute();
$result = $stmt->get_result();
if ($row = $result->fetch_assoc()) {
    $finalmessager['success'] = 'You are logged in';
    $_SESSION['finalmessagelog']= $finalmessager;
    $_SESSION['authenticateduser']= $emailclean;
    header('location:../index.php');
    unset($_SESSION['logErrors']);
}
I don't understand why this isn't working.
I'll leave you a little example:
<?php
$query = "SELECT * FROM user WHERE email = ? AND password = ?";
$stmt = $this->db->prepare($query);
$stmt->bind_param("ss", $emailclean, $passwordclean); //both are strings
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($column1, $column2); //you have to assign every column
while($stmt->fetch())
{
    if($column1 == 1){ //first column is id? just guessing
        echo "its the id 1 yeah!";
    }
    echo "col1: $column1, col2: $column2 \n";
}
$stmt->close();
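The question's immediate problem is `query()` where `prepare()` is needed (query() executes at once and returns a result, which has no bind_param()). The answer's bind_result() loop is the other fix. Beyond that, a login that compares the password inside the WHERE clause only works if the table stores passwords in clear. The following is an added example, not code from the question or the answer: it looks the user up by email only and checks the password in PHP against a stored hash. It assumes the user table from the question with an extra `password_hash` column holding password_hash() output, assumes `../login.php` as the failure redirect, and the host and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes the `user` table from the
// question plus a `password_hash` column holding password_hash() output; the
// `../login.php` target and the credentials are placeholders.

function authenticate(mysqli $db, string $email, string $password): ?array
{
    // Look the user up by email only; the secret never becomes part of the query.
    $stmt = $db->prepare('SELECT id, email, password_hash FROM user WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // null when no row matches
    $stmt->close();

    // Verify against a freshly computed hash when the account does not exist,
    // so response time does not reveal which emails are registered.
    $hash = $user['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        return null;
    }
    return $user;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();
$db = new mysqli('127.0.0.1', 'user', 'password', 'dbname');
$db->set_charset('utf8mb4');

$user = authenticate($db, (string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
if ($user === null) {
    $_SESSION['logErrors'] = ['Invalid email or password'];   // one message for both cases
    header('Location: ../login.php');
    exit;
}
session_regenerate_id(true);                 // fresh session id once the user is authenticated
$_SESSION['authenticateduser'] = $user['email'];
$_SESSION['finalmessagelog'] = ['success' => 'You are logged in'];
unset($_SESSION['logErrors']);
header('Location: ../index.php');
exit;                                        // header() does not stop the script; exit does
```

Two details carry over to the question's code even without the hashing change: call exit after the redirect header, otherwise the rest of the page still runs for an unauthenticated request, and regenerate the session id on login so a session fixed before authentication is not upgraded.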