mysqli prepared statements - do you still need to escape data? - php

I am a bit confused about MySQLi prepared statements. If you use prepared statements, is the data automatically escaped, or do you still have to do that?
I have attached some code below. Based on this example, is the data automatically escaped, or do I have to do that as well?
include("configi.php");
// The SQL text contains only ? placeholders; the values are sent separately at execute() time.
$stmt = $conn->prepare("INSERT INTO phx_userid (comp_name, email, password, user_sec_level, user_status, username, contact_name, comp_type, comp_system_option) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
// bind_param() binds by reference, so the variables may be assigned after this call;
// $email_address is bound twice (email and username), which is fine.
$stmt->bind_param("sssiissss", $comp_name, $email_address, $password, $user_sec_level, $user_status, $email_address, $contact_name, $comp_type, $comp_system_option);
// set parameters and execute
$comp_name = $comp_name;           // no-op: the variable already holds its value
$email_address = $email_address;   // no-op
$password = password_hash($password, PASSWORD_DEFAULT);
$user_sec_level = 600;
$user_status = 0;
$contact_name = $first_name . " " . $last_name;
$comp_type = "fintrack";
$comp_system_option = "standard";
$stmt->execute();
No errors - I just want to check if I am doing this right.
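Added example (not the asker's code, and not an answer from the thread): the same kind of INSERT written so that the values are only ever bound, never escaped by hand, plus a helper that shows what escaping before binding would produce. The connection details, the presence of an auto-increment `id` column on `phx_userid`, and the use of `get_result()` (which needs the mysqlnd driver) are assumptions of the example.

```php
<?php
// Added example: prepared INSERT with mysqli, values bound and never escaped.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Assumed credentials; normally these come from the config include.
    return new mysqli('localhost', 'app_user', 'app_password', 'app_db');
}

/**
 * Insert a user row and return its generated id (assumes an auto-increment `id`).
 * The password hash is computed into a local variable first, because
 * bind_param() takes its arguments by reference and a function-call result
 * is not a variable.
 */
function insertUser(mysqli $conn, string $compName, string $email, string $plainPassword, string $contactName): int
{
    $sql = 'INSERT INTO phx_userid (comp_name, email, password, user_sec_level, user_status,'
         . ' username, contact_name, comp_type, comp_system_option)'
         . ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';

    $passwordHash  = password_hash($plainPassword, PASSWORD_DEFAULT);
    $userSecLevel  = 600;
    $userStatus    = 0;
    $compType      = 'fintrack';
    $compSystemOpt = 'standard';

    $stmt = $conn->prepare($sql);
    // One type character per placeholder: s = string, i = integer.
    // $email is bound twice (email and username); each reference is read at execute().
    $stmt->bind_param('sssiissss', $compName, $email, $passwordHash, $userSecLevel, $userStatus,
                      $email, $contactName, $compType, $compSystemOpt);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/** Read a company name back by id so the stored value can be compared with the input. */
function fetchCompName(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT comp_name FROM phx_userid WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['comp_name'] ?? null;
}

/**
 * The mistake the question is about: escaping a value that is then bound.
 * real_escape_string() turns O'Brien into O\'Brien; binding sends that string
 * as the literal value, so the backslash would be stored in the row.
 */
function escapedThenBound(mysqli $conn, string $value): string
{
    return $conn->real_escape_string($value);
}

$conn  = connect();
$input = "O'Brien & Sons";   // constructed input containing a quote
$newId = insertUser($conn, $input, 'jo@example.com', 'correct horse battery staple', 'Jo OBrien');
// The bound value round-trips unchanged: quote, ampersand and all.
var_dump(fetchCompName($conn, $newId) === $input);
// This is the string that would have been stored had the value been escaped first.
var_dump(escapedThenBound($conn, $input));
$conn->close();
```

The point to take from the round trip: with a placeholder, the driver sends the value out of band from the SQL text, so the quote in `O'Brien` needs no treatment and cannot terminate the string literal. Escaping on top of that is not "extra safety"; it corrupts the data.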

Related

Number of variables doesn't match number of parameters in prepared statement in

I'm writing PHP code to send user input to the database, and http://fwtest.ga/register.php is my URL. Every time I click the URL or check the JSON data on the JSONLint website I get "mysqli_stmt_bind_param(): Number of variables doesn't match number of parameters in prepared statement". Here is my code:
<?php
$con = mysqli_connect("hostname", "username", "password", "dbname");
$first_name = $_POST["first_name"];
$last_name = $_POST["last_name"];
$email = $_POST["email"];
$password = $_POST["password"];
$user_id = $_POST["user_id"];
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
('$first_name', '$last_name', '$email', '$password')");
mysqli_stmt_bind_param($statement, 'ssss', $first_name, $last_name, $email, $password);
mysqli_stmt_execute($statement);
$response = array();
$response["success"] = true;
echo json_encode($response);
?>
You are injecting the params and preparing the query at the same time. Use ? to tell MySQL where to place the data, and remove the variables from the SQL string:
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
(?, ?, ?, ?)");
I declared the five variables after $con, and used only four of them in the mysqli_prepare function. Now it's working.

Something with variables and parameters (Prepared statement)

I encountered a problem while making a prepared statement using php and mysql. For some reason my variables aren't right.
Note: - $mysqli = $conn
$stmt = $mysqli->prepare("INSERT INTO `inschrijving` (`id`, `bezoeker_naam`, `bezoeker_voornaam`, `bezoeker_email`, `bezoeker_straat`, `bezoeker_huisnummer`, `bezoeker_postnummer`, `bezoeker_plaats`) VALUES (NULL, '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}', '{$mysqli->real_escape_string('?')}');");}
$stmt->bind_param("sssssss", $naam, $voornaam, $email, $straat, $huisnummer, $postcode, $plaats);
$naam = $_POST['naam'];
$voornaam = $_POST['voornaam'];
$email = $_POST['email'];
$straat = $_POST['straat'];
$huisnummer = $_POST['nummer'];
$postcode = $_POST['postcode'];
$plaats = $_POST['plaats'];
$stmt->execute();
The error I got was this:
mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
I am new doing prepared statements and I need someone to point my faults out on this. It will really help me get to know more about prepared statements. :)
When working with prepared statements you shouldn't escape the bound variables:
$stmt = $mysqli->prepare("INSERT INTO `inschrijving` (`id`, `bezoeker_naam`, `bezoeker_voornaam`, `bezoeker_email`, `bezoeker_straat`, `bezoeker_huisnummer`, `bezoeker_postnummer`, `bezoeker_plaats`) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)");
I would declare your POST variables above the prepare portion like so and remove the $mysqli->real_escape_string() from the statement:
$naam = $_POST['naam'];
$voornaam = $_POST['voornaam'];
$email = $_POST['email'];
$straat = $_POST['straat'];
$huisnummer = $_POST['nummer'];
$postcode = $_POST['postcode'];
$plaats = $_POST['plaats'];
$stmt = $mysqli->prepare("INSERT INTO `inschrijving` (`id`, `bezoeker_naam`, `bezoeker_voornaam`, `bezoeker_email`, `bezoeker_straat`, `bezoeker_huisnummer`, `bezoeker_postnummer`, `bezoeker_plaats`) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssssss", $naam, $voornaam, $email, $straat, $huisnummer, $postcode, $plaats);
$stmt->execute();
You can put the $mysqli->real_escape_string() around the POST variables instead. For example:
$naam = $mysqli->real_escape_string($_POST['naam']);
Lastly, make sure that all the variables are strings and don't forget to close the $stmt.
$stmt->close();

What to put in a MySQL auto-increment primary key field when inserting a row?

I'm new to PHP and I'm having a little trouble setting up my code to auto increment IDs for SQL. I'm aware that the method that I am attempting isn't a very good approach and know about the risks of race conditions etc. This will be temporary until I sort the rest of my code out properly.
Could somebody please tell me what I am doing wrong here? Or help me to get valid code?
My Class:
<?php
$user = 'root';
$pass = '';
$db = 'testuser';
$con=mysqli_connect('localhost', $user, $pass, $db) or die('Unable to connect');
$data = json_decode(trim(key($_POST), '[]'), true);
$email = $data['email'];
$name = $data['name'];
$shortDes = $data['shortDes'];
$longDes = $data['longDes'];
$max = mysqli_prepare($con, 'SELECT MAX(society_id) FROM society'); // returns a mysqli_stmt object, not the MAX value
$society_id = $max + 1;
$statement = mysqli_prepare($con, 'INSERT INTO society(society_id, name, email, short_des, long_des) VALUES (?, ?, ?, ?, ?)');
mysqli_stmt_bind_param($statement, 'issss', $societyId, $name, $email, $shortDes, $longDes);
mysqli_stmt_execute($statement);
mysqli_stmt_store_result($statement);
mysqli_stmt_close($statement);
mysqli_close($con);
?>
Focusing on the following snippet:
$max = mysqli_prepare($con, 'SELECT MAX(society_id) FROM society');
$society_id = $max + 1;
$statement = mysqli_prepare($con, 'INSERT INTO society(society_id, name, email, short_des, long_des) VALUES (?, ?, ?, ?, ?)');
mysqli_stmt_bind_param($statement, 'issss', $societyId, $name, $email, $shortDes, $longDes);
Just needed to remove the value for the auto incremented field altogether.
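Added example (not the asker's or the answerer's code): the INSERT with the auto-increment column left out entirely, the generated key read back with `insert_id`, and, for contrast, what the `SELECT MAX(...) + 1` idea requires before it even yields a number. The `CREATE TABLE` and the JSON input are constructed for the example; the connection values are placeholders.

```php
<?php
// Added example: let MySQL assign the auto-increment key, then read it with insert_id.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli('localhost', 'db_user', 'db_password', 'testuser');   // assumed credentials

// Assumed schema: society_id is AUTO_INCREMENT, so it is never supplied on INSERT.
$con->query('CREATE TABLE IF NOT EXISTS society (
    society_id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    name       VARCHAR(100) NOT NULL,
    email      VARCHAR(255) NOT NULL,
    short_des  VARCHAR(255) NOT NULL,
    long_des   TEXT NOT NULL
)');

/** Insert one society and return the key MySQL generated for it. */
function insertSociety(mysqli $con, string $name, string $email, string $shortDes, string $longDes): int
{
    $stmt = $con->prepare(
        'INSERT INTO society (name, email, short_des, long_des) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $shortDes, $longDes);
    $stmt->execute();
    $id = (int) $con->insert_id;   // tracked per connection, so concurrent inserts do not collide
    $stmt->close();
    return $id;
}

/**
 * For comparison only: the MAX()+1 approach done in a way that actually runs.
 * A prepared SELECT has to be executed and its result bound before there is a
 * value; mysqli_prepare() alone returns a statement object. Even then two
 * requests can read the same MAX and try to insert the same id.
 */
function nextIdByMax(mysqli $con): int
{
    $stmt = $con->prepare('SELECT COALESCE(MAX(society_id), 0) FROM society');
    $stmt->execute();
    $stmt->bind_result($max);
    $stmt->fetch();
    $stmt->close();
    return (int) $max + 1;
}

// Constructed request body standing in for the JSON the form posts.
$data = json_decode(
    '{"email":"chess@example.com","name":"Chess Club","shortDes":"Weekly games","longDes":"All levels welcome"}',
    true
);
$newId = insertSociety($con, $data['name'], $data['email'], $data['shortDes'], $data['longDes']);
echo "inserted society_id=$newId\n";
echo "MAX()+1 would now suggest ", nextIdByMax($con), " for the next row\n";
$con->close();
```

`insert_id` is the value to use when the new key is needed after the INSERT (for a redirect, a confirmation page, a child row): it is scoped to the connection that ran the INSERT, which is exactly what the `MAX()+1` query cannot guarantee.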

How to fix stmt prepare and bind

I am having trouble using this prepare and bind. I have tried the same thing with less variables to bind. I have been successful using prepare with just Fname, Lname, Password, $UserID and using sssi with the bind_param object. Can someone explain what I am doing wrong when using more variables in my bind code? With the code below it only prints out the same data from mysqli and doesn't update it.
if ($stmt = $con->prepare("UPDATE users SET Fname = ?, Lname = ?, Password = ?, UserLevel = ?, Email = ?, WHERE UserID= ?"))
{
$stmt->bind_param("ssssssi", $firstname, $lastname, $PW, $UserLevel, $EM, $UserID);
$stmt->execute();
$stmt->close();
}
// show an error message if the query has an error
else
{
echo "ERROR: could not prepare SQL statement.";
}
// redirect the user once the form is updated
header("Location: admin.php");
Although you haven't specified the data types which makes this tricky, I'll hazard a guess.
Fname = s
Lname = s
Password = s
UserLevel = i (?)
Email = s
I count 4 s's there, yet you have 6.
Try this,
$stmt->bind_param("sssisi", $firstname, $lastname, $PW, $UserLevel, $EM, $UserID);
Edit 1
As #Fred-ii- said, your SQL query is wrong.
Change
"UPDATE users SET Fname = ?, Lname = ?, Password = ?, UserLevel = ?, Email = ?, WHERE UserID= ?"
to,
"UPDATE users SET Fname = ?, Lname = ?, Password = ?, UserLevel = ?, Email = ? WHERE UserID= ?"
You had a trailing comma.
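Added example, written for this answer and for the two "Number of variables doesn't match number of parameters" questions above (the interpolated INSERT and the quoted-'?' INSERT); it is not code from any of the posters. It is a small guard that counts the real `?` placeholders in the SQL and compares that with the type-string length and the number of variables before `bind_param()` is ever called, so the mismatch is reported together with the SQL instead of as the generic mysqli error. The `prepareAndBind()` helper and its argument-unpacking style are the example's own choices.

```php
<?php
// Added example: check placeholder count, type string and variable count agree.
declare(strict_types=1);

/**
 * Count '?' placeholders that are outside quoted literals. A '?' inside quotes
 * is data, not a placeholder, which is why VALUES ('?', '?') binds 0 parameters.
 */
function countPlaceholders(string $sql): int
{
    $count = 0;
    $quote = null;                 // quote character we are currently inside, or null
    $len   = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote === null) {
            if ($c === "'" || $c === '"' || $c === '`') {
                $quote = $c;
            } elseif ($c === '?') {
                $count++;
            }
        } elseif ($c === '\\') {
            $i++;                  // skip the escaped character inside the literal
        } elseif ($c === $quote) {
            $quote = null;
        }
    }
    return $count;
}

/**
 * Return a list of problems (empty list means consistent): the three numbers
 * that must agree, the allowed type characters, and a trailing comma before WHERE.
 */
function checkBinding(string $sql, string $types, int $argCount): array
{
    $problems     = [];
    $placeholders = countPlaceholders($sql);
    if (strlen($types) !== $placeholders) {
        $problems[] = sprintf('type string has %d chars but SQL has %d placeholders', strlen($types), $placeholders);
    }
    if ($argCount !== $placeholders) {
        $problems[] = sprintf('%d variables passed but SQL has %d placeholders', $argCount, $placeholders);
    }
    if (preg_match('/[^idsb]/', $types)) {
        $problems[] = 'type string may only contain i, d, s or b';
    }
    if (preg_match('/,\s*WHERE\b/i', $sql)) {
        $problems[] = 'trailing comma before WHERE';
    }
    return $problems;
}

/** Prepare and bind only when the counts line up; otherwise throw with the details. */
function prepareAndBind(mysqli $conn, string $sql, string $types, array &$vars): mysqli_stmt
{
    $problems = checkBinding($sql, $types, count($vars));
    if ($problems !== []) {
        throw new InvalidArgumentException("bad binding for [$sql]: " . implode('; ', $problems));
    }
    $stmt = $conn->prepare($sql);
    $stmt->bind_param($types, ...$vars);   // unpacking a variable array passes its elements by reference
    return $stmt;
}

// The UPDATE from the question in its posted and corrected forms (no database needed for the check).
$posted    = 'UPDATE users SET Fname = ?, Lname = ?, Password = ?, UserLevel = ?, Email = ?, WHERE UserID= ?';
$corrected = 'UPDATE users SET Fname = ?, Lname = ?, Password = ?, UserLevel = ?, Email = ? WHERE UserID= ?';
print_r(checkBinding($posted,    'ssssssi', 6));
print_r(checkBinding($corrected, 'sssisi',  6));
// The quoted-'?' INSERT from the other question: every '?' is inside a literal.
print_r(checkBinding("INSERT INTO t (a, b) VALUES ('?', '?')", 'ss', 2));
```

Run as shown, the first check lists both faults the answer found (seven type characters against six placeholders, and the comma before `WHERE`), the second returns an empty array, and the third reports two variables and two type characters against zero placeholders, which is the situation behind the `real_escape_string('?')` statement above.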

PHP SQL insert prepared statements doesn't insert properly

When executing the following code, no errors occur, but the data isn't put into the database!
$zero = 0;
$connection = new mysqli("localhost", "andrewle_me", "*****", "andrewle_velocity");
$stmt = $connection->prepare("INSERT INTO accounts Values(?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("issssssi", $zero, $_POST["username"], password_hash($_POST["password"], PASSWORD_DEFAULT), $_POST["Email"], $_POST["firstname"], $_POST["lastname"], $_POST["nationality"], $zero);
$stmt->execute();
$stmt->close();
$connection->close();
echo "Success";
Define your posts and password hash outside of the param binding. Set the fields in the table that your values are going to be entered into.
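Added example (not the asker's code) of what the answer recommends: the form values and the password hash are copied into variables before binding, because `bind_param()` takes references and cannot bind the result of `password_hash()` or any other expression; the INSERT names its columns so it no longer depends on the table's column order, and the auto-increment id is left out. The column names, the `verified` flag, the connection values and the form input are assumptions of the example; the `execute([...])` form requires PHP 8.1 or later.

```php
<?php
// Added example: bind variables (never expressions) and name the columns.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the form fields and return plain values, so the caller only ever
 * binds variables. $input stands in for $_POST so the function can be
 * exercised with constructed data.
 */
function accountFieldsFromInput(array $input): array
{
    foreach (['username', 'password', 'Email', 'firstname', 'lastname', 'nationality'] as $key) {
        if (!isset($input[$key]) || !is_string($input[$key]) || $input[$key] === '') {
            throw new InvalidArgumentException("missing field: $key");
        }
    }
    if (filter_var($input['Email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    return [
        'username'     => $input['username'],
        'passwordHash' => password_hash($input['password'], PASSWORD_DEFAULT), // computed here, not inside bind_param()
        'email'        => $input['Email'],
        'firstname'    => $input['firstname'],
        'lastname'     => $input['lastname'],
        'nationality'  => $input['nationality'],
    ];
}

/** Classic bind_param() form: every argument is a variable or an array element. */
function insertAccount(mysqli $connection, array $f): int
{
    // Column names assumed; the auto-increment id is not listed and not supplied.
    $stmt = $connection->prepare(
        'INSERT INTO accounts (username, password, email, firstname, lastname, nationality, verified)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $verified = 0;
    $stmt->bind_param('ssssssi', $f['username'], $f['passwordHash'], $f['email'],
                      $f['firstname'], $f['lastname'], $f['nationality'], $verified);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/** PHP 8.1+: execute() takes the values as an array, so no references are involved at all. */
function insertAccount81(mysqli $connection, array $f): int
{
    $stmt = $connection->prepare(
        'INSERT INTO accounts (username, password, email, firstname, lastname, nationality, verified)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    // All values are sent as strings; MySQL converts "0" for the integer column.
    $stmt->execute([$f['username'], $f['passwordHash'], $f['email'],
                    $f['firstname'], $f['lastname'], $f['nationality'], 0]);
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

$connection = new mysqli('localhost', 'db_user', 'db_password', 'db_name');   // assumed credentials
$fields = accountFieldsFromInput([   // constructed stand-in for $_POST
    'username'  => 'andrew',  'password' => 'hunter2!', 'Email'       => 'andrew@example.com',
    'firstname' => 'Andrew',  'lastname' => 'Lee',      'nationality' => 'GB',
]);
echo 'inserted id ', insertAccount($connection, $fields), "\n";
$connection->close();
```

With `mysqli_report()` set to throw, the silent "Success" of the original would instead have surfaced the real failure at `prepare()` or `execute()`, which is the first thing to turn on when a prepared INSERT reports no error yet stores nothing.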