Trying to get the id of the last insert using a prepared statement. mysqli_insert_id always returns zero.
$sql = "INSERT INTO classes (id_course, id_organization, start_date, end_date, status, id_creator, assign_interval) VALUES (?, ?, ?, ?, ?, ?, 'monthly')";
if ($stmt = mysqli_prepare($link, $sql)) {
if (!mysqli_stmt_bind_param($stmt, "ssssss", $course, $idOrg, $thisClass["startDate"], $endDate, $thisClass["status"], $idUser)) {
echo "Error:could not bind parameters";
}
# CODE MISSING...
{
mysqli_stmt_execute($stmt);
$idClass = mysqli_insert_id($stmt);
}
}
else
{
echo 'ERROR: Could not prepare statement';
}
$sql = "INSERT INTO class_modules (id_class, id_module) select ?,id_module from modules m where m.id_course = ?";
if ($stmt = mysqli_prepare($link, $sql)) {
if (!mysqli_stmt_bind_param($stmt, "ss", $idClass, $course)) {
echo "Error:could not bind parameters";
}
if (!mysqli_stmt_execute($stmt)) {
echo "Error: could not update class modules:";
}
}
else
{
echo 'ERROR: Could not prepare statement';
}
I strogly recommend to use object-oriented approach. The reason for this is that you have confused two functions are mixed their parameters. If you used OOP, this mistake would be less likely to happen.
There are 4 ways to get the auto-generated ID from MySQLi prepared statement:
var_dump($stmt->insert_id);
var_dump($mysqli->insert_id);
var_dump(mysqli_stmt_insert_id($stmt));
var_dump(mysqli_insert_id($mysqli));
As you can see the first two are much cleaner and easier to understand and spot a mistake. What you have done is confused the last two. You used mysqli_insert_id() but you passed in the statement as an argument. Either change the function name or pass the mysqli object instead. The best option would be to use OOP and get the property value.
Related
I am creating a user registration system, and I am at the point where I start modifying the database i get the error
"Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /opt/lampp/htdocs/Projectss/01_sarah/index.php on line 41
"
I have tried using every single method in php documentation concerning adding data to the database
here is some code
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES('$first_name','$last_name','$email','$hash_password')";
$stmt = $conn->prepare($query);
if (!$stmt) {
echo mysqli_error($conn);
}
$stmt->bind_param('ssss', $query);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection
}
The expected result should is to not receive any warning after saving the information to the database
You're passing complete query in the bindParam and also passing the values in the query instead of this you need to pass the parameters in the bindParam like this..
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES(?, ?, ?, ?)";
$stmt = $conn->prepare($query);
$stmt->bind_param('ssss', $first_name, $last_name, $email, $hash_password);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection
I'm trying to figure out how to use sql transactions with mysqli prepared statements. I haven't been able to find any examples that use multiple prepared statements (that aren't OO), so I'm not really sure how to use transactions with them.
This is the closest I could figure:
mysqli_autocommit($database, FALSE);
$transferq = 'INSERT INTO money (user_id, bank, onhand, type, amount, source) VALUES (?, ?, ?, ?, ?, ?)';
$transferstmt = mysqli_stmt_init($database);
mysqli_stmt_prepare($transferstmt, $transferq);
mysqli_stmt_bind_param($transferstmt, 'iiisis', $userid, $newbank, $newmoney, $type, $amount, $source);
mysqli_stmt_execute($transferstmt);
$insertq = 'UPDATE users SET money=?, bank=? WHERE user_id=' . $userid . ' LIMIT 1';
$insertstmt = mysqli_stmt_init($database);
mysqli_stmt_prepare($insertstmt, $insertq);
mysqli_stmt_bind_param($insertstmt, 'ii', $newmoney, $newbank);
mysqli_stmt_execute($insertstmt);
mysqli_commit($database);
But, I have no idea if that would even work. My biggest issue, though, is I'm not sure how to check if the queries failed or not (and therefore whether or not to commit). I saw an example that I think did something like
if(mysqli_stmt_execute($stmt)){
mysqli_commit($database);
}else{
mysqli_rollback($database);
}
But I can't really do that since I have multiple prepared statements to execute.
How is this supposed to work?
Maybe I did not understand your question, but what about this?
mysqli_autocommit($database, FALSE);
$transferq = 'INSERT INTO money (user_id, bank, onhand, type, amount, source) VALUES (?, ?, ?, ?, ?, ?)';
$transferstmt = mysqli_stmt_init($database);
mysqli_stmt_prepare($transferstmt, $transferq);
mysqli_stmt_bind_param($transferstmt, 'iiisis', $userid, $newbank, $newmoney, $type, $amount, $source);
if (not mysqli_stmt_execute($transferstmt) ){
mysqli_rollback($database);
return;
}
$insertq = 'UPDATE users SET money=?, bank=? WHERE user_id=' . $userid . ' LIMIT 1';
$insertstmt = mysqli_stmt_init($database);
mysqli_stmt_prepare($insertstmt, $insertq);
mysqli_stmt_bind_param($insertstmt, 'ii', $newmoney, $newbank);
if (not mysqli_stmt_execute($insertstmt) ){
mysqli_rollback($database);
return;
}
mysqli_commit($database);
The next level if form of this object-oriented using of mysqli or PDO (without transactions, as example of way of work with database):
class my_database{
private static $inner_link_to_driver;
protected static function factory( ){
if (not static::$inner_link_to_driver){
static::$inner_link_to_driver = new ...(USER, SERVER, PASSWD, PORT);
}
return static::$inner_link_to_driver;
}
public static function do_something($params, &$message ){
$query = "...";
$stmt = static::factory()->prepare($query);
if (not $stmp ){
$message = 'Error prepare query '.$query.PHP_EOL.static::factory()-> ..(get_error);
return FALSE;
}
if (not $stmt->execute($params) ){
$message = 'Error execute query '.$query.PHP_EOL.static::factory()-> ..(get_error);
return FALSE;
}
return TRUE;
}
}
The tablename will get compared against a whitelist of acceptable tables before hand by checking a table that list those tables. That list has to be dynamic which is why I opted out of using an array. Are the variables in the set variables section secure? They are coming user submitted post data.
if ($stmt = $mysqli->prepare("INSERT INTO `" . mysql_real_escape_string($tablename) . "` (item_name, item_price, item_position, item_type, multi_link_id) values (?, ?, ?, ?, ?)")) {
//Build Parameters
$stmt->bind_param('sdiii', $additemnameb, $additempriceb, $itempositionb, $itemtypeb, $linkidb);
//Set Variables
$additemnameb = $additemname;
$additempriceb = $additemprice;
$itempositionb = $itemposition;
$itemtypeb = $itemtype;
$linkidb = $linkid;
//Execute Statement
$stmt->execute();
//Close Statement
$stmt->close();
}else{
//Errors
printf("Prepared Statement Error: %s\n", $mysqli->error);
}
Edited to have an actual question to be clear what I'm concerned about.
To answer your questions YES the variables in the // Set Variables section are secure, or more technically the variables will become secure before the query is executed. Mysqli takes care of it for you.
I am trying to insert into a table with Procedural Mysqli. It is not posting any errors nor is it posting the information to the database. Here is my code:
$query = "INSERT INTO Accounts (FirstName, LastName, Username, Password, Access) VALUES ({$_POST['FirstNameTbx']}, {$_POST['LastNameTbx']}, {$_POST['UsernameTbx']}, {$_POST['PasswordTbx']}, {$_POST['AccessDDL']})";
mysqli_query($link, $query);
mysqli_close($link);
$Error .= "$query";
Update:
I changed to prepared statement, now I am getting:
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of elements in type definition string doesn't match number of bind variables in /home/bryantrx/public_html/ec/add_user.php on line 19
There are only 5 variables that need to be bound, and the UserID auto increments, so it doesn't need to be bound or referenced in the statement..
if ($stmt = $link->prepare("INSERT INTO Accounts (FirstName, LastName, Username, Password, Access) VALUES (?, ?, ?, ?, ?)")){
$stmt->bind_param($_POST['FirstNameTbx'], $_POST['LastNameTbx'], $_POST['UsernameTbx'], $_POST['PasswordTbx'], $_POST['AccessDDL']);
$stmt->execute();
$Error .= "success";
$stmt->close();
} else {
echo $link->error;
}
To get an error message you need to call mysqli_error:
$error = mysqli_error($link);
You would also make life easier (and more secure) for yourself if you built your queries using prepare and parameters:
$query = "INSERT INTO Accounts (FirstName, LastName, Username, Password, Access)
VALUES ( ?, ?, ?, ?, ?)";
if ($stmt = mysqli_stmt_prepare($link, $query)) {
mysqli_stmt_bind_param($stmt, "sssss",
$_POST['FirstNameTbx'],
$_POST['LastNameTbx'],
$_POST['UsernameTbx'],
$_POST['PasswordTbx'],
$_POST['AccessDDL']);
if (!mysqli_stmt_execute($stmt)) {
$error = mysqli_stmt_error($stmt);
}
mysqli_stmt_close($stmt);
} else {
$error = mysqli_error($link);
}
mysqli_close($link);
UPDATE - ok, you've swapped to OO which is fine. When using bind_param the first parameter describes the data you are binding. In this case if it is five strings, you would put 5 "s" like so:
$stmt->bind_param("sssss",
$_POST['FirstNameTbx'],
$_POST['LastNameTbx'],
$_POST['UsernameTbx'],
$_POST['PasswordTbx'],
$_POST['AccessDDL']);
So this is my current code:
function addPage($uniquename, $ordernum, $title, $author, $content, $privilege, $description=NULL, $keywords=NULL){
if (!$description) $description = NULL;
if (!$keywords) $keywords = NULL;
//UPDATE `table` SET `ordernum` = `ordernum` + 1 WHERE `ordernum` >= 2
$query = "UPDATE ".$this->prefix."page SET ordernum = ordernum+1 WHERE ordernum >= ?";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("i", $ordernum);
$stmt->execute();
if (!arCheck($stmt)) return false;
} else {
$this->stmtError("addPage", $stmt->error);
}
$query = "INSERT INTO ".$this->prefix."page VALUES (LCASE(?), ?, ?, ?, ?, ?, ?, ?)";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("sisisssi", $uniquename, $ordernum, $title, $author, $content, $description, $keywords, $privilege);
$stmt->execute();
return arCheck($stmt);
} else {
$this->stmtError("addPage", $stmt->error);
}
}
It is suppose to add a new page to the datatable. The MySQL is courtesy of Phil Hunt from Store the order of something in MySQL
I know that you can use multiquery to accomplish the same thing, however I was told that prepared statement is better in performance, and security. Is there another way to do this? Like a prepared multi query?
Also, what about doing Transactions? I'm not fully sure of what that is, I assume that it's if, let's say, the INSERT statement fails, it will undo the UPDATE statement as well?
NOTE: the arCheck function will close the statement.
Prepared statements are indeed faster for repeated queries, at least in most cases. They're also safer because they automatically escape input values, preventing SQL injection attacks. If you want to use them in PHP you'll need the MySQLi extension.
You appear to have the right idea about transactions. With MySQLi there are commit and rollback methods, otherwise you can use mysql_query("COMMIT") or mysql_query("ROLLBACK").