I am updating my current unprotected queries to parameterized ones to protect from SQL Injection.
I have spent a few hours trying to sort this however cant find the issue, any help much appreciated.
BEFORE (echo $row['storeID'];) works before
$storeName = mysqli_real_escape_string($conn,$_GET['store']);
$query = "SELECT * FROM stores WHERE storeName = '$storeName'";
$results = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($results);
AFTER
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
$row = mysqli_stmt_fetch($stmt);
This echo should work but using statements it does not
echo $row['storeID'];
If you look at the documentation for mysqli_stmt_fetch you'll see this description:
Fetch results from a prepared statement into the bound variables
So if you want to go this route, you'll need to ue mysqli_stmt_bind_result as well:
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $col1, $col2, $col3,...);
while (mysqli_stmt_fetch($stmt)) {
// do stuff with $col1, $col2, etc.
}
Now, with each iteration of the loop, the bound result variables are given the value from the result set.
However, I'd strongly suggest moving to PDO, which is far less verbose:
$storeName = $_GET['store'];
$stmt = $db->prepare("SELECT * FROM stores WHERE storeName = ?");
$stmt->execute([$storeName]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// now you have a simple array with all your results
foreach ($rows as $row) {
// do stuff with $row
}
You were missing a call to mysqli_stmt_get_result before fetching the row:
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
echo $row['id'];
Related
Connection is good. I can insert into the database, and check if a row exists by checking if results > 0, but I can not select row data. The $email's being tested are in the database.
Ex 1.
require 'connection/connection.php';
$email = "sample#sample.com";
$sql = "SELECT * FROM users WHERE user_email=?"; // SQL with parameters
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result(); // get the mysqli result
$user = $result->fetch_assoc(); // fetch data
echo $user['user_name'];
Ex. 2
$email = "james#james.com";
$sql = "SELECT * FROM users WHERE user_email=?";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_execute($stmt);
After inserting an echo after every line one by one, this is as far as it gets. If an echo statement is placed after the next line it will not appear.
$result = mysqli_stmt_get_result($stmt);
if ($row = mysqli_fetch_assoc($result)) {
$_SESSION['active_user_id'] = $row['user_id'];
} else {
header("Location: https://example.com/");
exit();
}
The problem was fixed through cPanel. I had to switch from "mysqli" to "nd_mysqli." This fixed the problem right away.
I found the instructions to do this here https://www.plus2net.com/php_tutorial/mysqli_mysqlnd.php
I hope this helps others with the same problem.
$stmt = $mysqli->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ?");
$stmt->bind_param("s", $query);
$stmt->execute();
$stmt->store_result();
if ($stmt->affected_rows > 0) {
echo "Exists";
}
Instead of echoing out Exists, I want it to echo out nameData. How can I go about doing that?
First of all, if you want only one row then append LIMIT 1 to your SELECT query, like this:
$stmt = $mysqli->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ? LIMIT 1");
So there are two approaches to display nameData:
Method(1):
First bind the variable $nameData to the prepared statement, and then fetch the result into this bound variable.
$stmt = $mysqli->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ? LIMIT 1");
$stmt->bind_param("s", $query);
$stmt->execute();
$stmt->store_result();
if($stmt->num_rows){
$stmt->bind_result($nameData);
$stmt->fetch();
echo $nameData;
}else{
echo "No result found";
}
Method(2):
First use get_result() method to get the result set from the prepared statement, and then use fetch_array to fetch the result row from the result set.
$stmt = $mysqli->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ? LIMIT 1");
$stmt->bind_param("s", $query);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows){
$row = $result->fetch_array()
echo $row['nameData'];
}else{
echo "No result found";
}
I think you can below code i hope your query is working fine it returns result properly then you can use below code.
$stmt->bind_result($nameData);
if ($stmt->fetch()) {
printf ("%s\n", $nameData);
}
Note that affected_rows won't do anything useful here.
However, nor you don't need num_rows as well (and therefore store_result too)
$stmt = $mysqli->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ?");
$stmt->bind_param("s", $query);
$stmt->execute();
$stmt->bind_result($nameData);
$stmt->fetch();
echo $nameData;
Considering all that hassle, even without useless functions, you may find PDO a way better approach:
$stmt = $pdo->prepare("SELECT `nameData` FROM `accountsDone` WHERE `nameToSearch` = ?");
$stmt->execute($query);
echo->$stmt->fetchColumn();
This is my simple query in php, using mysqli object oriented style:
$query = "SELECT name FROM usertable WHERE id = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('i', $id);
$id= $_GET['id'];
$stmt->execute();
$stmt->bind_result($name);
while($stmt->fetch()){
echo $name." ";
}
$stmt->free_result();
$stmt->close();
This works fine. I obtain the list of name retrieved from the select statement.
Now, inside the while I want use the $name variable as parameter for another query, but mysqli do not allow this, since I have to close the first query and then call the second query.
So I think I have to store the result of the first query and then iterate over the result calling a new query.
I have tried the following:
$query = "SELECT name FROM usertable WHERE id = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('i', $id);
$id= $_GET['id'];
$stmt->execute();
//$stmt->bind_result($name);
$result = $stmt->store_result();
$stmt->free_result();
$stmt->close();
while ($row = $result->fetch_row())
{
echo $row[0]." ";
}
But this does not work. The code inside while is never reached.
N.B.: I want avoid the use of multi_query().
mysqli_stmt::store_result return a boolean. According to the doc it should be something like:
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($name);
while($stmt->fetch()){
//echo $name." ";
// try another statement
$query = "INSERT INTO usertable ...";
$stmt2 = $mysqli->prepare($query);
...
}
$stmt->free_result();
$stmt->close();
If this doesn't work you can fetch all rows first into an array and then looping that array again:
$stmt->execute();
$stmt->bind_result($name);
$names = array();
while($stmt->fetch()){
$names[] = $name;
}
$stmt->free_result();
$stmt->close();
foreach($names as $name) {
$query = "INSERT INTO usertable ...";
$stmt = $mysqli->prepare($query);
...
}
I have solved the problem:
$query = "SELECT name FROM usertable WHERE id = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('i', $id);
$id= $_GET['id'];
$stmt->execute();
$result = $stmt->get_result();
$stmt->free_result();
$stmt->close();
while ($row = $result->fetch_array(MYSQLI_NUM))
{
echo $row[0]." ";
}
Simply using get_result() and fetch_array()
I always find it difficult to write MySQLi prepared statements, because many functions work differently than in the old way. Right now I am facing a problem regarding fetch_array().
$stmt = $db->prepare("SELECT category_id FROM post_items Where user_id = ?");
$stmt->bind_param('i', $userid);
$result = $stmt->execute();
while ($row = $result->fetch_array()) {
// ...
}
you are trying to fetch the results by
$result = $stmt->execute();
which is not the case. as execute will return you only a boolean value.
do it like.
$stmt = $db->prepare("SELECT category_id FROM post_items Where user_id = ?");
$stmt->bind_param('i', $userid);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
//result is in row
}
$stmt->execute(); doesn't return result. You need $stmt->get_result();.
You can rewrite your code like this:
$stmt = $db->prepare("SELECT category_id FROM post_items Where user_id = ?");
$stmt->bind_param('i', $userid);
$stmt->execute();
$result = $stmt->get_result();
foreach($result as $row) {
// ...
}
replace this:
$result = $stmt->execute();
while ($row = $result->fetch_array()) {
by this
$stmt->bind_result($category_id);
while($stmt->fetch()){
$myArray=$category_id;
}
I have this sequence of code:
$connection = new mysqli('localhost','root','','db-name');
$query = "SELECT * from users where Id = ?";
$stmt = $connection->prepare($query);
$stmt->bind_param("i",$id);
$stmt->execute();
$stmt->bind_result($this->id,$this->cols);
$stmt->fetch();
$stmt->close();
$connection->close();
The problem is that the "SELECT" might give a variable number of columns, which i retain in $this->cols. Is there any possibility to use bind_result with a variable number of parameters?...or any alternative to the solution.
if you are lucky enough to run PHP 5.3+, mysqli_get_result seems what you want.
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_array();