MySQLi prepared statement not binding integer - php

I'm new to prepared statements. The SQL query works fine if I insert dummy data, and it works without binding the integer ($id).
Where am I wrong?
$sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql);
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id); // two strings, then one integer
mysqli_stmt_execute($stmt);

I found the error which caused the integer parameter not to bind. I didn't know that disabled input fields cannot post data, therefore I found a solution: replace the 'disabled' attribute with 'readonly'.

Before binding parameters you have to prepare an SQL statement with parameters in it.
$sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ssi", $type, $desc, $id);
$stmt->execute();

You have to prepare the statement first.
**Procedural style**
$stmt = mysqli_prepare($conn, "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?");
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id);
mysqli_stmt_execute($stmt);
Check http://php.net/manual/en/mysqli-stmt.bind-param.php

Try this
$stmt = $con->prepare("update staff_type set s_type=?, description=? WHERE s_type_id = ?");
if ($stmt) { // prepare() returns false when the SQL cannot be prepared
    $stmt->bind_param('ssi', $s_type, $desc, $s_type_id);
    $stmt->execute();
}
Side note: s represents string while i represents integer.
Hope this helps you
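An added example (an editorial addition, not code from the question or any of the answers above) that puts the procedural pattern from the answers together with the server-side check the question's follow-up calls for: a readonly or disabled field is still under the client's control, so the id is validated as an integer before it is bound, and mysqli error reporting is switched on so a failed prepare or bind cannot pass silently. It assumes an open mysqli connection in $conn, the staff_type table from the question, and POST field names s_type, description and s_type_id; the function name is an assumption.

```php
<?php
// Added example, not code from the question or the answers above. It assumes an
// open mysqli connection in $conn, the staff_type table from the question, and
// POST field names s_type, description and s_type_id (all assumptions).
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a failed
// prepare or bind cannot pass unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one staff_type row with a prepared statement (procedural style, as in
 * the question). Returns the affected-row count reported by MySQL.
 */
function update_staff_type(mysqli $conn, string $type, string $desc, int $id): int
{
    $sql = 'UPDATE staff_type SET s_type = ?, description = ? WHERE s_type_id = ?';
    $stmt = mysqli_prepare($conn, $sql);
    // Type string "ssi": two strings, then one integer. It must have exactly one
    // character per ? marker, in the order the markers appear in the SQL.
    mysqli_stmt_bind_param($stmt, 'ssi', $type, $desc, $id);
    mysqli_stmt_execute($stmt);
    $affected = (int) mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Validate the id on the server. A readonly (or disabled) input is still in the
// client's hands, so the value may be missing, altered, or not an integer at all.
$id = filter_input(INPUT_POST, 's_type_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit("s_type_id is missing or not a positive integer\n");
}
$type = (string) ($_POST['s_type'] ?? '');
$desc = (string) ($_POST['description'] ?? '');

$rows = update_staff_type($conn, $type, $desc, $id);
// 0 means no row matched the id, or the row already held exactly these values;
// more than one row would mean s_type_id is not unique.
echo $rows === 1
    ? "updated s_type_id={$id}\n"
    : "{$rows} row(s) affected for s_type_id={$id}\n";
```

With the original bug (the disabled field never posted), $id would have failed FILTER_VALIDATE_INT here and the request would have been rejected with a 400 instead of silently updating nothing.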

Related

How to prepare number of bind variables to match the number of fields in prepared statement [duplicate]

This question already has answers here: bind_param Number of variables doesn't match number of parameters in prepared statement (1 answer); mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement (2 answers). Closed 1 year ago.
Firstly, I know that this is a repeated question and I'm asking the same question again. But I have read all the solutions provided in the links to the same problem, and when I followed the suggested solution, it triggered more warnings.
This is what I have in my code
if($stmt = $mysqli->prepare("SELECT * FROM emergency WHERE id=?"))
{
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($id, $patient_seen_u, $patient_seen_a);
    $stmt->fetch();
    // show the form
    renderForm($patient_seen_u, $patient_seen_a, NULL, $id);
    $stmt->close();
}
only to get the following warning:
Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't
match number of fields in prepared statement in
C:\xampp\htdocs\gsd\emergency\records.php on line 122
so I changed the code to
if($stmt = $mysqli->prepare("SELECT date, patient_seen_u, patient_seen_a FROM emergency WHERE id ='?'"))
{
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($id, $date, $patient_seen_u, $patient_seen_a);
$stmt->fetch();
// show the form
renderForm($date, $patient_seen_u, $patient_seen_a ,NULL, $id);
$stmt->close();
}
only to get these warnings:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match
number of parameters in prepared statement in
C:\xampp\htdocs\gsd\emergency\records.php on line 119
Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't
match number of fields in prepared statement in
C:\xampp\htdocs\gsd\emergency\records.php on line 122
and also tried this:
if($stmt = $mysqli->prepare("SELECT `date`, `patient_seen_u`,`patient_seen_a` FROM `emergency` WHERE `id` = '?'"))
{
$stmt->bind_param("iii", $id);
$stmt->execute();
$stmt->bind_result($id, $date, $patient_seen_u, $patient_seen_a);
$stmt->fetch();
// show the form
renderForm($date, $patient_seen_u, $patient_seen_a ,NULL, $id);
$stmt->close();
}
but the code is not working either. How can I solve this?
Remove the quotes surrounding the placeholder, and also add the id column so the column list matches the order of the variables in bind_result.
if($stmt = $mysqli->prepare("SELECT id, date, patient_seen_u, patient_seen_a FROM emergency WHERE id =?")) {
    $stmt->bind_param("i", $id); // bind as integer: one ? marker, one type character
    $stmt->execute();
    $stmt->bind_result($id, $date, $patient_seen_u, $patient_seen_a); // four columns, four variables
    $stmt->fetch();
    renderForm($date, $patient_seen_u, $patient_seen_a, NULL, $id);
    $stmt->close();
}
if($stmt = $mysqli->prepare("SELECT id, date, patient_seen_u, patient_seen_a FROM emergency WHERE id =?"))
{
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($id, $date, $patient_seen_u, $patient_seen_a);
$stmt->fetch();
// show the form
renderForm($date, $patient_seen_u, $patient_seen_a ,NULL, $id);
$stmt->close();
}
and now it's working fine. Thank you.
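An added example, not code from the question or the answer: the working query above in two forms, one with bind_result(), where the number of variables must equal the number of columns selected, and one with get_result() (available with the mysqlnd driver), where no count has to be kept in sync in PHP at all. It assumes a mysqli connection in $mysqli, the emergency table from the question, that renderForm() exists, and an id arriving in the query string; the two function names are assumptions.

```php
<?php
// Added example, not code from the question or the answer above. It assumes an
// open mysqli connection in $mysqli, the emergency table from the question, and
// that renderForm() exists; the two function names are assumptions.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const SELECT_EMERGENCY =
    'SELECT id, date, patient_seen_u, patient_seen_a FROM emergency WHERE id = ?';

// Variant 1: bind_result(). The number of variables must equal the number of
// columns in the SELECT list, which is why the columns are named explicitly
// instead of SELECT *: a later table change would otherwise break the count.
function load_emergency_bound(mysqli $mysqli, int $id): ?array
{
    $stmt = $mysqli->prepare(SELECT_EMERGENCY);
    $stmt->bind_param('i', $id);  // one ? marker, so exactly one type character
    $stmt->execute();
    $stmt->bind_result($rowId, $date, $seenU, $seenA);  // four columns, four variables
    $row = null;
    if ($stmt->fetch()) {
        $row = ['id' => $rowId, 'date' => $date,
                'patient_seen_u' => $seenU, 'patient_seen_a' => $seenA];
    }
    $stmt->close();
    return $row;
}

// Variant 2: get_result() (requires the mysqlnd driver). The column count is
// never repeated in PHP, so the "number of bind variables doesn't match" warning
// cannot occur; the row comes back as an associative array instead.
function load_emergency_assoc(mysqli $mysqli, int $id): ?array
{
    $stmt = $mysqli->prepare(SELECT_EMERGENCY);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // null when no row matched
    $stmt->close();
    return $row ?: null;
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit("id must be an integer\n");
}
$record = load_emergency_assoc($mysqli, $id);
if ($record === null) {
    http_response_code(404);
    exit("no emergency record with id={$id}\n");
}
renderForm($record['date'], $record['patient_seen_u'], $record['patient_seen_a'], null, $record['id']);
```

Both variants also check that a row was actually fetched before calling renderForm(); the original code passes whatever fetch() left in the variables, which for an unknown id is nothing.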

Preventing SQL injection insert into

I am having trouble inserting data into my database. This is my first time dealing with SQL injection.
$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES('name = ?')');
$stmt->bind_param('s', $name);
$stmt->execute();
But that doesn't work. Any help would be appreciated!
You have a few syntax errors in your code. Try this:
$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (:s)');
$stmt->bindParam(':s', $name);
$stmt->execute();
If you want to insert and define more values, do it like this:
$stmt = $dbConnection->prepare('INSERT INTO users (name, email) VALUES (:s, :email)');
$stmt->bindParam(':s', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();
If you're using mysqli, your code will look like this:
$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();
You don't need name = in the SQL, the column name is specified in the list (name) after the table name. Just put a ? where you would normally put the value.
$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES(?)');
$stmt->bind_param('s', $name);
$stmt->execute();
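An added example, not code from the question or the answers: the string-concatenated insert beside the prepared one, run against an in-memory SQLite database through PDO so it runs stand-alone (the answers target MySQL; placeholders behave the same way in both). The users table, the attacker string and the function names are constructed for this demonstration.

```php
<?php
// Added example, not code from the question or the answers above. It uses an
// in-memory SQLite database through PDO so it runs stand-alone. The users table,
// the attacker string and the function names are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT)');

// VULNERABLE, kept only for contrast: the value is spliced into the SQL text, so
// a quote in the input ends the literal and whatever follows is executed as SQL.
function insert_user_unsafe(PDO $db, string $name): void
{
    $db->exec("INSERT INTO users (name) VALUES ('" . $name . "')");
}

// SAFE: the statement text is fixed at prepare() time and the values are sent
// separately, so the input is stored verbatim whatever characters it contains.
// Named placeholders as in the PDO answer; with mysqli the same statement would
// use ? markers and bind_param('ss', $name, $email).
function insert_user(PDO $db, string $name, ?string $email = null): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, $email === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function count_users(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed attacker input: closes the string literal, appends a second
// statement, and comments out the rest of the original query.
$hostile = "x'); DELETE FROM users; --";

insert_user($db, 'alice', 'alice@example.com');
insert_user($db, $hostile);              // stored as an ordinary (odd-looking) name
echo count_users($db), " rows after the prepared inserts\n";

insert_user_unsafe($db, $hostile);       // becomes: INSERT ... ('x'); DELETE FROM users; --')
echo count_users($db), " rows after the concatenated insert\n";
```

The prepared insert stores the hostile string as just another name. The concatenated one lets the quote terminate the literal, so the appended DELETE runs as a second statement and empties the table, which the second count_users() call makes visible.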

PHP Session with MySQL Insert Into using bind_parm

I am simply trying to insert a variable from the session into a MySQL database, and it causes the insert to fail. var_dump shows the $_SESSION values are all there. No problem there. Why doesn't this work?
$job = $_SESSION['job'];
$user_id = '1';
$name = 'allie';
$stmt = $mysqli->prepare("INSERT INTO
requests(name,job_info,user_id)
VALUES (?,?,?)");
$stmt->bind_param('sss', $name, $job, $user_id);
$stmt->execute();
See PDO bind_param.
Your parameter is incorrect:
Change this:
$stmt->bind_param('sss', $name, $job, $user_id);
with this:
// PDOStatement methods: $stmt must come from a PDO connection, not mysqli.
// bindValue() binds by value, so an expression such as intval() is allowed here.
$stmt->bindValue(1, $name, PDO::PARAM_STR);
$stmt->bindValue(2, $job, PDO::PARAM_STR);
$stmt->bindValue(3, intval($user_id), PDO::PARAM_INT);

Is there a difference between mysqli->prepare() and stmt->prepare()?

$sql = 'SELECT * FROM Table WHERE Column = ?';
$stmt = $mysqli->stmt_init();
if ($stmt->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
// or
if ($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
When dealing with prepared statements, what's the difference? Which should be used?
Looking at the source, they both do the same thing. Personally, I'd go with the one that involves less typing since both are equally readable.

PDO with bound parameters sql query If statement in update

I am attempting to create a 'trigger' (not in the SQL sense): I want to update the date_added field when the status field is set to 100.
$sql='UPDATE table
SET status=:status,
date_added=[PSEUDO CODE :status=100 ? now() : null;]
WHERE id=:id';
$stmt=$conn->prepare($sql);
$stmt->bindParam(':id', $id, PDO::PARAM_STR);
$stmt->bindParam(':status', $status, PDO::PARAM_STR);
$stmt->bindParam(':sign_id', $sign_id, PDO::PARAM_STR);
$stmt->execute();
Would it be better to attempt this in the SQL query (unsure how to perform this) or on the PHP page (I think I could stumble through that one) prior to issuing the query?
Are there any performance gains one way or the other?
Thanks in advance for any help.
date_added = :date
$date = $status == 100 ? date('Y-m-d H:i:s') : null;
$stmt->bindParam(":date", $date);
You can do this comparison in MySQL as well using IF. I don't think that one is particularly faster than the other, but it makes more sense to me to use PHP for the comparison.
This should work:
$sql='UPDATE table
SET status=:status,
date_added=IF(:status=100, NOW(), NULL)
WHERE id=:id';
$stmt=$conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->bindParam(':status', $status);
$stmt->execute();
But using the same parameter name twice in one statement only works if you configure PDO to use emulated prepare. If you use native prepare, then you should make distinct parameter names even for the same value:
$sql='UPDATE table
SET status=:status,
date_added=IF(:status_again=100, NOW(), NULL)
WHERE id=:id';
$stmt=$conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->bindParam(':status', $status);
$stmt->bindParam(':status_again', $status);
$stmt->execute();
Or else it'd be simpler to use positional parameters. You can also skip the bindParam() if you just pass an array of values to execute(). Here's an example with the latter two changes together:
$sql='UPDATE table
SET status=?,
date_added=IF(?=100, NOW(), NULL)
WHERE id=?';
$stmt=$conn->prepare($sql);
$stmt->execute([$status, $status, $id]);
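An added example, not code from the question or the answer: the positional form above run with emulated prepares switched off (native server-side prepares, with the values bound as typed integers), plus a function that tries the reused :status name under the same setting, so the failure the answer describes can be observed rather than guessed at. It assumes a PDO connection to MySQL in $conn and the table from the question with columns id, status and date_added; the function names are assumptions.

```php
<?php
// Added example, not code from the question or the answer above. It assumes a PDO
// connection to MySQL in $conn and the `table` from the question (id, status,
// date_added); the function names are assumptions.
declare(strict_types=1);

$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Native server-side prepares: PDO no longer interpolates values into the SQL
// text, so every marker must be distinct and MySQL receives the values as typed
// parameters rather than as quoted text.
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

/**
 * Set status and stamp date_added only when the new status is 100, deciding in
 * SQL with IF(). Positional markers: the same PHP value is bound to two markers.
 * Returns rowCount(): the affected-row count MySQL reports (rows actually
 * changed, unless the connection was opened with PDO::MYSQL_ATTR_FOUND_ROWS).
 */
function set_status(PDO $conn, int $id, int $status): int
{
    $stmt = $conn->prepare(
        'UPDATE `table` SET status = ?, date_added = IF(? = 100, NOW(), NULL) WHERE id = ?'
    );
    $stmt->bindValue(1, $status, PDO::PARAM_INT);
    $stmt->bindValue(2, $status, PDO::PARAM_INT);
    $stmt->bindValue(3, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/**
 * The same statement with :status reused. This works only while emulation is on;
 * with native prepares (set above) only the first occurrence receives a value and
 * execute() throws a PDOException. Returns true if the update ran.
 */
function set_status_reused_name(PDO $conn, int $id, int $status): bool
{
    try {
        $stmt = $conn->prepare(
            'UPDATE `table` SET status = :status, date_added = IF(:status = 100, NOW(), NULL) WHERE id = :id'
        );
        $stmt->bindValue(':status', $status, PDO::PARAM_INT);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return true;
    } catch (PDOException $e) {
        error_log('reused named placeholder rejected: ' . $e->getMessage());
        return false;
    }
}

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$status = filter_input(INPUT_POST, 'status', FILTER_VALIDATE_INT);
if ($id === null || $id === false || $status === null || $status === false) {
    http_response_code(400);
    exit("id and status must be integers\n");
}
printf("%d row(s) affected\n", set_status($conn, $id, $status));
```

Turning emulation off is worth doing regardless of this question: with native prepares the server, not the PHP driver, separates SQL from data, and the cost is exactly the constraint the answer mentions, one value per marker.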
