I've wrote this function to read from my MySQL database. This works in most cases, but if it comes to a row with umlauts or characters like "" it returns "0 results".
function leseAntwort($FrageID, $AntwortID){
$sql = "SELECT antwort_text FROM antwort WHERE frage_id=$FrageID AND id=$AntwortID";
$result = connect()->query($sql);
if ($result->num_rows > 0) {
$antwort = $result->fetch_row();
connect()->close();
return $antwort[0];
} else {
connect()->close();
return "0 results";
}
}
[UPDATE]
I tried this, but there is no difference between the results.
function leseAntwort($FrageID, $AntwortID){
$frage=$FrageID;
$antwort=$AntwortID;
global $mysqli;
if ($stmt = $mysqli->prepare("SELECT antwort_text FROM antwort WHERE frage_id=? AND id=?")){
$stmt->bind_param("ii", $frage, $antwort);
$stmt->execute();
$stmt->bind_result($d);
$stmt->fetch();
return $d;
$stmt->close();
$mysqli->close();
} else {
echo "Error";
}
}
you have an SQL Injection in your SQL Statement.
PLZ use Prepared Statements http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
After that you can use utf-8 Chars in your Params.
Related
I have the following normal User class statement that I'm trying to convert to a prepared statement.
public function didReceiveRequest($user_from) {
$user_to = $this->user['username'];
$check_request_query = mysqli_query($this->con, "SELECT * FROM friend_requests WHERE user_to='$user_to' AND user_from='$user_from'");
if (mysqli_num_rows($check_request_query) > 0) {
return true;
}
else {
return false;
}
}
I'm new to prepared statements and have been doing pretty well throughout the User class, but am still having trouble with a few. Being new, I don't follow the logic as well, so please go easy. Here is what I have so far:
public function didReceiveRequest($user_from){
$user_to = $this->user['username'];
$check_request = $this->con->stmt_init();
$check_request->prepare('SELECT * FROM friend_requests WHERE user_to=? AND user_from=?');
$check_request->bind_param('ss', $user_to, $user_from);
$check_request->execute();
$result = check_request->get_result();
$data = $result->fetch_assoc();
$check_request->free_result();
$check_request->close();
if($data > 0){
return true;
}else{
return false;}
}
So a couple things abt this: 1)I know there is probably a better and more efficient way to do this. And 2) Will what I have return the same result as what was there (with normal statement) previously. I don't want to mix up calls from my dependent pages.
Here is how you would use MySqli prepared statements for your case example.
public function didReceiveRequest($user_from) {
$query = "SELECT *
FROM friend_requests
WHERE user_to = ? AND user_from = ?";
$user_to = $this->user['username'];
$stmt = $this->con->prepare($query);
$stmt->bind_param(ss, $user_to, $user_from); //set your bindings
$stmt->execute();
//$results = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);//Use if you want to see results.
if($stmt->num_rows !== 0) {
return TRUE;
}else{
return FALSE;
}
}
Here is a really good link to read that teaches you how to use prepared statements with MySqli. I would bookmark this link and refer to it often. MySqli prepared statements
Using prepared statements does not affect how you receive the results from you query.
The difference I see in what was provided as an answer is $result = $stmt->get_result(); Again being new to prepared statements I'm not 100% that this is the reason above code throws an error, but this code works.
public function didReceiveRequest($user_from) {
$user_to = $this->user['username'];
$stmt = $this->con->stmt_init();
$stmt->prepare('SELECT * FROM friend_requests WHERE user_to=? AND user_from=?');
$stmt->bind_param('ss', $user_to, $user_from);
$stmt->execute();
$result = $stmt->get_result();
$qty = $result->num_rows;
$stmt->free_result();
$stmt->close();
if($qty > 0) {
return true;
}else{
return false;
}
}
I have a table tag. In this table there are only 2 fields id & tag. I am using mysqli prepared statement to insert in the database.
Here is the code:
$search='test';
// Do Prepared Query
$result = $mysqli->prepare("SELECT tag FROM tag where tag= ?");
$result ->bind_param("s", $search);
$result->execute();
$result->store_result();
$result->bind_result($search);
while ($result->fetch()) {
$tag = $tag;
}
if($result->num_rows != 1){
echo "Test";
$result1 = $mysqli->prepare("INSERT INTO tag (tag) VALUES (?)");
$result1 ->bind_param("s", $search);
$result1->execute();
$result1->store_result();
if($result1->affected_rows == 1){
//$res['success'] = true;
$data[] = "Added Successfully";
}
}
// return the result in json
echo json_encode($data);
For some reason it is not working. I have added the db.php file.
It is working fine until here if($result->num_rows != 1){ because I echo Test there and I am getting the output.
You have to close your connection properly :
$result->close();
When preparing a mySQLi statement do I need to bind parameters?
public function query($sql){
$sql = mysqli_prepare($this-> connect, $sql);
$array= array();
$query=mysqli_query($this->connect, $sql);
if ($query > 0){
$c=mysqli_num_rows ($query);
if($c > 1){
while($fetch = mysqli_fetch_row($query)){
array_push($array, $fetch);
}
}
return $array;
}else ...
exit();
}
the ... is just some more conditions to follow through. It just shows what my question is. The way I prepare is that ok or should I do this better. I've never used the prepare method and i am new to this. Also is it best practice to exit the query at the end?
I am having some trouble with prepared statements. Basically, this query is returning no rows, even though I know for a fact that this query should return multiple rows. I thought this was just a problem due to SQL injections, but maybe I'm doing something else wrong here, I don't know. If I take out the check for how many rows there are, I get an error:
PHP Fatal error: Call to a member function fetch_array()
Any help would be appreciated!
$stmt = $mysqli->prepare("SELECT sid from SDS WHERE uid=? AND dst=?");
$stmt->bind_param('ss',$username,$structureType);
$stmt->execute();
$stmt->bind_result($results);
$stmt->fetch();
if ($results) {
if($results->num_rows == 0) {
print("No results here.");
return 0;
}
$recordnames = array();
while ($next_row = $results->fetch_array()) {
$recordnames[] = $next_row['sid'];
}
return $recordnames;
}
When you use $stmt->bind_result($result); you are binding the sid from the database to the variable $results. So you cannot perform operations like :
if($results->num_rows == 0) { //... }
or
$results->fetch_array();
This is how I would do it :
<?php
$stmt = $mysqli->prepare("SELECT sid from SDS WHERE uid=? AND dst=?");
$stmt->bind_param('ss', $username, $structureType);
$stmt->execute();
$stmt->bind_result($sid);
$stmt->store_result();
if ($stmt->num_rows == 0)
{
print("No results here.");
$stmt->close();
return 0;
}
else
{
$recordnames = array();
while($stmt->fetch())
{
$recordnames[] = $sid;
}
return $recordnames;
}
?>
This way uses a different logic, check if the row count is 0, if so display "No results here", if not put results into the array.
This question already has answers here:
Single result from database using mysqli
(6 answers)
Closed 2 years ago.
I have the following code and where if 1 row is found I would like to set the result to $aPrds, how can I do this?
$stmt = $db->prepare("select * from products where id=?");
$stmt->bind_param("s", $_GET['id']);
if($stmt->execute())
{
$stmt->store_result();
echo $stmt->num_rows;
if($stmt->num_rows==1)
{
//SET RETURNED ROW TO aPrds
}
else
{
echo "no results or too many found";
}
}
else
{
echo "sql invalid";
}
I have also tried the following code which has been unsuccessful (returns (null):
$stmt = $db->prepare("select productid, product_name, description from product where productid=?");
$a=1;
$stmt->bind_param("i", $a);
if($stmt->execute()){
$stmt->store_result();
if($stmt->num_rows==1){
$stmt->bind_result($b, $c, $d);
print_r($b);
print_r($c);
print_r($aPrds);
}else{
echo "no result or more than 1 returned";
}
}else{
echo "invalid sql";
}
Please note that I have tested the SQL and it works, also the $db mysqli connection is definitely working.
I think you are looking for the get_result and fetch_assoc methods:
// ....
$result = $stmt->get_result();
$aPrds = $result->fetch_assoc();
// ....
Edit:
Apparently these functions are not yet available (should have tested this, sorry). So this is tested:
function bind_array($stmt, &$row) {
$md = $stmt->result_metadata();
$params = array();
while($field = $md->fetch_field()) {
$params[] = &$row[$field->name];
}
call_user_func_array(array($stmt, 'bind_result'), $params);
}
// ....
if($stmt->execute()) {
bind_array($stmt, $row);
$stmt->fetch();
print_r($row);
// ....
And you second solution should also work if you added $stmt->fetch() after $stmt->bind_result($b, $c, $d);