I am inserting data to my db using this:
$insertPlayerFix = "INSERT INTO playerfixtures (fixture_id, player_id, goals_scored) VALUE (?,?,?)";
$stmt = $conn->prepare($insertPlayerFix);
$stmt->bind_param('sss', $fixtureFix_ID,$playerFix_ID,$goalsScored);
$stmt->execute();
$stmt->store_result();
This works fine until I have data for each of the fixtureID's. It then seemingly inserts data and gives me the success message but nothing new is stored.
It is like I am telling it to check for fixtureID and if > 0 to not do anything(which I am not, obviously).
could be you have an autoincrement column for fixture_id
in this case you should not use this column in you insert clause
eg:
$insertPlayerFix = "INSERT INTO playerfixtures ( player_id, goals_scored) VALUE (?,?)";
$insertPlayerFix = "INSERT INTO playerfixtures ( player_id, goals_scored) VALUE (?,?)";
$stmt = $conn->prepare($insertPlayerFix);
$stmt->bind_param('ss', $fixtureFix_ID,$playerFix_ID,$goalsScored);
$stmt->execute();
$stmt->store_result();
and id normally are integer so check for the correct data type and eventually modify you binding
Related
I have a database set up and there are 2 different columns and I want to insert values into one of those two columns dynamically based on an ID that is passed in from $_GET. I have the bindParam variable part working, but I'm not sure how to use a variable in the INSERT INTO portion of the statement.
One column is called product1_vote and the other is product2_vote. I am getting the 1 or 2 from $_GET and I want to pass that into the prepare call to determine which column to update.
$productID = $_GET['id'];
$stmt = $pdo->prepare('INSERT INTO products (id, title, product1_vote)
VALUES(:id, :title, :product1_vote);
$id = $pdo->lastInsertId();
$title = 'Test';
$date = date('m/d/Y h:i:s', time());
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->bindParam(':product1_vote', $date, PDO::PARAM_STR);
How would I go about changing the INSERT INTO part to work dynamically instead of the current hardcoded product1_vote.
Something like this to give you an idea of what I'm after:
$stmt = $pdo->prepare('INSERT INTO products (id, title, product.$productID._vote)
VALUES(:id, :title, :product.$productID._vote);
$id = $pdo->lastInsertId();
$title = 'Test';
$date = date('m/d/Y h:i:s', time());
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->bindParam(':product.$productID._vote', $date, PDO::PARAM_STR);
You can't parameterise a column name, but also, to guard against SQL injection you don't want to allow direct user input into the query without validation.
A common solution to this is to make a "whitelist" of allowed values and ensure that the user-provided value matches one of them before including it in the query.
For example:
$productID = $_GET['id'];
$voteIDs = ["1", "2"];
if (!in_array($productID, $voteIDs)) {
echo "invalid input value";
die();
};
$stmt = $pdo->prepare('INSERT INTO products (id, title, product'.$productID.'_vote)
VALUES(:id, :title, :product1_vote);
P.S. It's possible this has arisen because your database could be better normalised. If you have multiple votes per product, consider storing them in a separate "productVotes" table with a foreign key back to the products table. Then you wouldn't need to vary the column names in your query.
I have two tables which store the same data. One is for active users and the other for inactive users. When a user comes, it is searched in the active table and if not found, it is searched in the inactive table. If the user info is found in the inactive table, then it should be moved to active table and deleted from inactive table.
The tables have a column that stores a photograph. When I try to insert the information to active table, I get the following error:
SQLSTATE[22018]: [Microsoft][SQL Server Native Client 11.0][SQL Server]Operand type clash: nvarchar(max) is incompatible with image
I am sure it is caused by the photo because if the user info does not have a photo, the move is successful. But when there is a photo, it fails with the above error.
The SQL that creates the table:
CREATE TABLE [dbo].[tblBackup](
[Id] [int] IDENTITY(1,1) NOT NULL,
[DriverId] [int] NULL,
[FirstNameAmh] [nvarchar](100) NULL,
[FatherNameAmh] [nvarchar](100) NULL,
[GrandNameAmh] [nvarchar](100) NULL,
[Photo] [image] NULL
)
Here is the code:
$dbc->beginTransaction();
$sql = "select * from tblBackup where Id=?";
$stmt = $dbc->prepare($sql);
$stmt->bindParam(1, $_GET["gid"]);
$stmt->execute();
$row = $stmt->fetch();
$ins = "insert into tblActive(Id, DriverId, FirstNameAmh, FatherNameAmh, GrandNameAmh, Photo) values(?, ?, ?, ?, ?, ?)";
$st = $dbc->prepare($ins);
$val = array($row['Id'], $row['DriverId'], $row['FirstNameAmh'], $row['FatherNameAmh'], $row['GrandNameAmh'], $row['Photo']);
$st->execute($val);
$sql = "delete from tblBackup where Id=?";
$stmt = $dbc->prepare($sql);
$stmt->bindParam(1, $_GET["gid"]);
$stmt->execute();
$dbc->commit();
Edit:
I concluded that the photo data retrieved by PHP is being treated as nvarchar(max) type rather than image type by SQL server. Because of this, SQL server is complaining that it could not insert nvarchar(max) in image data type column. Is there a way to solve this?
If you are in the development phase, I think it would be better to create a stored procedure including "insert select" with "gid" as the parameter and execute it from php. Can't it be a solution for you?
I changed the code a little bit and now it is working. It is seems the problem is cause by prepared statement, though I don't understand why.
$dbc->beginTransaction();
$sql = "select * from tblBackup where Id=?";
$stmt = $dbc->prepare($sql);
$stmt->bindParam(1, $_GET["gid"]);
$stmt->execute();
$row = $stmt->fetch();
$ins = "insert into tblActive(Id, DriverId, FirstNameAmh, FatherNameAmh, GrandNameAmh, Photo) values(?, ?, ?, ?, ?, ".$dbc->quote($row['Photo']).")";
$st = $dbc->prepare($ins);
$val = array($row['Id'], $row['DriverId'], $row['FirstNameAmh'], $row['FatherNameAmh'], $row['GrandNameAmh']);
$st->execute($val);
$sql = "delete from tblBackup where Id=?";
$stmt = $dbc->prepare($sql);
$stmt->bindParam(1, $_GET["gid"]);
$stmt->execute();
$dbc->commit();
So, I have problem with inserting data into 2 tables directly using subquery and last insert id.
i have following codes
if (isset($_POST['recipient']))
$recipient = sanitize($_POST['recipient']);
if (isset($_POST['message']))
$message = sanitize($_POST['message']);
$sql = "INSERT INTO message (senderID, message)
VALUES (?,?)";
if ($stmt = mysqli_prepare($connection, $sql)) {
mysqli_stmt_bind_param($stmt, "is", $userID, $message);
mysqli_stmt_execute($stmt);
$newID = mysqli_insert_id($connection);
$sql2 = "INSERT INTO message_recipient (messageID, recipientID)
SELECT ?, userID
from user
where username = $recipient";
if ($stmt2 = mysqli_prepare($connection, $sql)) {
mysqli_stmt_bind_param($stmt2, "ii", $newID, $recipient);
mysqli_stmt_execute($stmt2);
mysqli_stmt_close($stmt2);
}
}
for the $stmt2 ,it works well in phpmyadmin, but without the prepared statement. The first query works well, it can add data, but can't the second. Also, i dont know why the first query will insert 2 data, with first data correct and second false.
Is the way i get last insert id wrong, or my second query is false?
Any help given really appreciated. thank you so much
I have this following example query, which works - I CAN insert values into my MySQL table, which also includes an unique id column. I want to get the id from the inserted row, after I execute the query. However what I get is 0 every time ($gotId=0).
What am I doing wrong?
$stmt = $conn->prepare("INSERT INTO ....... ");
$stmt-> bind_param("ss", ....);
$stmt->execute();
$gotId = $conn->insert_id;
Full query:
$conn = $db->connect();
$stmt = $conn->prepare("INSERT INTO table(value1, value2) VALUES(?, ?)");
$stmt-> bind_param("ss", $value1, $value2);
$stmt->execute();
$gotId = $conn->insert_id;
After calling the execute() method on the PreparedStatement, the id of the insert row will be in the insert_id attribute Only read it.
$stmt->execute();
$gotId = $stmt->insert_id;
Taken from here
$query = "INSERT INTO .......";
$mysqli->query($query);
printf ("New Record has id %d.\n", $mysqli->insert_id);
More Info
I am using a prepared statement to insert multiple rows into a table using a for loop. What I require is for the same value ($id) to be inserted into all rows of the "id" column. Likewise, the timestamp should be inserted into the "submitted" column over all iterations.
My current code only inserts one column. Here is the code:
if($stmt = $link->prepare("INSERT INTO table (id, alt_ord, alt_id, rank, submitted) VALUES ($id,?,?,?, NOW())")){
$stmt->bind_param('iii', $q_ord, $q_ID, $rating);
for($i=0; $i < count($_POST['alt_ord']); $i++){
$q_ord = $_POST['alt_ord'][$i];
$q_ID = $_POST['alt_id'][$i];
$rating = $_POST['rank_'][$i];
$stmt->execute();
}
$stmt->close();
}
Using a combination of ?s with $id and NOW() in the INSERT statement is clearly incorrect. How would I repeat the ID and timestamp values in the insert as intended?
Assuming $id is an unknown value (from user input, etc), simply bind it along with the others and don't forget to check for errors
// make mysqli trigger useful errors (exceptions)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$stmt = $link->prepare('INSERT INTO table (id, alt_ord, alt_id, rank, submitted) VALUES (?, ?, ?, ?, NOW())');
$stmt->bind_param('iiii', $id, $q_ord, $q_ID, $rating);
for ($i = 0; $i < count($_POST['alt_ord']); $i++) {
$q_ord = $_POST['alt_ord'][$i];
$q_ID = $_POST['alt_id'][$i];
$rating = $_POST['rank_'][$i]; // you sure about this one? "rank_"?
$stmt->execute();
}