I have a class in PHP that needs to send data from a form to a database. The query is split up into 2 queries because half the data needs to be sent to another table in the same database.
Now the problem: when I confirm the form, only the data of the second query has been sent to the database, but not the data of the first query.
This is what I have:
(database connection) ...
if (something is empty)
{
Give error.
}
else {
$query = $this->db->prepare("INSERT INTO Table1(coloumn1, coloumn2, coloumn3, coloumn4, coloumn5, coloumn6, coloumn7, coloumn8) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$query->bindParam(1, $Val1);
$query->bindParam(2, $Val2);
$query->bindParam(3, $Val3);
$query->bindParam(4, $Val4);
$query->bindParam(5, $Val5);
$query->bindParam(6, $Val6);
$query->bindParam(7, $Val7);
$query->bindParam(8, $Val8);
$query->execute();
$query = $this->db->prepare("INSERT INTO Table2(coloumn1, coloumn2, coloumn3, coloumn4, coloumn5) VALUES(?, ?, ?, ?, ?)");
$query->bindParam(1, $Val1);
$query->bindParam(2, $Val9);
$query->bindParam(3, $Val10);
$query->bindParam(4, $Val11);
$query->bindParam(5, $Val12);
$query->execute();
}
What I have done:
checked the database connection
checked the table name
some error checks
tried to make a different function for the second query (but then it doesn't send anything anymore)
deleted the second query (but it still won't send the first query)
and of course googling
I think I am doing something wrong with my first query but I don't know what.
Found it: I misspelled a column name (yes, I did check it 2 times but still didn't see it).
bind_param isn't supposed to be used the way you were using it for mysqli:
mysqli_stmt_bind_param documentation
The first parameter is a hint to PHP about what type of variable you are dealing with (i => integer, s => string, etc.)
You basically have to give ALL parameters in one line, using VARIABLES (you can't use constants).
--- SIDE NOTE: ADVANCED ---
If your code doesn't know how many parameters to pass at compile time, you might need to use:
call_user_func_array(array($query,'bind_param'), $all_prm );
where $all_prm is an array of references to the values, the first element being the types.
I believe you used the bind_param method in the wrong way. As stated in http://php.net/manual/en/mysqli-stmt.bind-param.php:
bool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )
So, assuming all your variables are integers, you could bind them in the following way:
$query->bind_param('iiiiiiii', $Val1, $Val2, $Val3, $Val4, $Val5, $Val6, $Val7, $Val8);
Here are the type specification chars:
'i': corresponding variable has type integer
'd': corresponding variable has type double
's': corresponding variable has type string
'b': corresponding variable is a blob and will be sent in packets
Therefore the solution I propose to you is:
$query = $this->db->prepare("INSERT INTO Table1(coloumn1, coloumn2, coloumn3, coloumn4, coloumn5, coloumn6, coloumn7, coloumn8) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$query->bind_param('iiiiiiii', $Val1, $Val2, $Val3, $Val4, $Val5, $Val6, $Val7, $Val8);
$query->execute();
$query = $this->db->prepare("INSERT INTO Table2(coloumn1, coloumn2, coloumn3, coloumn4, coloumn5) VALUES(?, ?, ?, ?, ?)");
$query->bind_param('iiiii', $Val1, $Val9, $Val10, $Val11, $Val12);
$query->execute();
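The two-table insert from the question above, rewritten as an added example (this is not code from the question or from either answer): mysqli is switched to exception reporting and both INSERTs run inside one transaction, so a failure in the first statement, such as the misspelled column name the asker eventually found, is reported instead of being skipped silently, and the second row is rolled back together with it. The connection details, the table names and the column names are placeholders, not values from the page.

```php
<?php
// Added example, not from the original question or answers. It assumes a
// reachable MySQL server; host, credentials, database, table and column names
// below are placeholders to replace.
declare(strict_types=1);

// Throw mysqli_sql_exception on any failure instead of returning false.
// Without this, a failed first INSERT (e.g. a misspelled column name) leaves
// no trace while the second INSERT still runs, which is what the question
// above observed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one form submission into two tables atomically.
 * Returns the auto-increment id of the Table1 row, or throws.
 */
function insertSubmission(mysqli $db, array $t1, array $t2): int
{
    $db->begin_transaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO Table1 (col1, col2, col3) VALUES (?, ?, ?)'
        );
        // mysqli binds all parameters in one call; every argument after the
        // type string must be a variable because it is taken by reference.
        $stmt->bind_param('sss', $t1[0], $t1[1], $t1[2]);
        $stmt->execute();
        $newId = (int) $db->insert_id;
        $stmt->close();

        $stmt = $db->prepare(
            'INSERT INTO Table2 (table1_id, col1, col2) VALUES (?, ?, ?)'
        );
        $stmt->bind_param('iss', $newId, $t2[0], $t2[1]);
        $stmt->execute();
        $stmt->close();

        $db->commit();
        return $newId;
    } catch (mysqli_sql_exception $e) {
        // Either both rows are written or neither is.
        $db->rollback();
        throw $e;
    }
}

$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
try {
    $id = insertSubmission($db, ['a', 'b', 'c'], ['d', 'e']);
    echo "inserted Table1 row $id\n";
} catch (mysqli_sql_exception $e) {
    // Log the real message server-side; show the user only a generic failure.
    error_log('insert failed: ' . $e->getMessage());
    echo "could not save the form\n";
}
```

With reporting set to MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT (the default since PHP 8.1), a bad column name in the first prepare() throws immediately, so the situation "only the second query arrived" cannot go unnoticed.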
Testing the statement from all sides, but failed to find a solution for it.
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO client (username, email, password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
    $insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2, $reg_ip, $random_salt, $countryname, $ref_code, $hashed_pin, $user_id3, $user_id4);
    $insert_stmt->execute();
}
This never executes or gets inside the if statement.
I debugged it by removing the if part, which shows the bind_param() on boolean error.
$insert_stmt = $mysqli->prepare("INSERT INTO client (username, email, password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2, $reg_ip, $random_salt, $countryname, $ref_code, $hashed_pin, $user_id3, $user_id4);
if ($insert_stmt->execute()) {
    // ...
}
Fatal error: Call to a member function bind_param() on boolean
I have done the following tests:
All 10 variables' data types test = OK (with the gettype() function)
Variables' data values = OK (printed all data values for checking)
MySQL query statement = OK (tested on MySQL directly with the inputted data; MySQL is inserting the values)
There is no syntax error either.
Variable alignment = OK
Data connection = OK (as it runs other prepared statements without errors on the same page)
Then where is the mistake?
I figured it out.
Solution:
It was not working because the connection of the previous prepared statement $stmt_aff was not closed.
Once I closed it, the next prepared statement $insert_stmt started working.
A good lesson learned about why the bind_param boolean error gets produced if there are multiple prepared statements on the same page.
$stmt_aff->close();
I am switching from mysqli syntax to PDO and have some doubts:
Before, I used this (example of binding int, string and decimal values):
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, id, value) VALUES (?, ?, ?)");
$stmt->bind_param("sid", $firstname, $id, $value);
$stmt->execute();
With PDO I should use this (here the decimal param type already doesn't exist, not to mention that I have to write multiple lines for binding):
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, id, value) VALUES (?, ?, ?)");
$stmt->bindParam(1, $firstname, PDO::PARAM_STR);
$stmt->bindParam(2, $id, PDO::PARAM_INT);
$stmt->bindParam(3, $value, PDO::PARAM_STR);//no decimal type!
$stmt->execute();
Should I just 'forget' about types and do this?
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, id, value) VALUES (?, ?, ?)");
$stmt->execute([$firstname, $id, $value]);
How can int and decimal fail in this situation?
Yes, most of the time you should.
There are only a few extremely rare cases where you would have to fall back to separate binding. For both INT and DECIMAL, string binding is all right.
Note that for the decimal type you should be using "s" in mysqli as well.
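An added example of the execute()-with-array style the answer recommends (not code from the question or the answer): an int and a decimal are both handed to PDO as plain strings, and a numeric WHERE and ORDER BY on the stored values show that the database treated them as numbers, not text. It runs against an in-memory SQLite database so no MySQL server is needed; the table and sample rows are constructed for the demonstration.

```php
<?php
// Added example, not from the original question or answer. Uses an in-memory
// SQLite database through PDO so it runs offline; the table and the sample
// values are constructed for the demonstration.
declare(strict_types=1);

function demoStringBinding(): array
{
    $pdo = new PDO('sqlite::memory:');
    // Make every failure an exception rather than a silent false return.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE MyGuests (firstname TEXT, id INTEGER, value DECIMAL(10,2))');

    $stmt = $pdo->prepare('INSERT INTO MyGuests (firstname, id, value) VALUES (?, ?, ?)');

    // All three values are passed as strings via execute(): no bindParam(),
    // no PDO::PARAM_* constants. The column types decide how they are stored.
    $rows = [
        ['Alice', '7',  '19.99'],
        ['Bob',   '12', '250.50'],
    ];
    foreach ($rows as $r) {
        $stmt->execute($r);
    }

    // The comparison parameter is a string too. If the values had been stored
    // as text, "19.99" > "100" would be true (character by character) and ids
    // would sort as "12" before "7"; numerically only Bob qualifies and 7 < 12.
    $q = $pdo->prepare('SELECT firstname, id, value FROM MyGuests WHERE value > ? ORDER BY id');
    $q->execute(['100']);
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

// Expected: a single row for Bob.
print_r(demoStringBinding());
```

The same holds for MySQL through pdo_mysql: whether prepares are emulated (the default, where PDO quotes the string into the SQL) or native, the server converts the value to the column's type. The one thing string binding does not give you is validation, so values that must be integers or decimals should still be checked before they reach execute().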
This is my current statement. Everything was working fine until I added the key.
The key is just a generated hash for the user to activate the account.
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey) VALUES (?, ?, ?,?,?)");
$stmt->bind_param('sssiss', $username, $newPassword, $email,0,$key,time());
When I run this code I'm getting an error.
Cannot pass parameter 5 by reference
Do you know what could be the issue?
Thanks!
Edit, code:
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey,accountCreated) VALUES (?, ?, ?,?,?,?)");
$stmt->bind_param('sssisi', $username, $newPassword, $email,0,$key,$time);
http://i.stack.imgur.com/Th5tl.png
If you use bind_param, that 0 needs to be in a variable, since bind_param passes by reference.
$somevar = 0;
$time = time(); // a function's return value can't be passed by reference either, so store it first
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey,accountCreated) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bind_param('sssisi', $username, $newPassword, $email, $somevar, $key, $time);
I'm currently using mysqli, and I want a way to properly sanitize every single user input. I'm looking for the most simple, lightweight way to do this, as I understand that I'm NOT supposed to use mysql_real_escape....
My query is like so:
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
As I understand it, I'm supposed to use the function bindParam... If I use it like so, am I completely securing my user inputs?
$stmt->bind_param('sssssssss', $_POST[msg], ('$ip'), ('$date'), '$_POST[main]', '$_POST[twit]', ('$cit'), ('$lat'), ('$lon'), '$_POST[lang]');
$stmt->execute();
$stmt->close();
If this isn't securing my user inputs how do i properly do so?
You need to prepare the statement to be safe. Something like below (it's probably not 100% but gives you an idea):
$sql = new mysqli("localhost", "my_user", "my_password", "world");
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?)");
// array keys must be quoted strings; bind_param takes its arguments by reference, so pass variables, not quoted strings
$stmt->bind_param("sssssssss", $_POST['msg'], $ip, $date, $_POST['main'], $_POST['twit'], $cit, $lat, $lon, $_POST['lang']);
$stmt->execute();
First of all, you have to follow basic PHP syntax.
'$_POST[msg]' would be inserted as the literal string $_POST[msg], while you are expecting the value of the $_POST['msg'] variable.
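An added example for the "am I completely securing my user inputs?" question (not code from the question or either answer): the prepared statement keeps the submitted data out of the SQL grammar, which is what stops injection, but it does not check that the data makes sense, so validation is done as a separate step before binding. It assumes a MySQL server reachable with the placeholder credentials and a Persons table with the columns from the question; the sample input is constructed and stands in for $_POST.

```php
<?php
// Added example; not code from the question or its answers. Assumes a MySQL
// server reachable with the placeholder credentials below and a Persons table
// with the nine columns named in the question.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the submitted fields and return them cleaned, or throw.
 * A prepared statement separates data from SQL; it does not validate data.
 */
function validatePerson(array $post, string $ip): array
{
    $msg  = trim((string) ($post['msg']  ?? ''));
    $main = trim((string) ($post['main'] ?? ''));
    $twit = trim((string) ($post['twit'] ?? ''));
    $lang = trim((string) ($post['lang'] ?? ''));
    $city = trim((string) ($post['city'] ?? ''));

    if ($msg === '' || strlen($msg) > 500) {
        throw new InvalidArgumentException('msg must be 1..500 bytes');
    }
    if (!preg_match('/^[a-z]{2}$/', $lang)) {
        throw new InvalidArgumentException('lang must be a two-letter code');
    }
    // Coordinates must be real numbers inside the valid ranges.
    $lat = filter_var($post['lat'] ?? null, FILTER_VALIDATE_FLOAT);
    $lon = filter_var($post['lon'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($lat === false || $lon === false || abs($lat) > 90 || abs($lon) > 180) {
        throw new InvalidArgumentException('lat/lon out of range');
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('bad client address');
    }
    return [
        'msg' => $msg, 'ip' => $ip, 'time' => date('Y-m-d H:i:s'),
        'main' => $main, 'twit' => $twit, 'city' => $city,
        'lat' => $lat, 'lon' => $lon, 'lang' => $lang,
    ];
}

/** Insert one validated record; returns the number of rows written. */
function insertPerson(mysqli $db, array $p): int
{
    $stmt = $db->prepare(
        'INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // One call, one type character per placeholder, variables only (they are
    // taken by reference): 'd' for the two floats, 's' for everything else.
    $stmt->bind_param(
        'ssssssdds',
        $p['msg'], $p['ip'], $p['time'], $p['main'], $p['twit'],
        $p['city'], $p['lat'], $p['lon'], $p['lang']
    );
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Constructed sample input standing in for $_POST. The apostrophe in msg
// reaches the table intact because it never becomes part of the SQL text.
$sample = ['msg' => "O'Brien says hi", 'main' => 'x', 'twit' => 'y',
           'city' => 'Cork', 'lat' => '51.9', 'lon' => '-8.47', 'lang' => 'en'];
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$rows = insertPerson($db, validatePerson($sample, '203.0.113.5'));
echo "$rows row inserted\n";
```

Note what the prepared statement does and does not cover: it makes the query safe against injection for every bound value, but a message that is later echoed back into a page still needs output escaping for HTML, and out-of-range coordinates or a bogus language code are still bad data unless something rejects them, which is why validatePerson() exists.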
I'm getting obsessed. I'm working for the first time with prepared statements and I am sure I have read somewhere that you could prepare a statement like:
$stmt = $db->prepare("INSERT INTO {$table} (:var1, :var2) VALUES (:val1, :val2)");
$stmt->bind_param(':var1', $var1);
$stmt->bind_param(':var2', $var2);
$stmt->bind_param(':val1', $val1);
$stmt->bind_param(':val2', $val2);
$stmt->execute();
Or something like that. I remember that I have read that you could call the vars by a specific name with ':' as a prefix. But I really can't find an example of that. I read the PHP manual and I couldn't find any sample of this thing.
Is it right or have I dreamed it?
FAQ
If you are wondering why I can't simply use the '?' method:
$stmt = $db->prepare("INSERT INTO {$table} (?, ?, ?, ?, ?, ?) VALUES (?, ?, ?, ?, ?, ?)");
this gets hard to write.
You can't do :var1, :var2, :varX in both the column name list and the VALUES list, for one thing. Secondly, PDO accepts named parameter binding.
See PHP Data Objects and examples in PDO::prepare.
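An added example that puts the answer into working code (it is not from the question or the answer): PDO named placeholders carry the values, and because placeholders cannot stand in for a table or column name, the {$table} and column names the question wanted to make dynamic are checked against a fixed whitelist before they are spliced into the SQL text. It runs against an in-memory SQLite database; the tables, columns and sample rows are constructed for the demonstration.

```php
<?php
// Added example, not from the question or the answer. Runs against an
// in-memory SQLite database via PDO; tables, column names and sample values
// are constructed for the demonstration.
declare(strict_types=1);

// Identifiers (table and column names) cannot be bound as parameters, so the
// only safe way to make them dynamic is to accept them from a fixed list.
const ALLOWED_TABLES  = ['users', 'audit_log'];
const ALLOWED_COLUMNS = [
    'users'     => ['name', 'email'],
    'audit_log' => ['actor', 'action'],
];

/** Build and run an INSERT with whitelisted identifiers and named values. */
function insertNamed(PDO $pdo, string $table, array $data): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $cols = array_keys($data);
    foreach ($cols as $c) {
        if (!in_array($c, ALLOWED_COLUMNS[$table], true)) {
            throw new InvalidArgumentException("column not allowed: $c");
        }
    }
    // Names come only from the whitelist; values go through :name placeholders.
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_map(fn ($c) => ':' . $c, $cols))
    );
    $stmt = $pdo->prepare($sql);
    foreach ($data as $c => $v) {
        $stmt->bindValue(':' . $c, $v);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function demo(): array
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

    // The apostrophe is stored as data; it never touches the SQL grammar.
    $id = insertNamed($pdo, 'users', ['name' => "D'Arcy", 'email' => 'd@example.com']);

    // A column that is not on the whitelist is rejected before any SQL is built.
    $rejected = null;
    try {
        insertNamed($pdo, 'users', ['nickname' => 'x']);
    } catch (InvalidArgumentException $e) {
        $rejected = $e->getMessage();
    }

    // Named placeholders can also be filled straight from execute().
    $q = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $q->execute([':id' => $id]);
    return ['id' => $id, 'name' => $q->fetchColumn(), 'rejected' => $rejected];
}

print_r(demo());
```

Named placeholders remove the counting problem the FAQ complains about, since each value is matched by name rather than by position. The whitelist is the part that matters for safety: without it, an interpolated {$table} or column name is a string from outside the code placed directly into the statement, and no amount of parameter binding protects that position.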