PHP mysqli prepare statement bind_param boolean error - php

I tested the statement from all sides, but failed to find a solution for it.
// Insert the new user into the database
if( $insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)")){
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2,
$reg_ip, $random_salt, $countryname, $ref_code, $hashed_pin, $user_id3,
$user_id4);
$insert_stmt->execute();
This never executes or gets inside the if statement.
I debugged it by removing the if part, which shows the bind_param() boolean error.
$insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)");
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2, $reg_ip,
$random_salt, $countryname, $ref_code, $hashed_pin, $user_id3, $user_id4);
if($insert_stmt->execute()){
Fatal error: Call to a member function bind_param() on boolean
I have done the following tests:
All 10 variables data type test = OK (with gettype() function)
Variables data value = OK (printed all data value for checking)
Mysql query statement = OK (tested on MYSQL directly with inputted data, mysql is inserting values)
There is no syntax error either.
Variable alignment is = Ok
Data connection is = ok (as it runs other prepare statements without errors on same page)
Then where is the mistake?

I figured it out.
Solution:
It was not working because the connection of the previous prepared statement, $stmt_aff, was not closed.
Once I closed it, the next prepared statement, $insert_stmt, started working.
A good lesson learned about why the bind_param boolean error gets produced if there are multiple prepared statements on the same page.
$stmt_aff->close();
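
The sequence described in the answer above, as an added example that is not the poster's code. It assumes a reachable MySQL server, placeholder credentials, a hypothetical `affiliate` lookup table, and a shortened column list for `client`. With exception mode on, a failing prepare() reports the server's message (for an unclosed earlier statement with pending results, "Commands out of sync") at the point of failure instead of a later fatal error on a boolean.

```php
<?php
// Added example. Connection details and the `affiliate` table are assumptions.
// Exception mode is the default from PHP 8.1; set it explicitly for older versions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $mysqli = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db'); // placeholders

    // Constructed sample values.
    $ref_code = 'ABC123';
    $username = 'alice';
    $user_id3 = null;

    // First statement: a SELECT that leaves a result set on the connection.
    $stmt_aff = $mysqli->prepare('SELECT id FROM affiliate WHERE ref_id = ?');
    $stmt_aff->bind_param('s', $ref_code);
    $stmt_aff->execute();
    $stmt_aff->bind_result($user_id3);
    $stmt_aff->fetch();   // reads one row; further rows may still be pending
    $stmt_aff->close();   // releases the pending result before the next prepare()

    // Second statement: prepared only after the first one is closed.
    $insert_stmt = $mysqli->prepare('INSERT INTO client (username, ref_by) VALUES (?, ?)');
    $insert_stmt->bind_param('si', $username, $user_id3);
    $insert_stmt->execute();
    $insert_stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep the database message in the server log; do not echo it to the client.
    error_log('Database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Registration failed.');
}
```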

Related

SQL Prepared statement not inserting my values

I have this prepared statement and it isn't inserting into the table at all. The connection to my database is working. I am still new to this so I am unsure on what is wrong. The spelling of my table is correct also. My network tab on inspect element doesn't show any errors as if it did insert the data but the table doesn't update with said data.
$stmt = $conn->prepare("INSERT INTO usersreports (DateOfReport,Username,ReportedPostId,ReportedUser,ReportedUserId,ReportedReason,ReportedTopic,Resolved,Response,ActionTaken) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("ssssssssss", $DateOfReport,$YourUsername,$UsersPostId,$ReportedUsername,$ReportedUserId,$ReportReason,$ReportTopic,$Resolved,$Response,$ActionTaken);
if ( $stmt === false ) {
echo $conn->error;
exit;
}
$stmt->execute();
$stmt->close();
$conn->close();

Prepare Statement Issue sending encrypted information

This is my current statement. Everything was working fine until I added the key
Key is just a generated hash for the user to activate the account.
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey) VALUES (?, ?, ?,?,?)");
$stmt->bind_param('sssiss', $username, $newPassword, $email,0,$key,time());
When I'm doing this code I'm getting an error.
Cannot pass parameter 5 by reference
Do you know what could be the issue?
Thanks!
Edit Code:
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey,accountCreated) VALUES (?, ?, ?,?,?,?)");
$stmt->bind_param('sssisi', $username, $newPassword, $email,0,$key,$time);
http://i.stack.imgur.com/Th5tl.png
If you use bind_param that 0 needs to be in a variable since bind_param passes by reference.
$somevar=0;
// accountCreated added to the column list so the six placeholders match six columns
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey,accountCreated) VALUES (?, ?, ?, ?,?,?)");
$stmt->bind_param('sssiss', $username, $newPassword, $email,$somevar,$key,$time);

properly sanitize multiple user inputs with mysqli

I'm currently using mysqli, and I want a way to properly sanitize every single user input. I'm looking for the simplest, most lightweight way to do this, as I understand that I'm NOT supposed to use mysql_real_escape....
My query is like so:
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
As I understand, I'm supposed to use the function bindParam... If I use it like so, am I completely securing my user inputs?
$stmt->bind_param('sssssssss', $_POST[msg], ('$ip'), ('$date'), '$_POST[main]', '$_POST[twit]', ('$cit'), ('$lat'), ('$lon'), '$_POST[lang]');
$stmt->execute();
$stmt->close();
If this isn't securing my user inputs, how do I properly do so?
You need to prepare the statement to be safe. Something like below (it's probably not 100% but gives you an idea)
$sql = new mysqli("localhost", "my_user", "my_password", "world");
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?)");
// Array keys are quoted strings; bare words such as $_POST[msg] are not valid keys
$stmt->bind_param("sssssssss", $_POST['msg'], $ip, $date, $_POST['main'], $_POST['twit'], $cit, $lat, $lon, $_POST['lang']);
$stmt->execute();
First of all, you have to follow basic PHP syntax.
'$_POST[msg]' would be inserted as a literal $_POST[msg] string, while you are expecting the value of the $_POST['msg'] variable.

php mysql, Call to a member function bind_param() on a non-object in info.php on line 59

I'm trying to perform a mysql insert operation but for some reason I get the ugly error:
Call to a member function bind_param() on a non-object in info.php on line 59
the code is:
<?php
$db_usag_down = new mysqli("127.0.0.1","user","XXXXXXXX","down");
$db_usag_full = new mysqli("127.0.0.1","user","XXXXXXXXXX","full");
$insert_query = $db_usag_down->prepare("INSERT INTO Applicant VALUES(?, ?, ?, ?, ?, ?)");
$insert_query->bind_param('issssi', $account_id, $first_name, $last_name, $email, $country, $full_status);
$insert_query->execute();
if ($insert_query->errno) {
// error is a property of mysqli_stmt, not a method
echo "FAILURE!!! " . $insert_query->error;
}
?>
Sample values:
23232, Michael K, Boli Gnawaboli#example.com, Cote D'Ivoire (ivory Coast), 1
Two things I see:
First, and actual error, your INSERT syntax is incorrect. It needs to include a column list and/or VALUES before (?, ?, ...).
Second, your parameter count for bind_param() is incorrect based on your query.
Your mysqli statement object was not correctly created, because the INSERT statement is invalid. You're missing the VALUES keyword:
$insert_query = $db_usag_down->prepare("INSERT INTO Applicant VALUES (?, ?, ?, ?, ?, ?)");
//
Check the error status of your `mysqli` object with `mysqli->error();`
if (!$insert_query) {
// error is a property of the mysqli object, not a method
echo $db_usag_down->error;
}
You will have other problems too. You have more data types listed in your bind_param than you have variables to bind.
// You have six params, so you should have only six characters in the data types:
// Assumes $full_status is an integer
$insert_query->bind_param('issssi', $account_id, $first_name, $last_name, $email, $country, $full_status);

Prepared statement mysqli

I'm getting obsessed. I'm working for the first time with prepared statement and I am sure I have read somewhere that you could prepare a statement like:
$stmt = $db->prepare("INSERT INTO {$table} (:var1, :var2) VALUES (:val1, :val2)");
$stmt->bind_param(':var1', $var1);
$stmt->bind_param(':var2', $var2);
$stmt->bind_param(':val1', $val1);
$stmt->bind_param(':val2', $val2);
$stmt->execute();
Or something like that. I remember that I have read that you could call the vars with a specific name with ':' as prefix. But I really can't find an example of that. I read the php manual and I couldn't find any sample of this thing.
Is it right or have I dreamed it?
Faq
If you are wondering why I can't use simply the '?' method:
$stmt = $db->prepare("INSERT INTO {$table} (?, ?, ?, ?, ?, ?) VALUES (?, ?, ?, ?, ?, ?)");
this gets hard to write.
You can't do :var1,:var2,:varX in both the column names list and the VALUES list for one thing. Secondly, PDO accepts named parameter binding.
See PHP Data Objects and examples in PDO::prepare.
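
Because table and column names cannot be bound as parameters, one way to avoid hand-writing long `?` lists is to build the statement from an allow-list of identifiers and bind only the values. This is an added example, not code from any of the posts; the `SCHEMA` constant, the `build_insert()` helper and the sample rows are hypothetical.

```php
<?php
// Added example. Hypothetical schema: table => [column => bind_param type letter].
const SCHEMA = [
    'client' => ['username' => 's', 'email' => 's', 'country' => 's', 'ref_by' => 'i'],
];

// Returns [sql, types, values]. Identifiers come only from SCHEMA; values stay as placeholders.
function build_insert(string $table, array $row): array
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    if ($row === []) {
        throw new InvalidArgumentException('No columns given');
    }
    $cols = [];
    $types = '';
    foreach (array_keys($row) as $col) {
        $col = (string) $col;
        if (!array_key_exists($col, SCHEMA[$table])) {
            throw new InvalidArgumentException("Unknown column: $col");
        }
        $cols[] = "`$col`";
        $types .= SCHEMA[$table][$col];
    }
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)', $table, implode(', ', $cols), $marks);
    return [$sql, $types, array_values($row)];
}

// Constructed sample input.
[$sql, $types, $values] = build_insert('client', [
    'username' => 'alice', 'email' => 'alice@example.com', 'ref_by' => 7,
]);
echo $sql, "\n", $types, "\n";

// With a live connection ($mysqli is assumed to exist):
//   $stmt = $mysqli->prepare($sql);
//   $stmt->bind_param($types, ...$values);
//   $stmt->execute();

// A column name that is not in the allow-list is rejected before any SQL is built.
try {
    build_insert('client', ['is_admin' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```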
