I wrote a code that protects me from sql injections, but now it doesn't even create users. Here is the my code:
<?php
$user = $_GET['username'];
$pass = $_GET['password'];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test123";
$conn = new mysqli($servername, $username, $password, $dbname);
function selectInfo($user, $pass){
global $conn;
$stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$stmt->bind_param("ss", $user, $pass);
$stmt->execute();
$stmt->close();
}
?>
i get no error when executing but it doesn't create users that i need.
Sorry for bad code. Im new at this.
the real reason is you are not calling the function
either do this
<?php
$user = $_GET['username'];
$pass = $_GET['password'];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test123";
$conn = new mysqli($servername, $username, $password, $dbname);
function selectInfo($user, $pass){
global $conn;
$stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$stmt->bind_param("ss", $user, $pass);
$stmt->execute();
$stmt->close();
}
selectInfo($user, $pass);
?>
or
<?php
$user = $_GET['username'];
$pass = $_GET['password'];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test123";
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$stmt->bind_param("ss", $user, $pass);
$stmt->execute();
$stmt->close();
?>
Related
There is an html form which I want to store data from in a database. After filling the form, it returns the php script instead of success message. And no data is getting stored in the database. Can you please help?
<?php
if (isset(['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$gender = $_POST['gender'];
$email = $_POST['email'];
}
if (!empty($username) || !empty($password) || !empty($gender) || !empty($email) {
$host = "localhost";
$dbUsername = "root";
$dbPassword = "";
$dbname = "cakeshop";
$conn = new mysqli($host, $dbUsername, $dbPassword, $dbname);
if (mysqli_connect_error()) {
die('Connect Error('. mysqli_connect_error().)')'. mysqli_connect_error());
}else {
$SELECT = "SELECT email From register Where email = ? Limit 1"
$INSERT = "INSERT INTO register (username, password, gender, email) values(?, ?, ?, ?)";
$stmt = $conn->prepare($SELECT);
$stmt->bind_param("s", $email);
$stmt->execute();
$stmt->bind_result($email);
$stmt->store_result();
$rnum = $stmt->num_rows;
if ($rnum==0){
$stmt->close();
$stmt = $conn->prepare($INSERT);
$stmt->bind_param("ssss", $username, $password, $gender, $email);
$stmt->execute();
echo "New record inserted successfully"
}else {
echo "Someone already registered";
}
$stmt->close();
$conn->close();
}
}
?>
The below query wont insert to database, I had tried this query on my database so I am quite sure that the query is working. I also added the dbcon.php below.
<?php
require '../api/dbcon.php';
$stmt=$conn->prepare("INSERT INTO joborder (AirCondition,
CarpentryMasonry,
ElectricalWorks,
Plumbing,
Welding,
Campus,
priorityId,
RequestorName,
UserJobDescription,
SerialCode
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)" );
$stmt->bind_param('ssssssssss',
$airConditioning,
$masonryCarpentry,
$electrical,
$plumbing,
$welding,
$campus,
$priority,
$requester,
$userJobDescription,
$serialCode);
$airConditioning = "check";
$masonryCarpentry = "check";
$electrical = "check";
$plumbing = "check";
$welding = "check";
$campus = 'NA';
$priority = '1';
$requester = "m";
$userJobDescription ="test";
//create serial code
$serialCode= "na12321";
?>
dbcon.php
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbtable = "table";
$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbtable);
if(!$conn ){
die('Could not connect: ' . mysqli_error());
}
?>
you're using a bad error reporting mode, and thus need to meticulously check for errors everywhere, but you're not.
on not-dbcon.php on line 4 you're not checking that $conn->prepare succeeded, do that, it returns bool(false) if there was an error. on line 16 you're not checking that $stmt->bind_param succeeded, do that, it returns bool(false) if there was an error. or better yet, don't do that, just convert return-value-error-reporting into exception-error-reporting, by running $conn->report_mode = MYSQLI_REPORT_ALL; immediately after creating the object.
... and most importantly, seems you forgot to run $stmt->execute(), which actually executes the query, which obviously explains why you're not inserting anything.
<?php
$servername = "localhost";
$username = "root";
$password = "123456";
$database = "inventory";
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
$stat = $conn->prepare("INSERT INTO salary (name, salary, job) values (?, ?, ?)");
$name = 'test';
$salary = '21123';
$job = 'demo';
$stat->bind_param($name,$salary, $job );
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("INSERT INTO salary (name, salary, job) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// set parameters and execute
$firstname = "Johnqqq";
$lastname = "123123";
$email = "sdadsad";
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();
?>
i want to insert with foreign key resident_id using prepared statement in table_complaints.
here is my picture of :
also i get the $ides = $_POST["resident_id"]; in view page
$servername = "localhost";
$username = "root";
$password = "";
$database = "myDb";
$conn = mysqli_connect($servername, $username, $password, $database);
if(!$conn){
die("Connection Failed: " . mysqli_connect_error());
}
if(isset($_POST["submits"])){
$comp_text = $_POST["comp"];
$complaints = $_POST["complaints"];
$ides =$_POST["resident_id"];
$statementi = mysqli_stmt_init($conn);
mysqli_stmt_prepare($statementi, "INSERT INTO table_complaint (nature_of_complaints, status)
VALUES (?, ?) WHERE resident_id = ?");
mysqli_stmt_bind_param($statementi, "ssi", $comp_text, $complaints);
mysqli_stmt_execute($statementi);
mysqli_stmt_close($statementi);
}
mysqli_close($conn);
Your insert query is incorrect.
You can use this:
INSERT INTO table_complaint (resident_id,nature_of_complaints, status) VALUES (?,?,?)
and then bind the parameters:
mysqli_stmt_bind_param($statementi, "iss", $ides,$comp_text, $complaints);
What am I missing?
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
$name = 'Samuel "L" Jackson';
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("INSERT INTO test2 (id, name) VALUES (?,
?)");
$stmt->bind_param("is",'600' , $name);
$stmt->execute();
$stmt->close();
$conn->close();
?>
I'm getting the following error:
Cannot pass parameter 2 by reference in C.... on line ...
bind_param accepts two or more arguments. The first must be a string identifying the data types for the SQL parameters. The rest of the arguments must be variables that can be passed by reference. '600' is a constant, so you cannot pass it by reference.
Just use a temporary variable to work around that limitation, like this:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
$id = 600;
$name = 'Samuel "L" Jackson';
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("INSERT INTO test2 (id, name) VALUES (?, ?)");
$stmt->bind_param("is", $id, $name);
$stmt->execute();
$stmt->close();
$conn->close();
?>
I have decided for security to convert my simple php with mysql code to PDO,since it will tighten my security.My old code:
$host = "localhost";
$user = "username";
$pass = "pass";
$database = "mydatabase";
$linkID = mysql_connect($host, $user, $pass) or die("Could not connect to host.");
mysql_select_db($database, $linkID) or die("Could not find database.");
$name=$_POST['name'];
$message=$_POST['message'];
$ip = $_SERVER['REMOTE_ADDR'];
$query="INSERT INTO table (date_time, name, message,ip) VALUES (NOW(),'$name','$message','$ip')";
If (mysql_query($query,$linkID)){
//Success
}else{
//Failure
}
My new code is:
$hostname = 'localhost';
$username = 'username';
$password = 'pass';
$dbname = 'mydatabase';
$dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $username, $password);
if($_POST['name'] && $_POST['message']) {
$name = $_POST['name'];
$message = $_POST['message'];
$ip = $_SERVER['REMOTE_ADDR'];
$sql = "INSERT INTO table (date_time, name, message,ip)VALUES (NOW(), :name, :message,'$ip')";
$stmt = $dbh->prepare($sql);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':message', $message, PDO::PARAM_STR);
if ($stmt->execute()) {
echo "OK";
}
}
It's very strange that when i point my browser to index.php?name=someName&message=someMessage my PDO code won't echo a single thing(even echo "ok" ) or an error so i can fugure out where is the problem.
I can confirm that no data is inserted to the database.
I've even added try catch but nothing changed. My php is supporting PDO and the simple Mysql code is working.
Any ideas? Thanks
In your case,
if($_POST['name'] && $_POST['message']) {
Should be:
if($_GET['name'] && $_GET['message']) {