I am in the process of converting some old MySQL code into MySQLI Prepared Statements and hit a snag:
If I run the same SQL code as a prepared statement, I get a "Malformed Package" error. This happens even with extremely simple queries like "SELECT * FROM [TableName]".
I have the creation of the connection and setting of the report level in a separate file altogether. So that code must be identical by definition.
As a specific example, this code works:
$sql = "SELECT * FROM AngebotsDB";
$result = mysqli_query($link, $sql);
But this code:
$sql = "SELECT * FROM AngebotsDB";
// $result = mysqli_query($link, $sql);
$stmt = mysqli_stmt_init($link);
mysqli_stmt_prepare($stmt,$sql);
mysqli_execute($stmt);
$resultReference = mysqli_store_result($link); //throws exception
$result = mysqli_fetch_array($resultReference);
ends in:
Fatal error: Uncaught exception 'mysqli_sql_exception' with message
'Malformed packet' in /home/cgroschupff/public_html/custom_code/DB
structure.php:16 Stack trace: #0 /home/cgroschupff/public_html/custom_code/DB structure.php(16):
mysqli_store_result(Object(mysqli)) #1 {main} thrown in
/home/cgroschupff/public_html/custom_code/DB structure.php on line 16
All I could really find is some old information of this happening when Connecting to the DB.
Note that the used MySQLi/PHP version is rather old (5.2.17?). So this could be a "long ago fixed" bug?
If you initialize a statement, then you have to call the other functions of the mysqli_stmt class, so your code should be:
$sql = "SELECT * FROM AngebotsDB";
$stmt = mysqli_stmt_init($link);
mysqli_stmt_prepare($stmt,$sql);
mysqli_stmt_execute($stmt);
$resultReference = mysqli_stmt_store_result($stmt); // takes the statement, not the connection
Now if you try var_dump($resultReference), it returns true or false.
If you want to show the result with mysqli_fetch_array, you have to pass a mysqli_result parameter, so for this you have to use mysqli_stmt_get_result.
$sql = "SELECT * FROM AngebotsDB";
$stmt = mysqli_stmt_init($link);
mysqli_stmt_prepare($stmt,$sql);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt) ;
$output = mysqli_fetch_array($result) ;
Now you can run var_dump($output) and you have the result.
I'm experimenting with joining databases in php using prepared statements.
I got this error:
Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '? OR users.class LIKE ? OR users.email LIKE ?' at line 3 in C:\xampp\htdocs\Burza\includes\functions.inc.php:335
Stack trace:
#0 C:\xampp\htdocs\Burza\includes\functions.inc.php(335): mysqli_query(Object(mysqli), 'SELECT * FROM p...')
#1 C:\xampp\htdocs\Burza\buy.php(20): getProductsBySearch(Object(mysqli), '%summer%')
#2 {main}
thrown in C:\xampp\htdocs\Burza\includes\functions.inc.php
I think it's because of the LIKE keyword, but I don't know what to do about it.
All of the names of the tables and rows are correct
My code looks like this:
function getProductsBySearch($conn, $search){
$sql = "SELECT * FROM products
JOIN users ON products.userid = users.id
WHERE users.name LIKE ? OR users.surname LIKE ? OR users.class LIKE ? OR users.email LIKE ?;";
$stmt = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt, $sql)){
header("location: ../index.php?error=stmtfailed");
exit();
}
$search = "%".$search."%";
mysqli_stmt_bind_param($stmt, "ssss", $search, $search, $search, $search);// s = string
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$result = mysqli_query($conn, $sql);
$products = mysqli_fetch_all($result, MYSQLI_ASSOC);
mysqli_stmt_close($stmt);
return $products;
}
Can somebody explain to me why it's happening and how to fix it?
I tried changing the * symbol to more specific part in my database - products.id and it didn't help. And I tried using '%".?."%' and it didn't work as well.
This is the problem:
$result = mysqli_query($conn, $sql);
mysqli_query() is used when your query has no query parameters.
If your query has parameters, then use only mysqli_prepare() and mysqli_stmt_execute().
I suggest the following sequence:
try {
$stmt = $conn->prepare($sql);
$search = "%$search%";
$stmt->bind_param("ssss", $search, $search, $search, $search);
$stmt->execute();
$result = $stmt->get_result();
$products = $result->fetch_all(MYSQLI_ASSOC);
} catch (mysqli_sql_exception $e) {
error_log($e);
header("location: ../index.php?error=stmtfailed");
exit();
}
I have the following lines of code to fetch multiple records using PHP 7.3:
$query = "Select * from tblorders";
$stmt = $connection->prepare($query);
$stmt->execute();
$result = $stmt->fetchAll();
The last line issues an error.
Error Details
Uncaught Error: Call to undefined method mysqli_stmt::fetchAll()
I can confirm that the connection is not null and has proper connection details.
Am I missing anything?
This is because there is no such function! You are mixing PDO and mysqli.
If you want to fetch all records from a mysqli prepared statement you need to do it in two steps. First, fetch the result set using mysqli_stmt::get_result() and then use mysqli_result::fetch_all().
$query = "Select * from tblorders";
$stmt = $connection->prepare($query);
$stmt->execute();
$resultSet = $stmt->get_result();
$data = $resultSet->fetch_all(MYSQLI_ASSOC);
However, I would strongly advise learning PDO instead of mysqli as it is much easier and offers more options.
When I try to send the data I want to put in a query from a form, it gives me this message:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':Citta'
Here is the portion of the code from where it gives me the error:
$location = $_POST['Citta'];
$sql = "SELECT * FROM test.cliente WHERE test.cliente.Citta = :Citta";
$statement = $conn->prepare($sql);
$statement->bindParam(':Citta', $location, PDO::PARAM_STR);
$statement->execute();
$result = $statement->fetchAll();
I take the input from a form in another page, then the data goes to $location.
I've changed it all to this:
$location = $_POST['Citta'];
$sql = "SELECT * FROM lgp.cliente WHERE lgp.cliente.Citta = ?";
$statement = $conn->prepare($sql);
$statement->bind_param("s", $location);
$statement->execute();
$result = $statement->fetchAll();
But now, it gives me this error:
Fatal error: Uncaught Error: Call to a member function execute() on bool
I've already added the mysqli report.
I've changed $result = $statement->fetchAll(); into $result = $statement->get_result()->fetchAll();
Now the error is:
Fatal error: Uncaught Error: Call to undefined method mysqli_result::fetchAll()
You seem to have got confused between mysqli and PDO syntax. There are a few similarities, but mainly the way they are used is different.
Your code re-written properly in mysqli would look like this:
$location = $_POST['Citta'];
$sql = "SELECT * FROM test.cliente WHERE test.cliente.Citta = ?";
$statement = $conn->prepare($sql);
$statement->bind_param("s", $location);
$statement->execute();
$result = $statement->get_result()->fetch_all();
See https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and https://phpdelusions.net/mysqli for more examples.
I made this code to display my user's details if I search for their email.
file.php
$sql = "SELECT * FROM users WHERE email='$email'";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $email);
$stmt->execute();
$result2 = $stmt->get_result();
file.html
while ($row = $result2->fetch_assoc()) {
//results
}
The problem with this code is that I get always a fatal error.
Fatal error: Uncaught Error: Call to a member function fetch_assoc() on null in ____ Stack trace: #0 {main} thrown in ______
Even though my script works perfectly because when I am searching for my users detail it shows them as expected.
What do they mean with this error? Can I get SQL injected if I leave it like this? How can I remove this error?
1.) Fix binding your email parameter....
$sql = "SELECT * FROM users WHERE email = ?"; // unquoted placeholder; '?' in quotes is a literal string
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $email);
$stmt->execute();
$result2 = $stmt->get_result();
2.) For the error you're getting, I assume you get some error. You should check $result2: if it's false, that means an error.
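On the injection question above, as an added example (not code from either poster): calling prepare() on a string that already contains `$email` protects nothing, because the value is part of the SQL text before the server parses it. Only a `?` placeholder with a bound value keeps data out of the statement. The connection details, the temporary `users` table and the function names are assumptions.

```php
<?php
// Added example; host, credentials and schema below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

// Form from the question: $email is pasted into the SQL text before
// prepare() parses it, so there is no placeholder and nothing is bound.
function lookupInterpolated(mysqli $conn, string $email): array
{
    $stmt = $conn->prepare("SELECT * FROM users WHERE email='$email'");
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Parameterized form: the SQL text is fixed and the value travels
// separately, so its content cannot change the statement's structure.
function lookupBound(mysqli $conn, string $email): array
{
    $stmt = $conn->prepare("SELECT * FROM users WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
}

$conn = new mysqli("localhost", "app_user", "app_password", "app_db");
$conn->query("CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, email VARCHAR(190))");
$conn->query("INSERT INTO users VALUES (1, 'o''brien@example.test')");

$email = "o'brien@example.test"; // constructed input containing a quote

// Bound: the quote is ordinary data and the lookup matches the stored row.
var_dump(lookupBound($conn, $email));

try {
    lookupInterpolated($conn, $email);
} catch (mysqli_sql_exception $e) {
    // The quote closed the string literal early, so the server received a
    // different statement than the one the developer wrote and rejected it.
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}
```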
My file should get all users with this id (It's only one since id is unique in this table) and prepare a statement to execute later. When I execute it I get this error:
Fatal error: Uncaught Error: Call to a member function execute() on
boolean in C:\xampp\htdocs\Gamanware.ga\Admin\update.php:7 Stack
trace: #0 {main} thrown in
C:\xampp\htdocs\Gamanware.ga\Admin\update.php on line 7.
And I can't see anything wrong with it. The id is alright (I echo it out to be sure), I'm not using reserved words and have made sure that it won't matter anyway, but I still get this error. I have been on several forums and many questions have not worked for me. I hope some of you can! My code:
<?php
require '../includes/login_system.dbh.php';
$id = $_GET['id'];
$sql = 'SELECT * FROM `users` WHERE `id`=:id';
$statement = $conn->prepare($sql);
$statement->execute([':id' => $id ]);
Try the code below and see if it helps
require '../includes/login_system.dbh.php';
$sql= "SELECT * FROM users WHERE id = :id";
$statement = $conn->prepare($sql);
$statement->bindParam(':id', $id, PDO::PARAM_INT);
$id = $_GET['id'];
$statement->execute();
You can also do an if else statement with your execute like so to see what it gives you.
require '../includes/login_system.dbh.php';
$sql= "SELECT * FROM users WHERE id = :id";
$statement = $conn->prepare($sql);
$statement->bindParam(':id', $id, PDO::PARAM_INT);
$id = $_GET['id'];
if ($statement->execute()) {
echo "Success";
} else {
echo "Failed";
}
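Several posts above hit errors from mixing the two APIs: `:name` placeholders or `fetchAll()` on mysqli, and `execute() on bool` after a failed `prepare()`. The following added example, not from any of the posts, shows the matching calls for each connection type. `runSelect()` is a hypothetical helper, and the demo uses a constructed in-memory SQLite table through PDO so it runs without a server.

```php
<?php
// Added example, not from the original posts. runSelect() is hypothetical.
function runSelect(object $conn, string $sql, array $params = []): array
{
    if ($conn instanceof mysqli) {
        // mysqli: positional "?" placeholders only; ":name" is a syntax error.
        $stmt = $conn->prepare($sql);
        if ($stmt === false) {
            // Unless mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)
            // is set, a failed prepare() returns false and the next call
            // dies with "Call to a member function execute() on bool".
            throw new RuntimeException("mysqli prepare failed: " . $conn->error);
        }
        if ($params !== []) {
            $values = array_values($params);
            $stmt->bind_param(str_repeat("s", count($values)), ...$values);
        }
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
        $stmt->close();
        return $rows;
    }
    if ($conn instanceof PDO) {
        // PDO: "?" or ":name" placeholders; values go to execute(); fetchAll().
        $stmt = $conn->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException("PDO prepare failed: " . implode(" ", $conn->errorInfo()));
        }
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
    throw new InvalidArgumentException("Unsupported connection: " . get_class($conn));
}

// Constructed demo data in an in-memory SQLite database (PDO branch).
$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)");
$pdo->exec("INSERT INTO users (email) VALUES ('o''brien@example.test')");

// The quote inside the bound value is data, not SQL syntax.
print_r(runSelect($pdo, "SELECT * FROM users WHERE email = :email",
                  [":email" => "o'brien@example.test"]));
```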