I have a form that submits check boxes to a PHP PDO script. I have code that is as follows to store the values into a mysql table
$stmt = $dbPDO->prepare("INSERT INTO group_members(g_id, em_id)
VALUES(:g_id,:em_id)
ON DUPLICATE KEY UPDATE g_id = :g_id, em_id = :em_id");
foreach ($_POST['id'] as $email) {
$stmt->bindParam(':g_id', $gid , PDO::PARAM_INT);
$stmt->bindParam(':em_id', $email , PDO::PARAM_STR);
$stmt->execute();
}
PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number'
This generates an error. What is the best way to insert multiple values into a mysql table with different values?
Every named placeholder have to be unique!
$stmt = $dbPDO->prepare("INSERT INTO group_members(g_id, em_id) VALUES(:g_id,:em_id) ON DUPLICATE KEY UPDATE g_id = :g_id2, em_id = :em_id2");
$email=null;
//just bind once, that the logic behind 'bind()'
$stmt->bindParam(':g_id', $gid , PDO::PARAM_INT);
$stmt->bindParam(':em_id', $email , PDO::PARAM_STR);
$stmt->bindParam(':g_id2', $gid , PDO::PARAM_INT);
$stmt->bindParam(':em_id2', $email , PDO::PARAM_STR);
foreach ($_POST['id'] as $email) {
$stmt->execute();//write your rows
}
$stmt->close();
You can't reuse placeholder names. You have to create new ones, or use VALUES in your update portion:
$stmt = $dbPDO->prepare("INSERT INTO group_members(g_id, em_id) VALUES(:g_id,:em_id) ON DUPLICATE KEY UPDATE g_id = VALUES(g_id), em_id = VALUES(em_id)");
You can't reuse a placeholder unless you have emulation mode turned on.
Generally speaking, PDO_MYSQL should have emulation on by default. The reason being that MySQL performs poorly with prepared statements. Emulation works significantly faster.
That said, if it is not on for whatever reason, you can set it manually using:
$dbc->setAttribute(PDO::ATTR_EMULATE_PREPARES,true);
In fact, if you are not sure, just set it anyway.
Related
I have the following update statement which does execute successfully but with no value change in the table.
$name = "John Doe"; //to update into John Stack
$chenna = "Mz"; $reg = 25; $km = 3;
$dbh = PDO Object
$stmt = $dbh->prepare("UPDATE `hl_customer` SET `name`=:hming, `address`=:chenna
WHERE `regd`=:regd AND `kum`=:km");
$stmt->bindParam(':hming', $name, PDO::PARAM_STR);
$stmt->bindParam(':chenna', $hmun, PDO::PARAM_STR);
$stmt->bindParam(':regd', $reg, PDO::PARAM_INT);
$stmt->bindParam(':km', $km, PDO::PARAM_INT);
$stmt->execute();
$affected = $stmt->rowCount();
Another tested code:
$stmt = $dbh->prepare("UPDATE `hl_customer` SET `name`=?, `address`=?
WHERE `regd`=? AND `kum`=?");
$stmt->execute([$name, $hmun, $reg, $km]);
$affected = $stmt->rowCount();
$stmt = $dbh->query("UPDATE `hl_customer` SET `name`='$name', `address`='$chenna'
WHERE `regd`='$reg' AND `kum`='$km'");
In order to update I kept changing the $name variable, yet there was no affected row. The row count always return 0. I did tested in both phpmyadmin(latest version) and mysql Workbench(latest) and the problem is still there. Then I tested again in mysql console, and it works as expected. But why is it not working in the code shown above, phpmyadmin and workbench. What could be the problem? Is my code wrong? I used mysql 8.0.12, php 5.6.* and php 7.1.*.
I did test it again without parameterized query, still it did not work. Now I begin to think that it is a kind of bug in php.
Thanks
Well i don't see anything wrong with your code try and verify if the number of columns in your table matches the number of paramaters you have because you said it works when you drop the last parameter
I'm trying to prevent SQL Injection using PHP with PDO. I've used this as a reference. http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers . My code doesn't give me any error but the values that are getting in are all null.
The vlaues I'm trying to insert are not null. I know this because I've echo'ed them out:
echo "\nDate: ".$date." Name: ".$name." mail: ".$mail."Comment: ".$comment." website: ".$website;
$sql = "INSERT post SET timeDate = :timeDate and name = :name and mail = :mail and comment = :comment and website = :website";
$stmt = $db->prepare($sql);
$stmt->bindParam(":timeDate", $date);
$stmt->bindParam(":name", $name);
$stmt->bindParam(":mail", $mail);
$stmt->bindParam(":comment", $comment);
$stmt->bindParam(":website", $website);
$stmt->execute();
Don't use AND in between your assignments—use commas.
$sql = "INSERT post
SET timeDate = :timeDate,
name = :name,
mail = :mail,
comment = :comment,
website = :website";
Your statement using AND between the terms is no error, because the statement is actually valid. It just doesn't do what you thought it would.
It's as if you did this:
SET timeDate = (:timeDate and name = :name and mail = :mail and comment = :comment and website = :website")
This sets only timeDate to the result of one long boolean expression.
The other columns are not getting assigned anything, they're just being compared to parameterized values. Since this is a new row you haven't inserted yet, all the other columns are naturally NULL, so the comparisons will be NULL. Therefore AND-ing them together will be NULL, and that's the ultimate value that will be assigned to your timeDate column.
The other columns are not assigned any value in this statement, and their default is presumably NULL.
This is a weird and useless statement, but strictly speaking, it's not an error.
I also encourage you to use PDO more simply. Instead of using bindParam() for everything, you can pass an array to execute(). This does the same thing as if you had done bindValue() for each of the parameters. You can do this with named parameters or positional parameters.
$stmt = $db->prepare($sql);
$stmt->execute([
"timeDate" => $date,
"name" => $name,
"mail" => $mail,
"comment" => $comment,
"website" => $website]);
This is especially handy if you already have your parameter values stored in an array.
The protection against SQL injection is just as good as using bindParam().
I know of two ways to use PDO in PHP to update a MySQL database record. Please could someone explain which one I should use for better security and the difference and I am a little confused.
Method One:
$user = "root";
$pass = "";
$dbh = new PDO('mysql:host=somehost;dbname=somedb', $user, $pass);
$sql = "UPDATE coupons SET
coupon_code = :coupon_code,
valid_from = :valid_from,
valid_to = :valid_to,
discount_percentage = :discount_percentage,
discount_amount = :discount_amount,
calculationType = :calculationType,
limit = :limit
WHERE coupon_code = :coupon";
$stmt = $dbh->prepare($sql);
$stmt->bindParam(':coupon_code', $_POST['coupon_code'], PDO::PARAM_STR);
$stmt->bindParam(':valid_from', $_POST['$valid_from'], PDO::PARAM_STR);
$stmt->bindParam(':valid_to', $_POST['valid_to'], PDO::PARAM_STR);
$stmt->bindParam(':discount_percentage', $_POST['discount_percentage'], PDO::PARAM_STR);
$stmt->bindParam(':discount_amount', $_POST['discount_amount'], PDO::PARAM_STR);
$stmt->bindParam(':calculationType', $_POST['calculationType'], PDO::PARAM_STR);
$stmt->bindParam(':limit', $_POST['limit'], PDO::PARAM_STR);
$stmt->bindParam(':coupon', $_POST['coupon_code'], PDO::PARAM_STR);
$stmt->execute();
Method Two:
$dbtype="somedbtype";
$dbhost="somehost";
$dbname="somedb";
$dbuser="someuser";
$dbpass= "somepass";
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$title = 'PHP Pattern';
$author = 'Imanda';
$id = 3;
$sql = "UPDATE books
SET title=?, author=?
WHERE id=?";
$q = $conn->prepare($sql);
$q->execute(array($title,$author,$id));
From what I can see, method two does not bind the data, rather insert it directly into the query as an array type. Does this make the script more susceptible to SQL injection or other security risks?
The only difference between the two is that if you pass the array in to the execute function rather than calling bindParam yourself, it treats all parameters as PDO::PARAM_STR automatically, whereas in calling bindParam yourself you could bind them as integers, etc.
From the docs:
input_parameters
An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR.
You can also see from the examples there that you can use named parameters (e.g. :limit) when passing the array into the execute function. You don't have to just put ?. In that case you give the array a key:
$sth->execute(array(':calories' => $calories, ':colour' => $colour));
It's mostly a matter of preference. Both protect you from injection.
Though I think it's much easier to force data type with bind(), where as using execute(array()) will be using strings.
I am attempting to make a simple system where, once you view forum thread it updates an existing array entry with the current UNIX time in the DB table that holds the user's account information. The column is set to accept MEDIUMTEXT and is set as NOT NULL.
However, while the first prepared statement works as intended and I receive the correct value, and the json_table is correctly re-encoded, the second query does not update the column data. No errors (no matter what error level I set mysqli to). Neither of the parameters I am binding are NULL and are correct.
I am stumped as to why this is happening. MySQLi magic that I haven't learned? Restrictions somewhere?
$DB = GetDatabaseConnection();
$Statement = $DB->prepare("SELECT `forum_newpost_icondata` FROM `user_accounts` WHERE `id` = ?");
print(mysqli_error($DB));
$Statement->bind_param("i", $UserLoggedIn['id']);
$Statement->bind_result($JSONTable);
$Statement->execute();
$PostData = json_decode($JSONTable);
$PostData[$ThreadID] = time();
$PostData = (string)json_encode($PostData);
$Statement->free_result();
$Statement->close();
$Reinsertion = $DB->prepare("UPDATE `user_accounts` SET `forum_newpost_icondata` = ? WHERE `id` = ?");
print(mysqli_error($DB));
$Reinsertion->bind_param("si", $PostData, $UserLoggedIn['id']);
$Reinsertion->execute();
print(mysqli_error($DB)); // Checking after execute is still blank
$DB->close();
I have been using prepared insert statements for some years and assumed it was binding parameters properly or would give an error but it seems not as the following php binds and inserts a record without any errors but changes a string which should be an int to a zero. So it may be ok for preventing SQL injection attacks but you would end up with a spurious record in the table. e.g.:
$q = "INSERT INTO `table` (id1, id2) VALUES (?, ?)";
$stmt = mysqli_stmt_init($dbc);
$stmt->prepare($q);
$id1 = 'aaaaaaa';
$id2= 'aaaaaaa';
$result = $stmt->bind_param('ii', $id1, $id2);
echo '<p>' . $result . '</p>'; // Trying to bind a string to an int returns true!
echo $dbc->error; // nothing
$stmt->execute(); // inserts record changing $id2 to zero but auto-increments primary key $id1
echo $dbc->error; // nothing
This is running in an Xampp environment with Apache/2.2.14, PHP/5.3.1 and MySQL 5.1.41. Can anyone tell me what is going on?
$stmt->bind_param() doesn't check the given variables for a certain type, it only converts them into the specified type. And your string 'aaaaaaa' is converted into an int-value: 0. That's the way php does it.
The database insert statement is the wrong place to check, if your variables contain useful/correct values. Do that before and only try to insert them, if your validations work.
To do the validation for an int, you could use the php-function is_numeric() or is_int().
I'm not an expert for sure, but at first look.
You have:
$id1 = 'aaaaaaa';
$id2= 'aaaaaaa';
$result = $stmt->bind_param('ii', $id1, $id2);
Thing is your 'ii' parameter says that you will be binding integers! And in fact your $id1 and $id2 are strings. For strings you should go with:
$result = $stmt->bind_param('ss', $id1, $id2);