I am building am app that should execute multiple queries that involve insert, delete and update commands. There is no syntax error but I discovered that the delete command did not delete entry but the insert command inserted row and the action did not rollback. If the delete action did not happen, insert and others should be cancelled is the desired result.
<?
try {
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->beginTransaction();
$D = 2;
$Dn = 3;
$dumpi = $pdo->prepare("INSERT INTO `dumpi` .... SELECT .... FROM .... ");
$dumpi->execute();
$matchi = $pdo->prepare("DELETE FROM `marchi` WHERE `id`=....");
$matchi->execute();
$usri = $pdo->prepare("UPDATE `users` SET `status`='0' WHERE `id`='$Dn' ");
$usri->execute();
$donati = $pdo->prepare("UPDATE `dnsn` SET `status`='d' WHERE `id`='$D' ");
$donati->execute();
$donatidel = $pdo->prepare("UPDATE `dnsn` SET `status`='d',`deleted_by`='m' WHERE `dn`='$Dn' AND `status`='1' ");
$donatidel->execute();
$navwal = $pdo->prepare("UPDATE `wlt` SET `status`='0' WHERE `user`='$Dn'");
$navwal->execute();
$navwalt = $pdo->prepare("UPDATE `wlt` SET `status`='0' WHERE `dn`='$Dn' ");
$navwalt->execute();
// dont let te $D and Dn confuse you, its not the one causing any error
$pdo->commit();
// echo 'it works';
} catch (PDOException $e) {
$pdo->rollBack();
echo "Failed: " . $e->getMessage();
}
?>
The code ended here...
my connection to Db is of this script here...(just added for ref. php7)
$pdoOptions = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_EMULATE_PREPARES => true);
try {
$pdo = new PDO(
"mysql:host=" . MYSQL_HOST . ";dbname=" . MYSQL_DATABASE, //DSN
MYSQL_USER, //Username
MYSQL_PASSWORD, //Password
$pdoOptions //Options
);} catch (Exception $e) {
// design this well to make sense
die(
// conmment out in launch
$e->getMessage())
);
}
Well, if a query do not find any data, it is not an error.
If it's important for you that the delete query should necessarily find the the record to delete, then you have to verify that manually and than throw an exception.
$stmt = $pdo->prepare("DELETE FROM `marchi` WHERE `id`=?");
$stmt->execute([....]);
if (!$stmt->rowCount())
{
throw new Exception("Delete didn't find a record")
}
And then catch Exception, not PDOException.
Note that for some reason you aren't using prepared statements while you should
Related
Update query is not reflected into database . This is related to PHP and PDO method of connection. The query I have written is ,
try {
$conn = new PDO('mysql:host=localhost;dbname=***; charset=utf8','root','****[enter image description here][1]');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM providers WHERE password = '$oldpass'";
$statement = $conn->prepare($sql);
$statement->execute();
$providers = $statement->fetchAll();
if(($providers[0]["password"]=="$oldpass") and ("$pass"=="$cpass")){
$statement = $conn->prepare('update providers set password="$cpass" where password="$oldpass"');
$condition=$statement->execute();
echo '<script>alert("Password changed")</script>';
}
else{
echo '<script>alert("Incorrect old password");</script>';
}
}
catch(PDOException $e) {
echo "Connection failed: " . $e->getMessage();
}
$conn = null;
}
EDIT The message on entering corresponding credentials is Password changed.
Is there anything wrong with the query??
Because it does not show the updated password in database (phpMyAdmin)
The changes you've made will only be visible inside the same transactions, and would be implicitly rolled back when you close the connection. In order to persist them in the database, you need to commit them:
$conn->commit();
I am trying to construct a PDO multiple prepared statement that updates 2 tables.
I am having trouble and getting various errors when I try to get my code working, the latest: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens
When looking on SO I have found various ways of doing this, however I can't figure out how to implement them.
Another concern is not being able use $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);. I've read online that is import to include for security. However I also understand that it doesn't work with Multi Queries PDO (?).
It is possible to do a Multi Update or should I have different scripts?
(Also is my code secure from SQL Injection?)
This is the Code I am working with:
<?php
try {
$conn = new PDO('mysql:host=localhost;dbname=*', '*', '*');
$conn->exec("SET CHARACTER SET utf8"); // Sets encoding UTF-8
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$est_id = $_POST['est_id'];
$known_for = $_POST['known_for'];
$street_address = 'addressToAdd';
$sql = " UPDATE `theList`
SET `known_for` = :known_for
WHERE `id` = :est_id
";
$sql = " UPDATE `est_address`
SET `street_address` = :street_address
WHERE `id` = :est_id
";
$params = array(
':est_id' => $est_id,
':known_for' => $known_for,
':street_address' => $street_address
);
$statement = $conn->prepare($sql);
$statement->execute($params);
$conn = null; // Disconnect
}
catch(PDOException $e) {
echo $e->getMessage();
}
?>
<?php
try {
$conn = new PDO('mysql:host=localhost;dbname=*', '*', '*');
$conn->exec("SET CHARACTER SET utf8"); // Sets encoding UTF-8
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$est_id = $_POST['est_id'];
$known_for = $_POST['known_for'];
$street_address = 'addressToAdd';
$sqlKnown = "UPDATE `theList` SET `known_for` = :known_for WHERE `id` = :est_id";
$stKnown = $conn->prepare( $sqlKnown );
$stKnown->execute([
':est_id' => $est_id,
':known_for' => $known_for,
]);
$sqlStreet = "UPDATE `est_address` SET `street_address` = :street_address WHERE `id` = :est_id";
$stStreet = $conn->prepare( $sqlStreet );
$stStreet->execute([
':est_id' => $est_id,
':street_address' => $street_address
]);
$conn = null; // Disconnect
}
catch(PDOException $e) {
echo $e->getMessage();
}
?>
What is the best way to validate if a record was inserted successfully?
I'm using PDO Statements.
This:
/*******************
Update user picture
********************/
function updateuserpicture($userid, $filename) {
include ("./businesslogic/dbconnection/cfg.php");
try {
$db = new PDO('mysql:host='.$server.';dbname='.$db,$db_user,$db_password);
$sql = $db->prepare("Update usersdata set userpicture=:filename where userid=:userid");
$sql->bindParam(':filename',$filename);
$sql->bindParam(':userid',$userid);
$sql->execute();
$sqlresult = $sql->rowCount();
$db = null;
return $sqlresult; //Then validate if result is greater than 0.
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
}
}
or this:
/*******************
Update user picture
********************/
function updateuserpicture($userid, $filename) {
include ("./businesslogic/dbconnection/cfg.php");
try {
$db = new PDO('mysql:host='.$server.';dbname='.$db,$db_user,$db_password);
$sql = $db->prepare("Update usersdata set userpicture=:filename where userid=:userid");
$sql->bindParam(':filename',$filename);
$sql->bindParam(':userid',$userid);
if ($sql->execute()) {
$db = null;
return TRUE;
} else {
$db = null;
return FALSE;
} //Then validate if result is TRUE or FALSE.
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
}
}
Both ways works fine but im not sure what is the best, can you please help me?
PDO won't actually throw exceptions unless you tell it to. So your try..catch is entirely superfluous and will never do anything.
If the statement was executed without error, that means the data was inserted/updated successfully. No need to count rows, unless you are interested in the specific details of how many rows were altered (which is a different topic than "is the data in my database now?").
Given this, I'd recommend to set PDO to throw exceptions in case of errors and not do any further explicit checking:
$db = new PDO("mysql:host=$server;dbname=$db", $db_user, $db_password);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = $db->prepare('UPDATE users SET userpicture = :filename WHERE userid = :userid');
$sql->bindParam(':filename', $filename);
$sql->bindParam(':userid', $userid);
$sql->execute();
This may still mean that the statement did nothing if the user id didn't exist. This would point to a deeper bug in your app, it's questionable if the PDO code should care about it specifically.
I have the following SQL query:
UPDATE uploads SET UserName='Test2', UserEmail='Test2', UploadCount='4'
WHERE Country = 'Algeria'
When I run this query via MySQL workbench it executes fine.
I am trying to run this via a website / PHP however, and am attempting to execute the query in the following way:
$sql = "UPDATE uploads SET UserName='$user_data[name]', UserEmail='$user_data[email]', UploadCount='$user_data[FilesUploaded]' WHERE Country = '$country'";
echo $sql;
try
{
$pdo = new PDO('mysql:host=localhost; dbname=db01', $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare($sql);
$stmt->execute();
# Affected Rows?
echo $stmt->rowCount(); // 1
} catch(PDOException $e) {
echo 'Error: ' . $e->getMessage();
}
The SQL query is being built via variables here, however I copy / pasted the echo of $sql into workbench to check that there were no syntax errors creeping in, the echo of $sql is what I pasted above.
When I run it via the web application, I get 0 row affected and the UPDATE is not made, where am I going wrong?
Thank you
UPDATE: A new paramatarized version of the PDO:
$sql = "UPDATE uploads SET ";
$sql .="UserName = :name,
UserEmail = :email,
UploadCount = :FilesUploaded";
$sql .=" WHERE Country = '$country'";
try
{
$pdo = new PDO('mysql:host=localhost; dbname=db01', $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare($sql);
$stmt->bindParam(":name", $user_data['name']);
$stmt->bindParam(":email", $user_data['email']);
$stmt->bindParam(":FilesUploaded", $user_data['FilesUploaded']);
$stmt->execute();
# Affected Rows?
echo $stmt->rowCount(); // 1
} catch(PDOException $e) {
echo 'Error: ' . $e->getMessage();
}
It looks like you're trying to insert information from an array while it's in quotes. Try this:
$sql = "UPDATE uploads SET UserName='".$user_data['name']."', UserEmail='".$user_data['email']."', UploadCount='".$user_data['FilesUploaded']."' WHERE Country = '$country'";
I'm passing multiple INSERT statements in one PDO prepare statement and the execute works; however, if any of the inserts fail the the execute() always returns TRUE and catch() is never invoked.
$query = '
INSERT INTO resources SET
resource_type_id = :audio_resource_type_id
, resource_status_id = :resource_status_id
, is_hosted = :is_hosted
, category_id = :category_id
, serve_url = :audio_serve_url
, title = :title;
SET #audio_id = LAST_INSERT_ID();
INSERT INTO resources SET
resource_type_id = :thumbnail_resource_type_id
, resource_status_id = :resource_status_id
, category_id = :category_id
, serve_url = :thumbnail_serve_url
, parent_resource_id = #audio_id;';
if ($audio_duration) {
$query .= '
INSERT INTO audio_duration SET
audio_id = #audio_id
, duration_seconds = :audio_duration';
}
try {
$sth = $dbi->dbh->prepare($query);
$sth->bindParam('audio_resource_type_id', $this->resource_types['audio']);
$sth->bindParam('thumbnail_resource_type_id', $this->resource_types['THUMBNAIL']);
$sth->bindParam('resource_status_id', $resource_status_id);
$sth->bindParam('category_id', $this->category_id);
$sth->bindParam('audio_serve_url', $audio_serve_url);
$sth->bindParam('thumbnail_serve_url', $thumbnail_serve_url);
$sth->bindParam('title', $title);
$sth->bindParam('audio_duration', $audio_duration);
$sth->execute();
} catch (PDOException $e) {
print "Error!: " . $e->getMessage();
log($e->getMessage());
alert($e->getMessage());
return FALSE;
}
Thank you for any thoughts on this.
Just want to point out this..
To stop PDO from silently failing, you can set the error mode on the PDO connection.
$dbh = new PDO();
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
There is also PDO::ERRMODE_WARNING if you want errors but still continue.