I am currently practicing OOP, creating a MySQLi class that will have atleast the basic MySQLi functions (insert, select, update, etc). This is what I have got so far:
if(!class_exists('dbc')) {
class dbc {
public function __construct($host = host, $username = username, $password = password, $database = database) {
// Make the constants class variables
$this->host = host;
$this->username = username;
$this->password = password;
$this->database = database;
$this->connection = new mysqli($this->host, $this->username, $this->password, $this->database);
if($this->connection->connect_errno) {
die('Database connection error!');
return false;
}
}
public function __deconstruct() {
if($this->connection) {
$this->connection->close();
}
}
public function insert($table, $variables = array()) {
if(empty($table) || empty($variables)) {
return false;
}
$sql = "INSERT INTO $table ";
$fields = array();
$values = array();
foreach($variables as $field => $value) {
$fields[] = "'" . $field . "'";
$values[] = "'" . $value . "'";
}
$fields = '(' . implode(', ', $fields) . ')';
$values = '(' . implode(', ', $values) . ')';
$sql .= $fields . ' VALUES ' . $values;
$query = $this->connection->query($sql);
if(!$query) {
echo mysqli_error($this->connection);
}
echo $sql;
}
}
}
As you can see, I create the connection via the details from the config file, I then send a query through the established connection. But for some reason when I attempt to create a MySQLi insert query, I just get the same error over, and over again:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''name', 'option') VALUES ('Sub Title', 'This is a test website')' at line 1
I even echoed out the sql query, which appeared to be the correct format:
INSERT INTO options ('name', 'option') VALUES ('Sub Title', 'This is a test website')
I have spent hours of Googling, trial and error, etc, trying to fix this, and have had no luck, and as it's 12:30am, I'm tired and may be missing something critical, so if anyone knows what is causing this problem, it'll be greatly appreciated for a solution, etc.
Thanks,
Kieron
The column names in the first set of parenthesis should not be quoted:
INSERT INTO options (name, option) VALUES ('Sub Title', 'This is a test website')
// ^^^^ ^^^^^^
Though you can use backticks ` around the column names e.g. `name`, `option`.
Your connection is definitely not working as you are missing the $ on these 4 lines infront of the parameter names
$this->host = host;
$this->username = username;
$this->password = password;
$this->database = database;
Should be
$this->host = $host;
$this->username = $username;
$this->password = $password;
$this->database = $database;
Also the name you have used for your class deconstructor is incorrect it should be
public function __destruct() () {
yours will not cause an error but it will not run automatically on class destruction with your name.
#Marty is correct about the use of backticks and not single quotes around your query syntax, but I dont see how the connection gets made based on the first error I mentioned, and therefore how you get a sensible SQL error reported, however something may be going on that is not obvious from the code you showed us.
Related
I started to learn PHP, have made a great way for myself (not for PHP world) but I cannot succeed updating the information part.. I have problem about updating multiptle tables, and keep receiving this nice error: Could not update data: Query was empty.
I've searched a lot, have been fighting with that for a week and tried to do my best but no result. That's why I am posting here. By the way I know that my code is not neither whole PDO nor MYSQLI but I'm trying my best to learn and implement them as well..
I have got 3 tables now: Students - LessonsBought - Payments.
1) students_id is a joined one with students_id in other tables.
2) students_id is a foreign Key with lessonsbought_id and payments_id
(InnoDB)
Here is my code :
<?php
$servername = "localhost";
$username = "MY-DB-USERNAME";
$password = "MY-DB-PASSWORD";
$dbname = "MY-DB-NAME";
$conn = mysql_connect($servername, $username, $password, $dbname);
if(isset($_POST['update']))
{
$students_name = $row['students_name'];
$students_phone = $row['students_phone'];
$students_email = $row['students_email'];
$students_grade = $row['students_grade'];
$students_reg_date = $row['students_reg_date'];
$lessonsbought_type = $row['lessonsbought_type'];
$lessonsbought_hour = $row['lessonsbought_hour'];
$payment_total = $row['payment_total'];
$payment_method = $row['payment_method'];
$payment_done = $row['payment_done'];
$payment_waiting = $row['payment_waiting'];
$students_id = $_GET["id"];
$sql = mysql_query("UPDATE students,lessonsbought,payment SET
students_name = '$students_name', students_phone = '$students_phone',
students_email = '$students_email', students_grade = '$students_grade',
students_reg_date = '$students_reg_date',
lessonsbought_type= '$lessonsbought_type',
lessonsbought_hour='$lessonsbought_hour',payment_total='$payment_total',
payment_method = '$payment_method', payment_done='$payment_done',
payment_waiting = '$payment_waiting', WHERE students_id =
'$students_id'");
$retval = mysql_query( $sql, $conn );
if(!$retval )
{
die('Could not update data: ' . mysql_error());
}
echo "Updated data successfully\n <font color='green'>
<b>Record deleted successfully</b><font><br />
<a class='buttons' href='/result.php'>Turn Back To Result Page</a>";
}
?>
first you have to select database
mysql_select_db("database_name");
secondly use separate update query to update different table
thirdly you are calling mysql_query inside another mysql_query.
your sql variable will be just query. like shown below
$sql="UPDATE students SET students_name = '$students_name', students_phone = '$students_phone' WHERE students_id = '$students_id'";
lastly Please stop using mysql_* functions.
I have taken some of your code and added it into PDO so you can see how you should be doing this. In this instance it'll work also once all fields have been entered;
Firstly, set yourself up a database connection file:
class Database
{
private $host = "localhost";
private $db_name = "dbname";
private $username = "user";
private $password = "pass";
public $conn;
public function dbConnection()
{
$this->conn = null;
try
{
$this->conn = new PDO("mysql:host=" . $this->host . ";dbname=" . $this->db_name, $this->username, $this->password);
$this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $exception)
{
echo "Connection error: " . $exception->getMessage();
}
return $this->conn;
}
}
Then, I'd make a DBCommon file also. You need to ensure you require_once the database connect file:
class DBCommon
{
private $conn;
/** #var Common */
public $common;
public function __construct()
{
$database = new Database();
$db = $database->dbConnection();
$this->conn = $db;
}
public function runQuery($sql)
{
$stmt = $this->conn->prepare($sql);
return $stmt;
}
}
Then you need to make your classes, so for this one it'd be for example, class student;
class student extends DBCommon
{
public function __construct()
{
parent::__construct();
}
public function updateStudent($name, $phone, $email, $grade)
{
$userid = $_SESSION['user_session'];
$stmt = $this->runQuery("UPDATE `tablename` SET `students_name` = :sname, `students_phone` = :phone, `students_email` = :email, `students_grade` = :grade WHERE `students_id` = :sid");
$stmt->bindParam(array(':sname' => $name, ':phone' => $phone, ':email' => $email, ':grade' => $grade, ':sid' => $userid));
$stmt->execute();
echo "Your Records have now been updated.";
}
}
You can add a try / catch block around these to pass back an error message.
Then within your form file you'd need to include the classes file and then create the class and then form your trigger for the code to run when you press the submit button like below:
require_once ('class.file.php');
$class = new student();
if (isset($_POST['update']))
{
$class->updateStudent($_POST['name'], $_POST['phone'], $_POST['email'], $_POST['grade']);
}
I know this doesn't precisely tell you what you've done wrong but the major wrong thing you have done is gone via MySQL_. This way is a much cleaner and effective way.
P.S. Always bind your params never use '{$var}' within your queries as you'll be subject to vulnerabilities.
Iam trying to make a OOP based forum in PHP and currently im stuck at making the Database class. Specifically Iam stuck at making a "general purpose" insert class function for the Datatable class (using PDO btw).
class DB
{
private $dbconn;
public function __construct(){
}
protected function connect($dbname, $dbhost='127.0.0.1', $dbuser='root', $dbpass=''){
try{
$this->dbconn = new PDO("mysql:host=$dbhost;dbname=$dbname;", $dbuser, $dbpass, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'"));
}
catch(PDOException $e){
echo 'Connection failed: '.$e->getMessage()."<br />";
}
}
protected function disconnect(){
$this->dbconn = null;
}
public function insert($dbname, ){
$this->connect($dbname);
try{
# prepare
$sql = "INSERT INTO pdodemotable (firstname, lastname, age, reg_date)
VALUES (?, ?, ?, now())";
$stmt = $dbconn->prepare($sql);
# the data we want to insert
$data = array($firstname, $lastname, $age);
# execute width array-parameter
$stmt->execute($data);
echo "New record created successfully";
}
catch(PDOException $e){
echo $sql . "<br>" . $e->getMessage();
}
}
}
The insert function is as you see unfinished. I cant figure out how to get the insert function to adapt to ANY amount of arguments, ANY amount of database columns and ANY table. The code thats in the function right now is taken from one of my other projects where I used procedural programming. Its by first time using OOP with Databases.
Im a newbie to both OOP and PDO. There must be some sort of method or function that could help me that Im missing. The only solution I see right now is to use a ridicoulus amount of string handling and if statement... it cant be the best solution... there must be a easier way...
First notice - you don't need the $dbname parameter for insert method, instead it should be a constructor parameter:
class DB {
private $dbconn;
public function __construct($dbname, $dbhost='127.0.0.1', $dbuser='root', $dbpass='') {
// also don't catch the error here, let it propagate, you will clearly see
// what happend from the original exception message
$this->dbconn = new PDO("mysql:host=$dbhost;dbname=$dbname;", $dbuser, $dbpass, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'"));
}
...
}
As for the insert method - first try to imagine how it will be used.
For example, it can be like this:
$db = new DB('mydb');
$db->insert('mytable', array('firstname'=>'Pete', 'lastname'=>'Smith'));
Then you can pass the table name and data (keys/values) into the method:
public function insert($table, $data) {
// again, no need to try / catch here, let the exceptions
// do their job
// handle errors only in the case you are going to fix them
// and not just to ingnore them and 'echo', this can lead to much worse problems
// see the explanation below regarding the `backtick` method
$table = $this->backtick($table);
$fields = array();
$placeholders = array();
$values = array();
foreach($data as $key=>$value) {
$fields[] = $this->backtick($key);
// you can also process some special values like 'now()' here
$placeholders[] = '?';
}
$fields = implode($fields, ','); // firstname, lastname
$placeholders = implode($placeholders, ','); // ?, ?
$sql = "INSERT INTO $table ($fields) values ($placeholders)";
$stmt = $this->dbconn->prepare($sql);
$stmt->execute(array_values($data));
}
public function update($table, $id, $data) {
$table = $this->backtick($table);
$fields = array();
foreach($data as $key=>$value) {
$fields[] = $this->backtick($key) . " = ?";
}
$fields = implode($fields, ','); // firstname=?, lastname=?
$sql = "UPDATE $table SET $fields where id=?";
$stmt = $this->dbconn->prepare($sql);
$data['id'] = $id;
$stmt->execute(array_values($data));
if ($stmt->execute(array_values($data)) === false) {
print 'Error: ' . json_encode($stmt->errorInfo()). PHP_EOL;
}
while ($row = $stmt->fetchAll()) {
print json_encode($row) . PHP_EOL;
}
}
private function backtick($key) {
return "`".str_replace("`","``",$key)."`";
}
Another alternative is to create the separate object which will represent one table row (the ActiveRecord pattern).
The code which uses such object could look like this:
$person = new Person($db);
$person->firstName = 'Pete';
$person->lastName = 'Smith';
$person->save(); // insert or update the table row
Update on possible SQL injection vulnerability
I also added the update and backtick methods to illustrate the possible SQL injection.
Without the backtick, it is possible that update will be called with something like this:
$db->updateUnsafe('users', 2, array(
"name=(SELECT'bad guy')WHERE`id`=1#"=>'',
'name'=>'user2', 'password'=>'text'));
Which will lead to the SQL statement like this:
UPDATE users SET name=(SELECT'bad guy')WHERE`id`=1# = ?,name = ?,password = ? where id=?
So instead of updating the data for user with id 2, we it will change the name for the user with id 1.
Due to backtick method, the statement above will fail with Unknown column 'name=(SELECT'bad guy')WHEREid=2#' in 'field list'.
Here is the full code of my test.
Anyway, this probably will not protect you from any possible SQL injection, so the it is much better not to use the user input for known parameters like table name and field names.
Instead of doing something like $db->insert('mytable', $_POST), do $db->insert('mytable', array('first'=>$_POST['first'])).
Try to pass the arguments has an array, then, inside the method insert, do a foreach.
Something like:
$data['first_name'] = 'your name';
...
$data['twentieth_name'] = 'twentieth name';
foreach( $data as $key => $value )
$final_array[':'.$key] = $value;
$stmt->execute( $final_array );
I would like to make a CRUD class, for inserting, updating and deleting data, in the __contruct function, I don't want to call the connection, I would only specify the connection name, then I am getting this error:
PHP Fatal error: Call to a member function prepare
() on a non-object in crud.php on line 60
<?php
/* Start (config.php)
This part of code is only to show you that the connection name is "connexion" which is called in config.php
$connexion = new PDO('mysql:host='.$db_host.';dbname='.$db_name, $db_user, $db_passwd
, array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES '.$db_charset.'')); //SET NAMES utf8
$connexion->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_WARNING);
EnD */
classDB.php
require_once('config.php');
final class crud {
public function __construct($connexionName) {
$this->connexionName = $connexionName;
}
public final function insert($tableName, $fields=array()){
$this->tableName = $tableName;
$this->fields = $fields;
foreach ($this->fields as $kf => $vf) {
$inKeys[] = $kf;
$inKeysDotted[] = ':' . $kf;
$insertedKeys = implode(', ', $inKeys);
$insertedKeysDotted = implode(', ', $inKeysDotted);
}
echo '<br />';
$sql = "INSERT INTO $this->tableName ($insertedKeys) VALUES ($insertedKeysDotted)";
$insertItems = $this->connexionName->prepare("$sql"); // THIS IS LINE 60
echo 'insert '.$insertItems.'<br />';
} // end insert()
} // end CRUD
$con = new crud($connexion);
echo '<br />';
$con->insert('ban_ip', array('visitor_type'=>'5', 'ip'=>'111.222.333.444'));
?>
Thanks in advance
I'm made a database class in php. Now i was testing the update function in it. It returns an syntax error or an unknown column error depending on how the where-clause is formed.
I tried:
'woord = \'uiteindelijk\'' and 'woord = \"uiteindelijk\"' and
'woord = "uiteindelijk"' and more
I also tried different quotes and backsticks in de functions query but it al gave me the same errors.
My question is what is the right way to form the where-clause is this example if it possible ofcourse. And if not how can i fix it.
part of database.mysqli.php
<?php
class myDB {
private $mysqli;
public function __construct() {
require_once('config.php');
$this->mysqli = new mysqli(HOST, USERNAME, PASSWORD, DB_NAME);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
}
public function close() {
$this->mysqli->close();
}
private function check($input) {
if(is_string($input)) {
$input = trim($input);
return $this->mysqli->real_escape_string($input);
}
elseif(is_int($input)) {
return $input;
}
elseif($input === true || $input === false) {
return $input;
}
else {
die('invalid input');
}
}
public function update($table, $data, $where) {
$table = $this->check($table);
$where = $this->check($where);
$result = '';
if (is_array($data)) {
$update = array();
foreach ($data as $key => $val) {
$key = $this->check($key);
$val = $this->check($val);
$update[] .= $key . '=\'' . $val . '\'';
}
$query = 'UPDATE ' . $table . ' SET ' . implode(',', $update) . ' WHERE ' . $where;
if($this->mysqli->query($query)) {
$result = 'Last updated row id is: '.$this->mysqli->insert_id;
}
else {
$result = $this->mysqli->error;
}
}
return $result;
}
test.php
<!DOCTYPE HTML>
<html>
<head>
</head>
<body>
<?php
require_once('database.mysqli.php');
$db = new myDB;
$data = array('woord' => 'gewoontjes', 'lengte' => 10);
$result = $db->update('galgje', $data, 'woord = \'uiteindelijk\'');
echo $result;
$db->close();
?>
</body>
</html>
The problem comes from escape_string in your check method. This function is used to escape precise parts inside a statement, you cannot apply it to the where clause as a whole in such a generic way.
If you ever know for sure that your inputs are safe (not containing special characters breaking the sql statement, malicious or not), then simply remove the escaping.
Or if you think that they may contain special characters, for good reasons or to possibly drag a sql injection, then you have to provide a more constrained interface so that you can build the where clause yourself with the appropriate escaping. For example :
public function update($table, $data, $woord) {
...
$where = 'woord = \'' . $this->check($woord) . '\'';
...
}
Edit: I know it may sound too much constrained but security comes at a price. For something more flexible, you could have a look at prepared statements. They let you use placeholders, for example WHERE woord = ? AND id < ?, which you can bind to variables with something like :
$stmt->bind_param('si', $woord, $id); // 'si' -> 1:string, 2:integer
In this case, mysqli applies escaping internaly on bound strings, so you don't have to worry about it.
Note that you cannot use a placeholder to replace the whole where clause. WHERE ? with $stmt->bind_param('s', $where); will not work.
Last thing, PDO, an alternative API to access your database in PHP, supports named placeholders (WHERE woord = :woord instead of WHERE woord = ?).
Overview: I have a function that is supposed to pull a row of the db based on its id number
Problem: It seems my function is returning, but it isn't returning anything.
Details:
-I have 2 different files used here: db_class.php and character_pull.php
-Also I have a database that contains 1 table (characters) that does contain column "id"
-there are echo lines for debugging. I will give what the output is.
character_pull.php:
<?php
include "db_class.php";
echo "made it out here1";
$classobject = new db_class();
echo "made it out here2";
$results = $classobject->getPlayerStats("1");
print_r($results);
echo "made it out here3";
$id = "id: " . $results['id'];
$name = "name: " . $results['charname'];
$strength = "strength: " . $results['strength'];
$defense = "defense: " . $results['defense'];
$health = "health: " . $results['health'];
$level = "level: " . $results['level'];
$type = "type: " . $results['type'];
$experience = "experience: " . $results['experience'];
echo"<br/>";
echo "made it out here4";
?>
db_class.php:
<?php
include "database_connect.php";
class db_class{
public function getPlayerStats($id){
echo "<br/>" . "making it in class1";
$query = "SELECT * FROM characters WHERE id = $id";
$result = mysqli_query($query);
return $char = mysqli_fetch_array($result);
$result ->close();
}
}
?>
the output I receive when I run the page is this:
made it out here1made it out here2 making it in class1made it out
here3 made it out here4
I have tried several things to fix this, but am having trouble figuring out what is wrong.
I know that this is probably extremely sloppy and primitive, but try not to laugh too hard and maybe you can help me out :P. Thanks in advance.
You have a number of issues here.
It seems your DB class is quite incomplete. To me, if I am creating a class to represent a DB connection and various operations I am going to make that connection in that class, not via some include (where I assume the connection is happening). The here is that the include will only occur conditionally if your code hits that line. In this case, since you have that include outside any actual function in the class (like a constructor) it will never be called.
I would suggest something like this to resolve this:
class db_class {
protected $mysqli;
private $db_host = 'your_db_host';
private $db_user = 'your_db_user';
private $db_password = 'your_db_password';
protected $db_name = 'default_db_name';
public __construct($db_host = NULL, $db_user = NULL, $db_password = NULL, $db_name = NULL) {
if (!empty($db_host)) {
$this->db_host= $db_host;
}
// validate other parameters similarly
$mysqli = new mysqli($this->db_host, $this->db_use, $this->db_password, $this->db_name);
if($mysqli->connect_error) {
throw new Exception('Connect Error: ' . $mysqli->connect_errno . ', ' . $mysqli->connect_error);
} else {
$this->mysqli = $mysqli;
}
}
// other class methods
}
You now have an object representing a mysqli connection store in $this->mysqli.
Your getPlayerStats() method might now look like
public function getPlayerStats($id) {
if(empty($id)) {
throw new Exception ('An empty value was passed for id');
}
// verify this is integer-like value
$id = (string)$id;
$pattern = '/^\d+$/';
if (!preg_match($pattern, $id) !== 1) {
throw new Exception ('A non-integer value was passed for id');
}
$id = (int)$id;
$query = "SELECT id, name, strength, defense, level, health, type, experience FROM characters WHERE id = :id";
$stmt = $this->mysqli->prepare($query);
$stmt->bind_param('i', $id);
$result = $stmt->execute();
if (false === $result) {
throw new Exception('Query error: ' . $stmt->error);
} else {
$obj = new stdClass();
$stmt->bind_result($obj->id, $obj->name, $obj->strength, $obj->defense, $obj->level, $obj, health, $obj->type, $obj->experience);
$stmt->fetch();
$stmt->close();
return $obj;
}
}
Note I used prepared statements here, which, you should get used to using as it is really best practice for querying databases. Note also I have added in handling of error cases all throughout the code. You should get in the habit of doing this, as it will making debugging much easier.
Just a guess but I would move this above the class name:
<?php
include "database_connect.php";
class db_class{