I've started learning PDO yesterday and I thought I had it down but I've run into an error again while trying to submit a simple form. I'm using the example on w3schools but with a form input.
index.php
<form action="submit.php" method="post">
<input type="text" id="name" placeholder"Enter Your Name">
<button type="submit">Submit</button>
</form>
Here is my page that processes the form:
submit.php
<?php
$servername = "localhost";
$username = "testuser";
$password = "testpassword";
$dbname = "testdb";
$nickname = $_POST['name'];
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
//Set PDO Error Mode to Exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO test (name)
VALUES (:nickname)";
// use exec() because no results are returned
$conn->exec($sql);
echo "New record created successfully";
}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}
$conn = null;
?>
The Error I'm getting is:
INSERT INTO test (name) VALUES (:nickname)
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':nickname)' at line 2
You have to use prepared statments, try something like this:
// query
$sql = "INSERT INTO test (name)
VALUES (:nickname)";
$q = $conn->prepare($sql);
$q->execute(array(':nickname'=>$nickname));
First, you need to create a prepared statement, then bind to it a value, that you want to insert. You can more read about PDO from official php.net (http://php.net/manual/en/pdo.prepared-statements.php)
<?php
$servername = "localhost";
$username = "testuser";
$password = "testpassword";
$dbname = "testdb";
$nickname = $_POST['name'];
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
//Set PDO Error Mode to Exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO test (name)
VALUES (:nickname)";
$stm = $conn->prepare($sql);
$stm->bindParam(':nickname', $nickname);
// use exec() because no results are returned
$stm->execute();
echo "New record created successfully";
}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}
$conn = null;
?>
Your form input needs a name attribute, as this is how it is referenced.
<input type="text" id="name" placeholder="Enter Your Name">
You cannot rely on an "id" alone.
<input type="text" name="name" id="name" placeholder="Enter Your Name">
^^^^^^^^^^^
Having used error reporting, would have signalled an "Undefined index name..." notice.
The name attribute is the value that is in the PHP $_POST array so the above example will give:
$_POST['name'] = <the value you entered into the name input box>
To further clarify, the id value of the <input> element does not appear in the PHP $_POST data. The POST data requires a name attribute to submit data from the form.
you're almost there, you have missed a couple of steps. By using the :name marker in the sql string you are identifying that you will bind variables to this marker. this means that you need to have PDO prepare the sql query statement first, then bind your variable to it, then send it to the server.
like the following example:
...
$name = $_POST['name']
$sql = "INSERT INTO nameTable (name) VALUES(:name)";
//this is what you missed
$stmt= $con->prepare($sql);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
//the following is the way of executing a prepared statement, you keep using the $stmt variable, rather than the $con one.
$stmt->execute();
That should get it working.
What about
$q = $conn->prepare("INSERT INTO test (name) VALUES (:nickname)");
// Variant #1
$q->bindParam(':nickname', $nickname, PDO::PARAM_STR);
$q->execute();
// Variant #2
$q->bindValue(':nickname', $nickname, PDO::PARAM_STR);
$q->execute();
// Variant #3
$q->execute([':nickname' => $nickname]);
Also note:
bindParam() unlike bindValue(), bounds the variable as a reference and it will only be evaluated at the time execute() is called.
you are missing two steps:
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
//Set PDO Error Mode to Exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO test (name)
VALUES (:nickname)";
$conn->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
// use exec() because no results are returned
$conn->exec($sql,array(':nickname' => $username));
echo "New record created successfully";
}
Related
What is the proper way to "encapsulate" the sql queries scripts and connection script with try/catch or if/else blocks? I want to have a config.php file that will contain the connection part:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
try {
$conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully";
}
catch(PDOException $e)
{
echo "Connection failed: " . $e->getMessage();
}
?>
Now taken from w3schools, when they insert a value to the database, they simply re-write the entire connection part again:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO MyGuests (firstname, lastname, email)
VALUES ('John', 'Doe', 'john#example.com')";
// use exec() because no results are returned
$conn->exec($sql);
echo "New record created successfully";
}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}
$conn = null;
?>
but I want to properly separate the two. Also, if I use prepared statements, do I need to check if on each part? i.e the prepare, bindParam and execute? Or a single try/catch or if/else is enough:
// Prepare an insert statement
$sql = "INSERT INTO table(value) VALUES (:value)";
$stmt = $conn->prepare($sql);
// Bind variables to the prepared statement as parameters
$stmt->bindParam(':value', $value, PDO::PARAM_STR);
$stmt->execute(); //does each part here need an if/else?
You should only make the connection once. There's no need to close and reopen the connection between queries. I assume the reason the example at w3schools is written that way is so that it will be self-contained, executable as-is without relying on a connection established in another example.
If you have the code that defines your connection in one file like the first example you showed, you can include that file in other files that need a connection to execute queries, and $conn will be available there. For a simple project, that's all you really need.
As far as if/else or try/catch, since you have set the PDO::ATTR_ERRMODE attribute on your connection to PDO::ERRMODE_EXCEPTION, then wrapping bits of code where a query may fail in if/else probably won't be that useful, because an exception will be thrown if the query fails, so handling the exception in a catch block will work better. You can examine the exception to see exactly what went wrong, log the error, and show an appropriate error message to the user where applicable. Dumping every exception message to the screen as shown in the second example is generally not a good way to show appropriate error messages to users.
You should include the prepare, bind, and execute in the try block. execute() is not the only thing that can cause an exception. prepare() may throw an exception if you aren't using emulated prepared statements (depending on the setting of PDO::ATTR_EMULATE_PREPARES), and bind can also cause an exception, for example if you mess up a named placeholder.
if/else is more useful for checking the results of queries that executed successfully (e.g. did this select statement return any records). The level of detail of error handling you need determines how many if/else, try/catch blocks you need.
Sometimes it sucks when you have these ; " ' (semicolon, single and double quotation marks) everything in a string.
Question is simple what is the easiest way to send those sting into the database.
base64_encode();
base64_decode();
// Is not an option. I need to keep those data just same as it is.
You need
addslashes('your text') // in your php page
PDO statements is the best solution to your problem of executing SQL queries to your database with values that have single/double quotation marks... but more importantly PDO statements help prevent SQL injection.
To show you how this works, this very simple example gives you a basic understanding of how PDO statements work. All this example does is make the connection to the database and insert the username, email and password to the users table.
<?php
// START ESTABLISHING CONNECTION...
$dsn = 'mysql:host=host_name_here;dbname=db_name_here';
//DB username
$uname = 'username_here';
//DB password
$pass = 'password_here';
try
{
$db = new PDO($dsn, $uname, $pass);
$db->setAttribute(PDO::ERRMODE_SILENT, PDO::ATTR_EMULATE_PREPARES);
error_reporting(0);
} catch (PDOException $ex)
{
echo "Database error:" . $ex->getMessage();
}
// END ESTABLISHING CONNECTION - CONNECTION IS MADE.
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$hashed_password = password_hash($password, DEFAULT_BCRYPT);
//Validation on inputs here...
// Your SQL query... here is a sample one.
$query = "INSERT INTO users (userName, email, password) VALUES (:userName, :email, :password)";
$statement = $db->prepare($query);
// The values you wish to put in.
$statementInputs = array("userName" => $username, "email" => $email, "password" => $hashed_password);
$statement->execute($statementInputs);
$statement->closeCursor();
?>
You could put the establishing connection part in a separate file and require_once that file to avoid having to write the same code, again and again to establish a connection to your database.
Use mysqli_real_escape_string
$someText = mysqli_real_escape_string($con,"It's a test.");
where $con is your database connection variable.
I have this form:
<form action="contactus.php" method="post">
<select name="formTitle">
<option value="">Select...</option>
<option value="M">Mr</option>
<option value="F">Mrs</option>
</select>
<p><b>Name</b></p>
<input type="text" name="formName" maxlength="50"/>
<p><b>Enquiry</b></p>
<input type="text" name="formEnquiry" maxlength="500"/>
</select>
<p><input type="submit" name="formSubmit" value="Submit"/></p>
And I have a MySQL database (called 'contacts') with a table (called 'enquiries') with three columns; 'Title', 'Name', 'Enquiry'.
The database has no password or anything. It's just a localhost with a 'root' password.
What kind of PHP would I need to send the data from this HTML form to the MySQL database?
I can help you in this problem.
So, just add the following code to your php file contactus.php.
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "contacts";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if(isset($_POST['formSubmit'])) {
$formTitle = $_POST['formTitle'];
$formName = $_POST['formName'];
$formEnquiry = $_POST['formEnquiry'];
$sql = "INSERT INTO enquiries (Title, Name, Enquiry) VALUES ('$formTitle', '$formName', '$formEnquiry')";
$conn->query($sql);
?>
I hope this will solve your problem.
SIMPLE ANSWER: MySQL
A LITTLE BIT MORE DEVELOPED ANSWER:
MySQL is in basic terms the combination of PHP and SQL to create an easy way to do various actions to a database, which include:
Create table
Query table
Update table
and much more
There are variations of MySQL, including MySQLi and MySQL (PDO).
an example of connecting to your database via MySQL (PDO) would be:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$myDB = "databasename";
try {
$conn = new PDO("mysql:host=$servername;dbname=$myDB", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully";
//insert code there that you want to execute...
}
catch(PDOException $e)
{
echo "Connection failed: " . $e->getMessage();
}
?>
you mentioned that you don't have a password, so you might just leave the "password" slot empty ("") I suppose, though this is very insecure and I recommend you place a password.
In the code above, there is a comment that says:
//insert code there that you want to execute...
Here you would include code that would probably do actions similar to the ones mentioned above (query table, update table, etc). An example of code similar to that would be:
//htmlspecialchars takes out special characters that might
//exist in the posted information if someone were trying
//to hack your site via sql injection
$formTitle = htmlspecialchars($_POST['formTitle']);
$formName = htmlspecialchars($_POST['formName']);
$formEnquiry = htmlspecialchars($_POST['formEnquiry']);
$sql = "INSERT INTO enquiries (Title, Name, Enquiry) VALUES (formTitleBinded, formNameBinded, formEnquiryBinded)";
$sqlPrepared = $conn->prepare($sql);
$sqlPrepared->bindParam(':formTitleBinded',$formTitle);
$sqlPrepared->bindParam(':formNameBinded',$formName);
$sqlPrepared->bindParam('formEnquiryBinded',$formEnquiry);
$sqlPrepared->execute();
The previous code both sanitizes your input and inserts a row into your table with that information.
Let me know if that helped!
EDITED: My answer has been edited with parameter binding included to prevent SQL Injection.
This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 2 years ago.
Having trouble with line 27, Don't quite know why as I am very new to PHP/MySQL.
Was wondering if anybody can advise me why I am getting the error;
"Fatal error: Call to a member function execute() on a non-object in
C:\xampp\htdocs\testscripts\usercreate.php on line 27"
in the following code:
<?php
$name = $_POST["name"];
$psswrd = $_POST["psswrd"];
$username = "root";
$password = "hidden";
$hostname = "localhost";
$table = "testtable";
// create connection to database
// ...
$db= new mysqli($hostname, $username, $password, $table);
// sanitize the inputs
// ...
// create an MD5 hash of the password
$psswrd = md5($psswrd);
// save the values to the database
$sql = "INSERT INTO accounts (name, psswrd) VALUES (:name, :psswrd)";
$stmt = $db->prepare($sql);
$stmt->execute(array(
":name" => $name,
":psswrd" => $psswrd
));
->prepare returns false if an error occurred. Since $stmt->execute is complaining of being called on a non-object, it's reasonable to assume that something went wrong with the query.
Check $db->error.
Try this :
$db= new mysqli($hostname, $username, $password, $table);
if ($db->connect_errno) {
throw new Exception($db->connect_error, $db->connect_errno);
}
$psswrd = md5($psswrd);
// save the values to the database
$sql = "INSERT INTO accounts (name, psswrd) VALUES (:name, :psswrd)";
$stmt = $db->prepare($sql);
if (!$stmt) {
throw new Exception($db->error);
}
$stmt->execute(array(
":name" => $name,
":psswrd" => $psswrd
));
Show your all exception for better idea of given error.
First thing, the fourth parameter the MySQLi class takes is the database name, not the table name.
So, change the$table = 'testtable'; to something like this : $dbname = 'dbname';
Also, in your code, you are using named parameters (:name and :passwrd). This won't work because MySQLi doesn't support named parameters. PDO (PHP Data Objects) supports named parameters. If you use the PDO class to connect to the database, your script will work fine!
If you want to connect to the database using the MySQLi class, do this :
$name = $_POST['name'];
$psswrd = $_POST['psswrd'];
$username = "root";
$password = "";
$hostname = "localhost";
$dbname = "dbname";
// create connection to database
// ...
$db= new mysqli($hostname, $username, $password, $dbname);
// sanitize the inputs
// ...
// create an MD5 hash of the password
$psswrd = md5($psswrd);
// save the values to the database
$sql = "INSERT INTO `testtable` (id, name) VALUES (?, ?)";
$stmt = $db->prepare($sql);
$stmt->bind_param('ss', $name, $psswrd);
$stmt->execute();
Try that. Use question marks instead of named parameters.
In the bind_param() function, I've written the first parameter as 'ss'. The two 's' here stands for Strings. If you had an integer data, you could have replaced 's' with 'i'.
It's pretty self explanatory as to why there are two 's'. It's because you are binding two variables to the SQL query, both of them are strings. Hence the two 's'.
CODE UPDATED, STILL NOT WORKING.
I know I´m apparently using mysql function which will be outdated. But for now all I want is for this code to work. I want to know what I´m doing wrong:(
I´m very new to php and databases... I have been struggling to get simple html form data to go into the database table. And I just can´t get it to work:( Can anyone help and see what is wrong with my code? I´ve just done a simple table in the database with the fields ID, FIRSTNAME and SURNAME.
Here is the code:
<?php
//connect to database
$mysql_host = 'localhost';
$mysql_user = 'root';
$mysql_pass = '';
$mysql_db = 'test';
if (!mysql_connect ($mysql_host, $mysql_user, $mysql_pass)||!mysql_select_db ($mysql_db) ) {
die(mysql_error());
}
// Code
if (isset($_POST['firstname'])&&
isset($_POST['surname'])) {
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
if (!empty($username)&&!empty($password)) {
$query = "INSERT INTO `test`.`test_tabell`
VALUES ('', '" . mysql_real_escape_string($firstname) . "', '" . mysql_real_escape_string($surname) . "')";
/*$query = "INSERT INTO `test`.`test_tabell` VALUES (``, `.$firstname.`, `.$surname.`)"; */
$query_run = mysql_query($query);
if (!$query_run) echo mysql_error();
}
}
?>
<form action="add.php" method="POST">
Firstname:<br> <input type="text" name="firstname" value="<?php if (isset($firstname)) { echo $firstname; } ?>"><br><br>
Surname:<br> <input type="text" name="surname" value="<?php if (isset($surname)) { echo $surname; } ?>"><br><br>
<input type="submit" value="Submit">
</form>
Thank you!
Don't use mysql specific syntax, It's outdated and it begins to be annoying when you need to do some high level stuff, and you can't switch to sqlite or postgresql.
I recommend using PDO, you can do something like:
// Usage: $db = connectToDataBase($dbHost, $dbName, $dbUsername, $dbPassword);
// Pre: $dbHost is the database hostname,
// $dbName is the name of the database itself,
// $dbUsername is the username to access the database,
// $dbPassword is the password for the user of the database.
// Post: $db is an PDO connection to the database, based on the input parameters.
function connectToDataBase($dbHost, $dbName, $dbUsername, $dbPassword)
{
try
{
return new PDO("mysql:host=$dbHost;dbname=$dbName;charset=UTF-8", $dbUsername, $dbPassword);
}
catch(PDOException $PDOexception)
{
exit("<p>An error ocurred: Can't connect to database. </p><p>More preciesly: ". $PDOexception->getMessage(). "</p>");
}
}
And then init the variables (I think you forgot to define the name of the database);
$host = 'localhost';
$user = 'root';
$dataBaseName = 'databaseName';
$pass = '';
Now you can access your database via
$GLOBALS['db'] = connectToDataBase($host , $databaseName, $user, $pass);
Now you have an instance of a PDO database donnection.
One thing I want to point out is that you're vonurable to sql injections, you want to use prepared statements in your query, like:
$query = "INSERT INTO test(first_name, sur_name) VALUES (:firstname, :surname);";
Where we will execute two variables $firstName and $surName on the query, making them replace the values of :firstName and :surName, let me show you by first creating a simple insertion function:
function insertFunction($db, $query, $firstName, $surName)
{
$statement = $db->prepare($query);
return $statement->execute(array(":firstName" => $firstName, ":surName" => $surName));
}
So It's easy for you to do something like
$firstName = 'Smith';
$surName = 'John';
$db = $GLOBALS['db'];
$success = insertFunction($db, $query, $firstName, $surName);
Now you can check if it was successful or not, by checking whether $success is true or false.
If you want to see more advanced use of PDO (multiple rows etc) then you can check out one of my comments here: Javascript function as php?
(Not the top comment).
I hope this helps. Please comment if anything is odd.
Hard to tell without seeing your schema but try this:
$query = "INSERT INTO `test`.`test_tabell` VALUES ('', '$firstname', '$surname')";
$query_run = mysql_query($query);
You're using backticks instead of apostrophes. Also, you're trying to execute a query before defining what the query is.
Your insert query is wrong and also open to SQL injections. Here's how it should be:
$query = "INSERT INTO `test`.`test_tabell`
VALUES ('', '" . mysql_real_escape_string($firstname) . "', '" . mysql_real_escape_string($surname) . "')";
Notice the changing of all backticks to apostrophe.
Also, you're trying to execute the query before defining it.
EDIT
As per your information related to table definition, you can skip the id field from your table. The INSERT query will become:
$query = "INSERT INTO `test`.`test_tabell` (`FIRSTNAME`, `SURNAME`)
VALUES ('" . mysql_real_escape_string($firstname) . "', '" . mysql_real_escape_string($surname) . "')";
$query_run = mysql_query( $query );
As posted in the comments, you REALLY SHOULD NOT use/learn/practice using any function that starts with "mysql_" since it will NOT work as soon as PHP is updated. These functions are on their way out. Best of luck with learning to use PHP and SQL databases - just make sure you're learning something that will be useful in the future. Make sure to read up on Object Oriented Programming (OOP) in relation to PHP and both the PDO and mysqli_* functions.