We Keep Coding

What's wrong with this SQL INSERT prepared statement? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Reference - What does this error mean in PHP?
(38 answers)
Why does this PDO statement silently fail?
(2 answers)
Closed 2 years ago.
I'm creating a user registration system for my website. I had this working code:
$sqlQuery = "INSERT INTO GH_users (firstname, surname, email, accountConfirmed, username, passwordHash)
VALUES ('$firstname', '$surname', '$email', 0, '$usernameSignup', '$passwordHash')";
$execute = $dbConn->exec($sqlQuery);
However, I found out that this invites the risk of SQL injection. Therefore, I have tried to use a prepared statement to prevent this but I am unable to get it to work. Codes that I've tried:
$sqlQuery = "INSERT INTO GH_users (firstname, surname, email, accountConfirmed, username, passwordHash)
VALUES (?, ?, ?, ?, ?, ?)";
$stmt = $dbConn->prepare($sqlQuery);
$stmt->bindParam($firstname, $surname, $email, 0, $usernameSignup, $passwordHash);
$stmt->execute();
$sqlQuery = "INSERT INTO GH_users (firstname, surname, email, accountConfirmed, username, passwordHash)
VALUES (?, ?, ?, 0, ?, ?)";
$stmt = $dbConn->prepare($sqlQuery);
$stmt->bindParam("sssss", $firstname, $surname, $email, $usernameSignup, $passwordHash);
$stmt->execute();
// These give the following error: PDOStatement::bindParam() expects at most 5 parameters, 6 given
// So I tried this:
$sqlQuery = "INSERT INTO GH_users (firstname, surname, email, accountConfirmed, username, passwordHash)
VALUES (?, ?, ?, 0, ?, ?)";
$stmt = $dbConn->prepare($sqlQuery);
$stmt->bindParam($firstname, $surname, $email, $usernameSignup, $passwordHash);
$stmt->execute();
// But this throws: PDOStatement::bindParam() expects parameter 3 to be long, string given
I'm not sure why these are throwing the errors given, especially the "expects parameter 3 to be long" as the email field is a string (varchar) data type. Can anyone help with this and explain what is wrong(accountConfirmed is a bit if it helps)?
UPDATE
I realised that I was receiving these errors because I was not using prepared statements and bound parameters in PDO. Thanks to #tadman and #user3783243 in the comment section, I was able to shorten my code by adding my parameters to execute() to do the binding instead of using bindParam() for each of the parameters.
SOLUTION
$sqlQuery = "INSERT INTO GH_users (firstname, surname, email, accountConfirmed, username, passwordHash)
VALUES (?, ?, ?, 0, ?, ?)";
$stmt = $dbConn->prepare($sqlQuery);
$stmt->execute(array($firstname, $surname, $email, $usernameSignup, $passwordHash));

PHP mysqli prepare statement bind_param boolean error

Testing the statement from all side, but failed to find a solution for it.
// Insert the new user into the database
if( $insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)")){
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2,
$reg_ip, $random_salt, $countryname, $ref_code, $hashed_pin, $user_id3,
$user_id4);
$insert_stmt->execute();
This never executes or gets inside the if statement.
I debugged it by removing the if part, that shows bind_param() is boolean error.
$insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)");
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2, $reg_ip,
$random_salt, $countryname, $ref_code, $hashed_pin, $user_id3, $user_id4);
if($insert_stmt->execute()){
Fatal error: Call to a member function bind_param() on boolean
I have done following test:
All 10 variables data type test = OK (with gettype() function)
Variables data value = OK (printed all data value for checking)
Mysql query statement = OK (tested on MYSQL directly with inputted data, mysql is inserting values)
There is no syntax error either.
Variable alignment is = Ok
Data connection is = ok (as it runs other prepare statements without errors on same page)
Then where is the mistake?

I figure it out.
Solution:
It was not working because of the previous prepare statement $stmt_aff connection was not closed.
Once I closed it. Next Prepare statement $insert_stmt started working.
A good lesson learned why bind_param boolean error get produced if there are multiple prepare statement on the same page.
$stmt_aff->close();

PHP SQL insert prepared statements doesn't insert properly

When executing the following code, no Errors occur but the data isn't put into the database!
$zero = 0;
$connection = new mysqli("localhost", "andrewle_me", "*****", "andrewle_velocity");
$stmt = $connection->prepare("INSERT INTO accounts Values(?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("issssssi", $zero, $_POST["username"], password_hash($_POST["password"], PASSWORD_DEFAULT), $_POST["Email"], $_POST["firstname"], $_POST["lastname"], $_POST["nationality"], $zero);
$stmt->execute();
$stmt->close();
$connection->close();
echo "Success";

Define your posts and password hash outside of the param binding. Set the fields in the table that your values are going to be entered into.

properly sanitize multiple user inputs with mysqli

Im currently using mysqli, and I want a way to properly sanitize every single user input. Im looking for the most simple lightweight way to do this, as I understand that Im NOT supposed to use mysql_real_escape....
my query is like so
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
as i understand i'm supposed to use the function bindParam... If i use it like so, am i completley securing my user inputs?
$stmt->bind_param('sssssssss', $_POST[msg], ('$ip'), ('$date'), '$_POST[main]', '$_POST[twit]', ('$cit'), ('$lat'), ('$lon'), '$_POST[lang]');
$stmt->execute();
$stmt->close();
If this isn't securing my user inputs how do i properly do so?

You need to prepare the statement to be safe. Something like below (its probably not 100% but gives you an idea)
$sql = new mysqli("localhost", "my_user", "my_password", "world");
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssssssss",$_POST[msg], $ip, $date, $_POST[main], $_POST[twit], $cit, $lat, $lon, $_POST[lang]);
$stmt->execute();

First of all you have to follow basic PHP syntax
'$_POST[msg]' would be inserted as a literal $_POST[msg] string, while you expecting a value for $_POST['msg'] variable.

Prepared statements in MySQLi

I'm doing SQL queries in prepared statements(MySQLi)
This is the query
$register = $friend_zone->prepare("INSERT INTO users (name, username, password, email, security_answer, date, user_level, security_question) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$register->bind_param($name, $username, $password, $email, $security_answer, $date, $user_level, $security_question);
$register->execute();
Im getting a warning
Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /var/www/includes/functions.php on line 152 Notice: Undefined variable: result in /var/www/includes/functions.php on line 159
Can someone help?

You are using the bind_param() function wrong. The first parameter is a string containing the data types. For example:
$register->bind_param('ssssssis', $name, $username, $password, $email, $security_answer, $date, $user_level, $security_question);
Each letter corresponds to it's respective variable. s is for strings and i is for integers. There are some other ones available too.

Try:
$register = $friend_zone->prepare("INSERT INTO users (name, username, password, email, security_answer, date, user_level, security_question) VALUES(?, ?, ?, ?, ?, ?, ?, ?)");
$register->execute( array($name, $username, $password, $email, $security_answer, $date, $user_level, $security_question) );