How do I convert a string data type into an integer with PHP PDO? I have tried using PDO::PARAM_INT and PDO::PARAM_STR, but it returns false and an error when I try to insert data into PostgreSQL. Is there any way to solve this?
Here is the code:
function create(){
    // get a time-stamp for the 'created' field
    $this->getTimestamp();
    // write query
    $query = "INSERT INTO
                " . $this->table_name . "
                (id_barang, nama_barang, harga_beli, harga_jual, created) VALUES (?, ?, ?, ?, ?)";
    $stmt = $this->conn->prepare($query);
    $stmt->bindParam(1, $this->id_barang, PDO::PARAM_STR);
    $stmt->bindParam(2, $this->nama_barang, PDO::PARAM_STR);
    $stmt->bindParam(3, $this->harga_beli, PDO::PARAM_INT);
    $stmt->bindParam(4, $this->harga_jual, PDO::PARAM_INT);
    $stmt->bindParam(5, $this->created);
    if($stmt->execute()){
        return true;
    }else{
        return false;
    }
}
It returns false, and I'm using an alert if create() returns false.
harga_beli and harga_jual are integer columns in PostgreSQL. In the HTML form I'm using a JavaScript function to group the zeros with a separator, for example 60.000, and the numbers should be integers in the database.
You can use the intval function:
echo intval('042'); // 42
You can leave it up to PDO to do the conversion.
If execute() returns false, check for errors.
The proper way to know whether it succeeded is to check the affected row count:
$stmt->bindParam(1, $this->id_barang);
$stmt->bindParam(2, $this->nama_barang);
$stmt->bindParam(3, $this->harga_beli);
$stmt->bindParam(4, $this->harga_jual);
$stmt->bindParam(5, $this->created);
// errorInfo() returns an array (SQLSTATE, driver code, message), so join it before printing
$stmt->execute() or die('error: ' . implode(' ', $stmt->errorInfo()));
if($stmt->rowCount() > 0){
    return true;
}else{
    return false;
}
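As an added example (not code from the question or the answer above): a function that normalises the form's "60.000"-style string to an integer before binding it with PDO::PARAM_INT, and configures PDO to throw on SQL errors so a failed INSERT reports the driver's message instead of a bare false. It runs against an in-memory SQLite database standing in for PostgreSQL; the table and column names are taken from the question, everything else (the function names, the sample values) is assumed.

```php
<?php
// Added example, not from the original question or answer.
// SQLite in memory stands in for PostgreSQL so that this runs stand-alone.
declare(strict_types=1);

function parsePrice(string $raw): int
{
    // Drop thousands separators ("60.000") and whitespace, then insist on digits only,
    // so that negative numbers, decimals and stray text are rejected rather than truncated.
    $digits = preg_replace('/[.\s]/', '', $raw);
    if ($digits === null || !ctype_digit($digits)) {
        throw new InvalidArgumentException("Not a whole-number price: '$raw'");
    }
    return (int) $digits;
}

$pdo = new PDO('sqlite::memory:', null, null, [
    // Raise a PDOException on any SQL error instead of returning false from execute().
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE barang (id_barang TEXT, nama_barang TEXT,
                                 harga_beli INTEGER, harga_jual INTEGER, created TEXT)');

// Assumed helper (not the class method from the question): insert one row and
// return the number of rows affected, which is 1 on success.
function createBarang(PDO $pdo, string $id, string $nama, string $beli, string $jual): int
{
    $stmt = $pdo->prepare('INSERT INTO barang (id_barang, nama_barang, harga_beli, harga_jual, created)
                           VALUES (?, ?, ?, ?, ?)');
    $stmt->bindValue(1, $id, PDO::PARAM_STR);
    $stmt->bindValue(2, $nama, PDO::PARAM_STR);
    $stmt->bindValue(3, parsePrice($beli), PDO::PARAM_INT);
    $stmt->bindValue(4, parsePrice($jual), PDO::PARAM_INT);
    $stmt->bindValue(5, date('Y-m-d H:i:s'), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample input in the format the form produces.
echo createBarang($pdo, 'B001', 'Kopi', '60.000', '75.000'), " row(s) inserted", PHP_EOL;
echo "stored harga_beli: ", $pdo->query('SELECT harga_beli FROM barang')->fetchColumn(), PHP_EOL;

try {
    createBarang($pdo, 'B002', 'Teh', '12,5', '15.000');   // decimal comma is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Normalising first matters because intval() stops at the first non-digit character: intval('60.000') is 60, not 60000, and PDO::PARAM_INT does not reformat the string for you. With ERRMODE_EXCEPTION the PostgreSQL type error that produced the silent false in the question surfaces as a PDOException carrying the server's message.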
I am trying to protect against SQL-injections by using prepared statements.
The following code shows the function that is called when a new user is created. The code that is commented out did work but was unsafe. Therefore, I tried changing it, but am getting the following error:
PDO::exec() expects parameter 1 to be string, object given
Here is the code:
function save()
{
    if ($this->id === null) {
        $query = self::$app->db->prepare(self::INSERT_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);
        //$query = sprintf(self::INSERT_QUERY,
        //    $this->username,
        //    $this->password,
        //    $this->email,
        //    $this->bio,
        //    $this->isAdmin );
    } else {
        $query = sprintf(self::UPDATE_QUERY,
            $this->username,
            $this->password,
            $this->email,
            $this->bio,
            $this->isAdmin,
            $this->id
        );
    }
    return self::$app->db->exec($query);
}
I am really new to both PHP and security, so any hints would be greatly appreciated!
The PDO::prepare method returns a PDOStatement object (not a string value). You need to use the PDOStatement::execute method to execute the prepared statement:
$query = self::$app->db->prepare(self::INSERT_QUERY);
$query->bindParam(1, $this->username);
$query->bindParam(2, $this->password);
$query->bindParam(3, $this->email);
$query->bindParam(4, $this->bio);
$query->bindParam(5, $this->isAdmin);
$query->execute(); //execute the prepared statement.
With PDO::exec you can only execute a SQL statement (without binding parameters).
You are mixing prepared statements and SQL statements. You should use the following:
function save()
{
    if ($this->id === null) {
        $query = self::$app->db->prepare(self::INSERT_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);
        return $query->execute();
    } else {
        $query = self::$app->db->prepare(self::UPDATE_QUERY);
        $query->bindParam(1, $this->username);
        $query->bindParam(2, $this->password);
        $query->bindParam(3, $this->email);
        $query->bindParam(4, $this->bio);
        $query->bindParam(5, $this->isAdmin);
        $query->bindParam(6, $this->id);
        return $query->execute();
    }
}
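An added example, not the asker's or either answerer's code, that puts the sprintf() pattern from the commented-out block beside the prepared statement and runs both against an in-memory SQLite database. The input is a constructed value containing an apostrophe: the interpolated query breaks (here as a syntax error) while the bound version stores the text unchanged. The users table, its columns and the function names are assumed.

```php
<?php
// Added example, not from the original question or answers.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');

// Unsafe: the data becomes part of the SQL text, so the database parses user
// input as SQL. An ordinary apostrophe is enough to change the statement.
function insertWithSprintf(PDO $db, string $username, string $bio): bool
{
    $sql = sprintf("INSERT INTO users (username, bio) VALUES ('%s', '%s')", $username, $bio);
    return $db->exec($sql) === 1;
}

// Safe: the SQL text is fixed at prepare() time and the values are sent
// separately, so the driver never interprets them as SQL.
function insertPrepared(PDO $db, string $username, string $bio): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, bio) VALUES (?, ?)');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->bindValue(2, $bio, PDO::PARAM_STR);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Constructed input: legitimate data that happens to contain quotes.
$username = "o'brien";
$bio      = "Likes 'single' quotes";

try {
    insertWithSprintf($db, $username, $bio);
} catch (PDOException $e) {
    echo "sprintf version failed: ", $e->getMessage(), PHP_EOL;
}

echo "prepared version ok: ", var_export(insertPrepared($db, $username, $bio), true), PHP_EOL;
foreach ($db->query('SELECT username, bio FROM users') as $row) {
    echo "stored: {$row['username']} / {$row['bio']}", PHP_EOL;
}
```

The same separation is what makes PDO::exec() the wrong call for the asker's code: exec() takes a finished SQL string, while a PDOStatement carries the query and its bound values and is run with execute().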
I'm trying to insert into a table, I have managed this using the same syntax for another query but this fails, the only difference is that this contains date information. Can anyone spot the problem?
The date is in this format: 2016-07-07.
try {
    $sql2 = "INSERT INTO excavation.contexts_spatial
                (area_easting,
                 area_northing,
                 context_number,
                 open_date,
                 close_date,
                 excavation_method,
                 contamination,
                 zooarchaeology_comments,
                 ceramic_comments) VALUES (
                :area_easting,
                :area_northing,
                :context_number,
                :open_date,
                :close_date,
                :excavation_method,
                :contamination,
                :zooarchaeology_comments,
                :ceramic_comments)";
    $stmt2 = $conn->prepare($sql2);
    // prepare sql and bind parameters
    $stmt2->bindParam(':area_easting', $area_easting, PDO::PARAM_INT);
    $stmt2->bindParam(':area_northing', $area_northing, PDO::PARAM_INT);
    $stmt2->bindParam(':context_number', $nextContext, PDO::PARAM_INT);
    $stmt2->bindParam(':open_date', $open_date, PDO::PARAM_STR);
    $stmt2->bindParam(':close_date', $close_date, PDO::PARAM_STR);
    $stmt2->bindParam(':excavation_method', $excavation_method, PDO::PARAM_STR);
    $stmt2->bindParam(':contamination', $contamination, PDO::PARAM_STR);
    // each placeholder must be bound to its own variable
    $stmt2->bindParam(':zooarchaeology_comments', $zooarchaeology_comments, PDO::PARAM_STR);
    $stmt2->bindParam(':ceramic_comments', $ceramic_comments, PDO::PARAM_STR);
    //$stmt2->execute();
    // insert a row
    $area_easting = $_SESSION['area_easting'];
    $area_northing = $_SESSION['area_northing'];
    $nextContext = $_SESSION['nextContext'];
    $open_date = $_SESSION['dateOpen'];
    $close_date = $_SESSION['dateClose'];
    $excavation_method = $_SESSION['excavationMethod'];
    $contamination = $_SESSION['contamination'];
    $zooarchaeology_comments = $_SESSION['zooarchaeologyComments'];
    $ceramic_comments = $_SESSION['ceramicComments'];
    $stmt2->execute();
    echo "New records created successfully in contexts spatial<br />";
}
catch(PDOException $e)
{
    echo "Error: " . $e->getMessage();
}
You are executing your statement before setting the variables. Remove the $stmt2->execute(); call shown below:
$stmt2->bindParam(':ceramic_comments', $ceramic_comments, PDO::PARAM_STR);
$stmt2->execute(); // REMOVE THIS LINE
// insert a row
$area_easting = $_SESSION['area_easting'];
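An added example (not code from the question or the answer) showing why the order matters: bindParam() binds the variable by reference and reads it only when execute() runs, so assigning the values after bindParam() is fine, but calling execute() before the assignments sends NULLs. It uses an in-memory SQLite table with two of the question's columns; `$session` is a constructed stand-in for `$_SESSION`, and the function name and `$executeEarly` switch are assumed.

```php
<?php
// Added example, not from the original question or answer.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$conn->exec('CREATE TABLE contexts_spatial (context_number INTEGER, open_date TEXT)');

// Inserts one row and returns it. $executeEarly reproduces the ordering from the
// question (execute() before the variables are assigned).
function insertContext(PDO $conn, array $session, bool $executeEarly): array
{
    $stmt = $conn->prepare('INSERT INTO contexts_spatial (context_number, open_date)
                            VALUES (:context_number, :open_date)');

    // bindParam() takes the variables by reference; they do not need a value yet.
    // The values are read from the variables at execute() time.
    $stmt->bindParam(':context_number', $nextContext, PDO::PARAM_INT);
    $stmt->bindParam(':open_date', $open_date, PDO::PARAM_STR);

    if ($executeEarly) {
        $stmt->execute();   // both variables are still null, so NULL, NULL is inserted
    }

    $nextContext = $session['nextContext'];
    $open_date   = $session['dateOpen'];    // 'YYYY-MM-DD', the format from the question

    if (!$executeEarly) {
        $stmt->execute();   // the bound references now hold the real values
    }

    return $conn->query('SELECT context_number, open_date FROM contexts_spatial
                         ORDER BY rowid DESC LIMIT 1')->fetch(PDO::FETCH_ASSOC);
}

// Constructed stand-in for $_SESSION.
$session = ['nextContext' => 42, 'dateOpen' => '2016-07-07'];

print_r(insertContext($conn, $session, true));    // the ordering from the question
print_r(insertContext($conn, $session, false));   // the corrected ordering
```

SQLite accepts the NULLs silently because the demo table has no constraints; with NOT NULL columns, or PostgreSQL's date type, the early execute() would instead throw a PDOException, which is the failure the question describes. bindValue() would not help here: it copies the value at the time of the call, so the later assignments would never be seen.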
I need to get an array of id's of the subscribers added to the database within this function:
function insert_test($pdo, $fullname, $email) {
    if ($SQL = $pdo->prepare("INSERT INTO subscribers ([dateAdded],[dateUpdated],[fullname],[email],[isActive]) VALUES (GETDATE(), GETDATE(), :fullname, :email, 1)")) {
        $SQL->bindValue(':fullname', $fullname, PDO::PARAM_STR);
        $SQL->bindValue(':email', $email, PDO::PARAM_STR);
        $SQL->execute();
        return array('status'=> true);
    } else {
        return array('status'=> false);
    }
}
However, I am struggling with figuring out how to get the values and return them within the array like so:
return array('status'=> true,'ids'=> $ids);
I have read up and found that SCOPE_IDENTITY() is probably the most reliable way of getting these values but I don't know where to put it in this function to return the values that I need. The Primary key in the database is the id column.
Would it be something like this:
if ($SQL = $pdo->prepare("INSERT INTO subscribers ([dateAdded],[dateUpdated],[fullname],[email],[isActive]) VALUES (GETDATE(), GETDATE(), :fullname, :email, 1) SELECT SCOPE_IDENTITY()"))
And then bind a parameter after that called $ids or am I over thinking this completely?
Any help would be greatly appreciated!
EDIT: I have tried using a similar function to the one in this question and was receiving an invalid cursor error so adapted it to look like this (notice the closeCursor was how to fix the invalid cursor error):
function insert_test($pdo, $fullname, $email) {
    if ($SQL = $pdo->prepare("INSERT INTO subscribers ([dateAdded],[dateUpdated],[fullname],[email],[isActive]) OUTPUT INSERTED.id VALUES (GETDATE(), GETDATE(), :fullname, :email, 1)")) {
        $SQL->bindValue(':fullname', $fullname, PDO::PARAM_STR);
        $SQL->bindValue(':email', $email, PDO::PARAM_STR);
        $SQL->execute();
        $SQL->closeCursor();
        $ids = $SQL->fetchAll(PDO::FETCH_ASSOC);
        return array('status'=> true, 'id' => $ids);
    } else {
        $pdo = null;
        return array('status'=> false);
    }
}
The return from this function is now this:
Array
(
[status] => 1
[id] => Array
(
)
)
So it seems the output is not working as it should? This is getting stranger and stranger...
Figured it out guys!
There was a problem with the position of the closeCursor() call; the function now looks like this:
function insert_test($pdo, $fullname, $email) {
    if ($SQL = $pdo->prepare("INSERT INTO subscribers ([dateAdded],[dateUpdated],[fullname],[email],[isActive]) OUTPUT INSERTED.id VALUES (GETDATE(), GETDATE(), :fullname, :email, 1)")) {
        $SQL->bindValue(':fullname', $fullname, PDO::PARAM_STR);
        $SQL->bindValue(':email', $email, PDO::PARAM_STR);
        $SQL->execute();
        $ids = $SQL->fetchAll(PDO::FETCH_ASSOC);
        $SQL->closeCursor();
        foreach ($ids as $id) {
            return $id['id'];
        }
    } else {
        $pdo = null;
        return false;
    }
}
So when insert_test($pdo, $fullname, $email); is called inside a foreach loop over the data being inserted, the function returns each id as desired.
If anyone can see any inherent problems with this please let me know!
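An added example (not the asker's code) of the batch version the question was after: insert several subscribers inside one transaction and return every generated id as an array, fetching each id before the statement is reused. It runs on in-memory SQLite, which has no OUTPUT clause, so lastInsertId() supplies the id; on SQL Server the OUTPUT INSERTED.id query from the question feeds fetchAll() in the same position, before closeCursor(). The table definition, the function name and the sample rows are assumed.

```php
<?php
// Added example, not from the original question.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE subscribers (
                id       INTEGER PRIMARY KEY AUTOINCREMENT,
                fullname TEXT    NOT NULL,
                email    TEXT    NOT NULL UNIQUE,
                isActive INTEGER NOT NULL)');

/**
 * Insert every row of $rows and return ['status' => bool, 'ids' => int[]].
 * The batch is atomic: one failing row rolls back the rows inserted before it.
 *
 * @param array<int, array{fullname: string, email: string}> $rows
 */
function insertSubscribers(PDO $pdo, array $rows): array
{
    $stmt = $pdo->prepare('INSERT INTO subscribers (fullname, email, isActive)
                           VALUES (:fullname, :email, 1)');
    $ids = [];
    $pdo->beginTransaction();
    try {
        foreach ($rows as $row) {
            $stmt->bindValue(':fullname', $row['fullname'], PDO::PARAM_STR);
            $stmt->bindValue(':email', $row['email'], PDO::PARAM_STR);
            $stmt->execute();
            // Collect the id now, before the next execute() replaces it.
            $ids[] = (int) $pdo->lastInsertId();
            $stmt->closeCursor();
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        return ['status' => false, 'ids' => [], 'error' => $e->getMessage()];
    }
    return ['status' => true, 'ids' => $ids];
}

// Constructed sample data.
print_r(insertSubscribers($pdo, [
    ['fullname' => 'Ada Lovelace', 'email' => 'ada@example.com'],
    ['fullname' => 'Alan Turing',  'email' => 'alan@example.com'],
]));

// A batch that repeats an email violates the UNIQUE constraint and is rolled back as a whole.
print_r(insertSubscribers($pdo, [
    ['fullname' => 'Grace Hopper', 'email' => 'grace@example.com'],
    ['fullname' => 'Ada again',    'email' => 'ada@example.com'],
]));
```

Returning the whole array avoids the pattern in the final version above, where the foreach returns on its first iteration and a statement that yields no row falls through to return null rather than false.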
if($stmt = $this->Sys->db->prepare("INSERT INTO dj_videos (title, url, caption) VALUES (?, ?, ?)")) {
    $stmt->bind_param('sss', $title, $url, $comment);
    $stmt->execute();
    $stmt->store_result();
    $stmt->fetch();
    if($stmt->num_rows == 1) {
        return TRUE;
    }
    else {
        return FALSE;
    }
}
This is returning false, but it inserts the information into the database every time. It blows my mind.
mysqli_stmt::execute returns TRUE on success or FALSE on failure.
So you only need to return the result of it:
if($stmt = $this->Sys->db->prepare("INSERT INTO dj_videos (title, url, caption) VALUES (?, ?, ?)")) {
    $stmt->bind_param('sss', $title, $url, $comment);
    return $stmt->execute();
}
By the way, if the statement is UPDATE, DELETE, or INSERT, the total number of affected rows can be determined by using the mysqli_stmt_affected_rows() function.
num_rows returns the number of rows in a statement result set.
You want affected_rows, which returns the number of rows changed, deleted, or inserted by the last executed statement:
$stmt->bind_param('sss', $title, $url, $comment);
$stmt->execute();
$stmt->store_result();
$stmt->fetch();
if($stmt->affected_rows == 1) {
    return TRUE;
}
else {
    return FALSE;
}