I make code that using pdo to insert information to database and gain XSS protection.
now im few days look at the code and dont see the problem that make the code to not insert the requird information.
Here`s My code:
if ($register = $mysqli->prepare("INSERT INTO `accounts`(`id`, `username`, `email`, `password`, `salt`, `fullname`, `birthdate`, `gender`, `secure question`, `secure answer`, `asked`, `answered`, `lastlogin`) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
$register->bind_param("ssssssddsdds", $username, $email, $password, $random_salt, $fullname, $birthdate, $gender, $question, $answer, $z, $z, $lastlogin);
// Execute the prepared query.
if (! $register->execute()) {
echo "אירעה שגיאה";
$register->close();
}else{
echo 'אתם נרשמתם בהצלחה!. לחצו כאן';}
$register->close();
}
And the connection code:
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
Thank you.
Use mysqli_affected_rows to get the number of inserted row, if any function fails, check for errors using mysqli_error
$sql = "INSERT INTO `accounts`(`id`, `username`, `email`, `password`, `salt`, `fullname`, `birthdate`, `gender`, `secure question`, `secure answer`, `asked`, `answered`, `lastlogin`) VALUES (NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
if ($register = $mysqli->prepare($sql)) {
$register->bind_param("ssssssddsdds", $username, $email, $password, $random_salt, $fullname, $birthdate, $gender, $question, $answer, $z, $z, $lastlogin);
// Execute the prepared query.
if (!$register->execute()) {
echo "אירעה שגיאה";
die("execute() failed: ". mysqli_error($mysqli));
}
if(mysqli_affected_rows($register) > 0){
echo 'אתם נרשמתם בהצלחה!. לחצו כאן';
}else{
echo 'Did not inser any row';
}
}else{
die("prepare() failed: ". mysqli_error($mysqli));
}
Related
I am trying to use prepared statements as a best practice but I keep getting these errors.
1) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES (?, ?, ?, ?, ?,?, ?, ?, ?, ?)'
2) Undefined index: finalExamGrade in C:\wamp64 (this goes for all the superglobal variables)
3) Fatal error: Call to a member function bind_param() on boolean in C:\wamp64\
Any fixes? Ideas?
PHP/MySQL
require_once("DBCONNECT.php");
$id = $_REQUEST['studentID'];
$last = $_REQUEST['lastName'];
$first = $_REQUEST['firstName'];
$grade1 = $_REQUEST['test1Grade'];
$grade2 = $_REQUEST['test2Grade'];
$grade3 = $_REQUEST['test3Grade'];
$grade4 = $_REQUEST['test4Grade'];
$final = $_REQUEST['finalExamGrade'];
$stmt = $connect->prepare("SELECT * FROM students) VALUES (?, ?, ?, ?, ?,?, ?)");
$stmt->bind_param("issiiiii", $id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
$stmt->execute();
var_dump($id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
$stmt->close();
$connect->close();
$stmt = $connect->prepare("SELECT * FROM students) VALUES (?, ?, ?, ?, ?,?, ?)");
The above code is the root of all of your problem.
You use SELECT to insert data. It should be INSERT.
There is an extra bracket after students table.
The total parameters doesn't match with the bind_param one. There are 7 ?
in your code when you want to store 8 variables.
Change into this code
$stmt = $connect->prepare("INSERT INTO students(col1, col2, col3, col4, col5, col6, col7, col8) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("issiiiii", $id, $last, $first, $grade1, $grade2, $grade3, $grade4, $final);
I don't explain this code any further because it has been discussed on comments.
I have this piece of code, my user_account table gets populated but I am not getting anything inside my donor table. Can someone please tell me what could be the problem ? Thanks!
$stmt = mysqli_prepare($conn, "INSERT INTO user_account(username, password) VALUES (?, ?);") or die("Can't prepare user_account query: " . mysqli_error($conn));
mysqli_stmt_bind_param($stmt, "ss", $_POST['user'], $_POST['psw']);
mysqli_execute($stmt);
$stmt2 = mysqli_prepare($conn, "
INSERT INTO donor (user_id, blood_id, first_name,last_name,email_add,gender, birthday, telephone, city, last_donation)
SELECT LAST_INSERT_ID(), b.blood_id, ?, ?, ?, ?, ?, ?, ?, ?
FROM blood_type AS b
WHERE b.Blood_group= ?") or die ("Can't prepare donor query: " . mysqli_error($conn));
mysqli_stmt_bind_param($stmt2, "sssssssss", $_POST['fname'], $_POST['lname'], $_POST['email'], $_POST['gender'], $_POST['Birthday'], $_POST['Telephone'], $_POST['city'], $_POST['lastdonation'], $_POST['bloodgroup']);
mysqli_execute($stmt2);
I can conect to my database just fine, but whenever I try to insert data I get a "Call to a member function bind_param() on a non-object" error, which I know means that I must have mistyped the name of a slot, or something, but I just can't see it, I'm connecting locally, do I have to set up something in MyPhP to allow data to be added from a php file? Thanks in advance.
<?php
include 'connect.php';
if (isset($_POST['Slot1'])) {
$Slot1 = $_POST['Slot1'];
}
if (isset($_POST['Slot2'])) {
$Slot2 = $_POST['Slot2'];
}
if (isset($_POST['Slot3'])) {
$Slot3 = $_POST['Slot3'];
}
if (isset($_POST['Slot4'])) {
$Slot4 = $_POST['Slot4'];
}
if (isset($_POST['Slot5'])) {
$Slot5 = $_POST['Slot5'];
}
if (isset($_POST['Slot6'])) {
$Slot6 = $_POST['Slot6'];
}
if (isset($_POST['Slot7'])) {
$Slot7 = $_POST['Slot7'];
}
$stmt = $db->prepare("INSERT INTO `tabel` (Slot1, Slot 2, Slot3, Slot4,Slot5,
Slot6, Slot7)
VALUES (?, ?, ?, ?, ?, ?,?");
$stmt->bind_param('sssssss',$Slot1,$Slot2,$Slot3,$Slot4,$Slot5,$Slot6,$Slot7);
$stmt->execute();
$stmt->close();
header("Location: Display.php")
?>
You have missed one end parenthese
Replace
$stmt = $db->prepare("INSERT INTO `tabel` (Slot1, Slot 2, Slot3, Slot4,Slot5,
Slot6, Slot7)
VALUES (?, ?, ?, ?, ?, ?,?");
To
$stmt = $db->prepare("INSERT INTO `tabel` (Slot1, Slot 2, Slot3, Slot4,Slot5,
Slot6, Slot7)
VALUES (?, ?, ?, ?, ?, ?,?)");
Try to change your query to
$stmt = $db->prepare("INSERT INTO `tabel` (Slot1, Slot 2, Slot3, Slot4,Slot5,Slot6, Slot7)VALUES (?, ?, ?, ?, ?, ?,?)");
The issue I am having is the PHP code below only inserts the data into one table blue. What I want is if the directory category from the POST is equal to for example blue INSERT into Table blue , but if it is equal to yellow INSERT into yellow, but if it's equal to red INSERT into table red.
The only answers I have found deal with insert if exist but not multiple insert if statements. Any help would be greatly appreciated. I am just learning PHP code.
<?php
//Open a new connection to the MySQL server
$mysqli = new mysqli('localhost','some directory','password','some username');
//Output any connection error
if ($mysqli->connect_error) {
die('Connection failed : ('. $mysqli->connect_errno .') '. $mysqli->connect_error);
}
//values to be inserted in database table
$firstname = '$_POST[firstname]';
$lastname = '$_POST[lastname]';
$city = '$_POST[city]';
$state = '$_POST[state]';
$zipcode = '$_POST[zipcode]';
$directorycategory = '$_POST[directorycategory]';
$active = '$_POST[active]';
$query = ("INSERT INTO blue(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)");
$statement = $mysqli->prepare($query);
//bind parameters
$statement->bind_param('sssssss', $_POST['firstname'], $_POST['lastname'], $_POST['city'], $_POST['state'], $_POST['zipcode'], $_POST['directorycategory'], $_POST['active']);
if($statement->execute()){
header("some location");
}else{
die('Error : ('. $mysqli->errno .') '. $mysqli->error);
}
$statement->close();
?>
#oremIpsum1771 Your answer works the best. The final code is as follows
<?php
//Open a new connection to the MySQL server
$mysqli = new mysqli('localhost','some directory','password','some username');
//Output any connection error
if ($mysqli->connect_error) {
die('Connection failed : ('. $mysqli->connect_errno .') '. $mysqli->connect_error);
}
//values to be inserted in database table
$firstname = '$_POST[firstname]';
$lastname = '$_POST[lastname]';
$city = '$_POST[city]';
$state = '$_POST[state]';
$zipcode = '$_POST[zipcode]';
$directorycategory = '$_POST[directorycategory]';
$active = '$_POST[active]';
if($directorycategory == 'Employer'){
$query = ("INSERT INTO employer(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)");
}
else if($directorycategory == 'Blue'){$query = ("INSERT INTO blue(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
else if($directorycategory == 'Green'){$query = ("INSERT INTO green(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
else if($directorycategory == 'Red'){$query = ("INSERT INTO red(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
else if($directorycategory == 'Orange'){$query = ("INSERT INTO orange(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
$statement = $mysqli->prepare($query);
//bind parameters
$statement->bind_param('sssssss', $firstname, $lastname, $city, $state, $zipcode, $directorycategory, $active);
if($statement->execute()){
header("some location");
}else{
die('Error : ('. $mysqli->errno .') '. $mysqli->error);
}
$statement->close();
?>
I'm not seeing where you have the control structure for the query. If i'm understanding the problem correctly, I would think that you would need something like this:
if(directorycategory == 'blue'){$query = ("INSERT INTO blue(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
else if(directorycategory == 'yellow'){$query = ("INSERT INTO yellow(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)"); }
etc....
$query = ("INSERT INTO ".$_POST['directorycategory']."(
firstname, lastname, city, state, zipcode, directorycategory, active) VALUES(?, ?, ?, ?, ?, ?, ?)");
http://php.net/manual/en/language.operators.string.php
You can use the period to concatenate strings with variables to make 1 big string.
When executing the following code, no Errors occur but the data isn't put into the database!
$zero = 0;
$connection = new mysqli("localhost", "andrewle_me", "*****", "andrewle_velocity");
$stmt = $connection->prepare("INSERT INTO accounts Values(?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("issssssi", $zero, $_POST["username"], password_hash($_POST["password"], PASSWORD_DEFAULT), $_POST["Email"], $_POST["firstname"], $_POST["lastname"], $_POST["nationality"], $zero);
$stmt->execute();
$stmt->close();
$connection->close();
echo "Success";
Define your posts and password hash outside of the param binding. Set the fields in the table that your values are going to be entered into.