I'm trying out using prepared statements for the first time and running into the following issue with the below code
Error :
Warning: mysqli_stmt_bind_param() expects parameter 1 to be
mysqli_stmt, boolean given
Code :
$stmt = mysqli_prepare($db, "INSERT INTO fragrances(name, description, essentialoils, topnotes, middlenotes, basenotes, reference, year, type, price, fragrancehouse, triangle, extractname, extractreference, extractprice, extractfragrancehouse, disccolour, collarcolour, actuatorcolour)
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssssssssssssssssss', $name, $description, $essentialoils, $topnotes, $middlenotes, $basenotes, $reference, $year, $type, $price, $fragrancehouse, $triangle, $extractname, $extractreference, $extractprice, $extractfragrancehouse, $disccolour, $collarcolour, $actuatorcolour);
mysqli_stmt_execute($stmt);
I've looked at many different questions on here and none of their solutions seem to apply for my problem, does anyone know what the issue is?
$stmt becomes a boolean only when mysqli_prepare returns false.
When this happens it means it failed to prepare the query therefore you need to check for errors:
$stmt = mysqli_stmt_init($db);
if (mysqli_stmt_prepare($stmt, 'INSERT INTO fragrances VALUES...')) {
//it's all good bind and execute here
}else{
//we have a problem
printf("Errormessage: %s\n", mysqli_error($db));
}
The error message means your mysqli_prepare returned a boolean (and for your case, it returned false).
You need to replace all your field name by the character ? to make your prepared statement. This is how it works.
See example in the official documentation
EDIT See also mysqli_error , which will detail your error. In fact, you should always check a variable before using it:
$stmt = mysqli_prepare($db, "....");
if(!$stmt)
echo mysqli_error($db); // display error only for debug. Avoid this in production
It means your SQL was invalid because the prepare is returning false;
Your SQL should be;
$stmt = mysqli_prepare($db, "INSERT INTO fragrances VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )");
Each ? is to show where each parameter needs to be bound respectively.
Your INSERT statement is invalid: VALUES clause must be with ? in parantheses (and after field names in parentheses). Also good practice is to check $stmt after assigning:
$stmt = mysqli_prepare($db,
"INSERT INTO fragrances (name, description, essentialoils, topnotes, middlenotes, basenotes, reference, year, type, price, fragrancehouse, triangle, extractname, extractreference, extractprice, extractfragrancehouse, disccolour, collarcolour, actuatorcolour)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
if ($stmt) {
mysqli_stmt_bind_param($stmt, 'sssssssssssssssssss', $name, $description, $essentialoils, $topnotes, $middlenotes, $basenotes, $reference, $year, $type, $price, $fragrancehouse, $triangle, $extractname, $extractreference, $extractprice, $extractfragrancehouse, $disccolour, $collarcolour, $actuatorcolour);
mysqli_stmt_execute($stmt);
// ...
} else
printf("Error: %s\n", mysqli_error($db));
Related
So I have this massive headache inducing query that I need to perform involving 65 form inputs needing to be injected into a database using mysqli prepared statements.
The issue I'm running into is that it says the # of variables I am attempting to call bind_param on does not match the # of "s"'s that I am using. I counted a dozen times and do not see where I am going wrong here. There are 65 variables, and 65 "s"'s.
Can anyone see something I'm missing? Or am I perhaps using the bind_param method in an incorrect manner?
// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
$query3 = 'INSERT INTO datashep_AMS.COMPLETE_APPLICATIONS (
project_name,
status,
funding_requested,
project_title,
program,
county,
parish,
name_of_watercourse,
which_is_a_tributary_of,
name_of_applicant,
contact_person_or_project_supervisor,
relationship_to_organization,
business_phone,
home_phone,
email,
signature_of_thesis_or_study_supervisor,
mailing_address,
postal_code,
website,
mailing_address_for_payment,
hst_registration_no,
total_cost_dollar,
total_cost_percent,
dollar_amount_requested_from_nbwtf,
percent_amount_requested_from_nbwtf,
descriptive_summary,
background_of_organization,
mandate,
years_in_existence,
membership,
accomplishments,
previous_project_name,
previous_project_number,
previous_project_amount_received_from_nbwtf,
summary_of_activities,
summary_of_Results,
project_title_2,
reason_and_or_purpose,
objectives,
project_description,
methods,
equipment_and_materials_required,
personnel_required,
proposed_start_date,
proposed_end_date,
type_of_data_to_be_stored,
where_will_it_be_housed,
monitoring,
short_term_achievement,
long_term_achievement,
previous_studies,
required_permits,
consultants,
short_term_commitment,
long_term_commitment,
project_duration,
project_evaluation,
promotion_of_project,
promotion_of_client,
publication_of_results,
community_benefits,
effects_on_traditional_uses,
possible_changes_in_public_access_to_areas,
possible_impact_on_wildlife_and_or_environment,
likelihood_of_future_requests_for_funding,
list_all_other_funding_sources_for_this_project
) VALUES (
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?
)';
// "Preparing" the query using mysqli->prepare(query) -- which is the equivalent of mysql_real_escape_string -- in other words, it's the SAFE database injection method
$stmt = $dbConnection->prepare($query3);
// "Bind_param" == replace all the "?"'s in the aforementioned query with the variables below
$stmt->bind_param("s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s", $project_name, $status, $funding_requested, $project_title, $program, $county, $parish, $name_of_watercourse, $which_is_a_tributary_of, $name_of_applicant, $contact_person_or_project_supervisor, $relationship_to_organization, $business_phone, $home_phone, $email, $signature_of_thesis_or_study_supervisor, $mailing_address, $postal_code, $website, $mailing_address_for_payment, $hst_registration_no, $total_cost_dollar, $total_cost_percent, $dollar_amount_requested_from_nbwtf, $percent_amount_requested_from_nbwtf, $descriptive_summary, $background_of_organization, $mandate, $years_in_existence, $membership, $accomplishments, $previous_project_name, $previous_project_number, $previous_project_amount_received_from_nbwtf, $summary_of_activities, $summary_of_Results, $project_title_2, $reason_and_or_purpose, $objectives, $project_description, $methods, $equipment_and_materials_required, $personnel_required, $proposed_start_date, $proposed_end_date, $type_of_data_to_be_stored, $where_will_it_be_housed, $monitoring, $short_term_commitment, $long_term_achievement, $previous_studies, $required_permits, $consultants, $short_term_commitment, $long_term_commitment, $project_duration, $project_evaluation, $promotion_of_project, $promotion_of_client, $publication_of_results, $community_benefits, $effects_on_traditional_uses, $possible_changes_in_public_access_to_areas, $possible_impact_on_wildlife_and_or_environment, $likelihood_of_future_requests_for_funding, $list_all_other_funding_sources_for_this_project);
// Perform the actual query!
$stmt->execute();
The number of characters in the type definition string must be equal to the number of placeholders (? marks) in the SQL query.
// three ? marks
$stmt->prepare("INSERT INTO table (one, two, three) VALUES (?,?,?)");
$stmt->bind_param("sss", $one, $two, $three);
// three s characters (and three variables as well)
Note that characters in the type definition string should not be separated by commas.
You can see this format demonstrated in the examples on the manual page.
there are 65 string params so if there are 65 s's you have the correct number. However the errors are appearing because you separated the s's by commas. Instead of $stmt->bind_param("s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s..."
it should be
$stmt->bind_param("sssssssssssssssss..."
This should solve your errors.
The character in the bind_param should not be separated by a comma.
If you have to bind two variables do this:
$stmt->bind_param('ss', $firstvariable, $secondvariable);
So I have this massive headache inducing query that I need to perform involving 65 form inputs needing to be injected into a database using mysqli prepared statements.
The issue I'm running into is that it says the # of variables I am attempting to call bind_param on does not match the # of "s"'s that I am using. I counted a dozen times and do not see where I am going wrong here. There are 65 variables, and 65 "s"'s.
Can anyone see something I'm missing? Or am I perhaps using the bind_param method in an incorrect manner?
// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
$query3 = 'INSERT INTO datashep_AMS.COMPLETE_APPLICATIONS (
project_name,
status,
funding_requested,
project_title,
program,
county,
parish,
name_of_watercourse,
which_is_a_tributary_of,
name_of_applicant,
contact_person_or_project_supervisor,
relationship_to_organization,
business_phone,
home_phone,
email,
signature_of_thesis_or_study_supervisor,
mailing_address,
postal_code,
website,
mailing_address_for_payment,
hst_registration_no,
total_cost_dollar,
total_cost_percent,
dollar_amount_requested_from_nbwtf,
percent_amount_requested_from_nbwtf,
descriptive_summary,
background_of_organization,
mandate,
years_in_existence,
membership,
accomplishments,
previous_project_name,
previous_project_number,
previous_project_amount_received_from_nbwtf,
summary_of_activities,
summary_of_Results,
project_title_2,
reason_and_or_purpose,
objectives,
project_description,
methods,
equipment_and_materials_required,
personnel_required,
proposed_start_date,
proposed_end_date,
type_of_data_to_be_stored,
where_will_it_be_housed,
monitoring,
short_term_achievement,
long_term_achievement,
previous_studies,
required_permits,
consultants,
short_term_commitment,
long_term_commitment,
project_duration,
project_evaluation,
promotion_of_project,
promotion_of_client,
publication_of_results,
community_benefits,
effects_on_traditional_uses,
possible_changes_in_public_access_to_areas,
possible_impact_on_wildlife_and_or_environment,
likelihood_of_future_requests_for_funding,
list_all_other_funding_sources_for_this_project
) VALUES (
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
?
)';
// "Preparing" the query using mysqli->prepare(query) -- which is the equivalent of mysql_real_escape_string -- in other words, it's the SAFE database injection method
$stmt = $dbConnection->prepare($query3);
// "Bind_param" == replace all the "?"'s in the aforementioned query with the variables below
$stmt->bind_param("s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s", $project_name, $status, $funding_requested, $project_title, $program, $county, $parish, $name_of_watercourse, $which_is_a_tributary_of, $name_of_applicant, $contact_person_or_project_supervisor, $relationship_to_organization, $business_phone, $home_phone, $email, $signature_of_thesis_or_study_supervisor, $mailing_address, $postal_code, $website, $mailing_address_for_payment, $hst_registration_no, $total_cost_dollar, $total_cost_percent, $dollar_amount_requested_from_nbwtf, $percent_amount_requested_from_nbwtf, $descriptive_summary, $background_of_organization, $mandate, $years_in_existence, $membership, $accomplishments, $previous_project_name, $previous_project_number, $previous_project_amount_received_from_nbwtf, $summary_of_activities, $summary_of_Results, $project_title_2, $reason_and_or_purpose, $objectives, $project_description, $methods, $equipment_and_materials_required, $personnel_required, $proposed_start_date, $proposed_end_date, $type_of_data_to_be_stored, $where_will_it_be_housed, $monitoring, $short_term_commitment, $long_term_achievement, $previous_studies, $required_permits, $consultants, $short_term_commitment, $long_term_commitment, $project_duration, $project_evaluation, $promotion_of_project, $promotion_of_client, $publication_of_results, $community_benefits, $effects_on_traditional_uses, $possible_changes_in_public_access_to_areas, $possible_impact_on_wildlife_and_or_environment, $likelihood_of_future_requests_for_funding, $list_all_other_funding_sources_for_this_project);
// Perform the actual query!
$stmt->execute();
The number of characters in the type definition string must be equal to the number of placeholders (? marks) in the SQL query.
// three ? marks
$stmt->prepare("INSERT INTO table (one, two, three) VALUES (?,?,?)");
$stmt->bind_param("sss", $one, $two, $three);
// three s characters (and three variables as well)
Note that characters in the type definition string should not be separated by commas.
You can see this format demonstrated in the examples on the manual page.
there are 65 string params so if there are 65 s's you have the correct number. However the errors are appearing because you separated the s's by commas. Instead of $stmt->bind_param("s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s,s..."
it should be
$stmt->bind_param("sssssssssssssssss..."
This should solve your errors.
The character in the bind_param should not be separated by a comma.
If you have to bind two variables do this:
$stmt->bind_param('ss', $firstvariable, $secondvariable);
if ($stmt = $mysqli->prepare("UPDATE profile SET fullname =?, guardian =?,
addressline1 = ?, addressline2 = ?, city = ?, stateid = ?, pin = ?, birthdate = ?,
bloodgroup= ?, allergydetails= ?, pancardno= ?, officephone= ?, residencephone= ?,
mobilephone= ?, drivinglicensenumber= ?, drivinglicensevalidupto= ?,
fmscidrivinglicensenumber= ?, fmscientrantlicensenumber= ?, vehiclemake= ?,
vehiclemodel= ?, vehiclenumber= ?, vehicleyear= ?, emergencyname= ?,
emergencyaddress1= ?, emergencyaddress2= ?,emergencylandphone= ?,
emergencymobilephone= ?, isprofilecomplete = ? WHERE username = ?"))
{
$stmt->bind_param('sssssississsssssssssssssssssi', $fullname, $sodowo,
addressline1, $addressline2, $city, $stateid, $pin, $birthdate, $bloodgroup,
$allergydetails, $pancardno, $officephone, $residencephone, $mobilephone,
$drivinglicensenumber, $drivinglicensevalidupto, $fmscidrivinglicensenumber,
$fmscientrantlicensenumber, $vehiclemake, $vehiclemodel, $vehiclenumber, $vehicleyear,
$emergencyname, $emergencyaddress1, $emergencyaddress2, $emergencylandphone,
$emergencymobilephone, $isprofilecomplete , $username );
$stmt->execute();
$stmt->close();
}
When the above update statement is executed it is updating all the rows with the values instead of the WHERE clause. Any ideas why this is happening?
Thanks.
The last value of the types string for bind param (first parameter ("sssssississsssssssssssssssssi") is an "i" for integer but you're comparing it to "username" which is probably a string.
I guess the value you're passing in is converted to 0 and comparing 0 to any string in MySQL is always true (see mysql: why comparing a 'string' to 0 gives true?).
Try changing the last "i" for a "s" in "sssssississsssssssssssssssssi" (which is really horrible to read and hence very error-prone btw.)
I was always using normal querys for inserting data into the database but now I want to make it with prepared statements. I'm already using statements to select data in all my files but insert never worked... And now I ran out of ideas again. Maybe someone can see what I did wrong.
$animeId = $_POST['animeId'];
$username = $_POST['username'];
$rating = $_POST['rating'];
$story = $_POST['story'];
$genre = $_POST['genre'];
$animation = $_POST['animation'];
$characters = $_POST['characters'];
$music = $_POST['music'];
//Datum auslesen
$date = date("Y-m-d H:i:s");
if($insertRating = $con->prepare("INSERT INTO anime_rating (animeId, rating, story, genre, animation, characters, music, user, date) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?"))
{
$insertRating->bind_param("iiiiiiiss", $animeId, $rating, $story, $genre, $animation, $characters, $music, $username, $date);
$insertRating->execute();
$insertRating->close();
}
You have an errant comma in your query:
music, user,) VALUES (?, ?, ?, ?, ?, ?, ?
^^^
HERE
It should be
music, user) VALUES (?, ?, ?, ?, ?, ?, ?
In the statement:
INSERT INTO anime_rating (
animeId,
rating,
story,
genre,
animation,
characters,
music,
user /* 8 columns */)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?") /* 10 parameters */
There are 8 columns listed to insert values into and 10 parameters specified in the values section. Also as pointed out there is the extra comma in the list of values.
The number of columns must match the number of parameters and the number of parameters binding in the following statement:
`$insertRating->bind_param("iiiiiiiss", $animeId, $rating, $story, $genre, $animation, $characters, $music, $username, $date);`
Two errors in the statement:
INSERT INTO anime_rating (animeId, rating, story, genre, animation, characters, music, user,) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?"
^ here and ^ ^
remove the comma
add a closing parentheses before the end of the string.
remove one ,?
Furthermore you should chop one is from the binding:
$insertRating->bind_param("iiiiiiss", $animeId, $rating, $story, $genre, $animation, $characters, $music, $username, $date);
if($insertRating = $con->prepare("INSERT INTO anime_rating (animeId, rating, story, genre, animation, characters, music, user, date) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?"))
The last (") should be placed after the first ) at the end
New code:
if($insertRating = $con->prepare("INSERT INTO anime_rating (animeId, rating, story, genre, animation, characters, music, user, date) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)")
This question already has answers here:
mysqli_stmt::execute() expects exactly 0 parameters, 1 given
(4 answers)
Closed 1 year ago.
During my paths of coding in Mysqli I have been stumped and can't seem to figure out what the error is trying to say:
Warning: mysqli_stmt::execute() expects exactly 0 parameters, 1 given in /home/test/private_html/test.php on line 58
The code I have tried to fix many times is as so
$stmt = $mysqli->prepare("INSERT INTO `test_table`(datenow,test1,test2,test3,test4,test5,test6,test7,test8,
test9,test10,test11,test12,test14,test15,test16,test17,test18,)
VALUES (CURRENT_TIMESTAMP, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
$stmt->bind_param('ssssssssssssssssss',$test1,$test2,$test3,$test4,$test5,$test6,$test7,$test8,$test9,$test10,$test11,$test12,$test13,$test14, $test15,$test16,$test17,$test18);
$stmt->execute(array($test1,$test2,$test3,$test4,$test5,$test6,$test7,$test8,$test9,$test10,$test11,$test12,$test13,$test14,$test15, $test16,$test17,$test18
));
And the line 58 would be:
));
It should be:
$stmt->execute();
You don't provide the values when calling execute, you provided them when you called bind_param.
It seems like you're confusing mysqli with PDO.
$stmt = $mysqli->prepare("INSERT INTO `test_table`(datenow,test1,test2,test3,test4,test5,test6,test7,test8,
test9,test10,test11,test12,test14,test15,test16,test17,test18,)
VALUES (CURRENT_TIMESTAMP, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
$stmt->bind_param('ssssssssssssssssss',$test1,$test2,$test3,$test4,$test5,$test6,$test7,$test8,$test9,$test10,$test11,$test12,$test13,$test14, $test15,$test16,$test17,$test18);
$stmt->execute();
$stmt->execute();
That is enough already mate.