Prepared statement error with insert - php

I tried to use, for the first time, prepared statements in order to avoid SQL injection, but it seems I have a problem when I try to insert into or update my database. I use these lines to do what I want:
Insert:
$stmt = $con->prepare("INSERT INTO my_array (image1,image2,image3,image4, info, type, lat, lng, date_created, status, created_by, closed_by, date_finished) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)") ;
$stmt->bind_param('bbbbssddsssss', $image1, $image2, $image3, $image4, $info, $type, $lat, $long, $date, $opened, $user, $closed_by, $closed_by, $date_finished);
$stmt->execute();
$result = $stmt->get_result();
Update:
$stmt = $con->prepare("UPDATE users SET fullname = IF(LENGTH(?) = 0, fullname, ?), email = IF(LENGTH(?) = 0, email, ?), phone_num = IF(LENGTH(?) = 0, phone_num, ?) , address = IF(LENGTH(?) = 0, address, ?) WHERE username = '$user'") ;
$stmt->bind_param('ssssiiss',$fullname, $fullname, $email, $email, $phone_number , $phone_number, $address, $address);
$stmt->execute();
$result = $stmt->get_result();
In both I get a "false" result.

In the first you have $closed_by duplicated.
In the second you have $user in the prepared statement. That must be a parameter.
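
The difference between an interpolated and a bound value in the WHERE clause, as an added example that is not part of the original post. It assumes an in-memory SQLite database through PDO in place of the MySQL connection so that it runs without a server, and a cut-down users table; the placeholder rule is the same for mysqli.

```php
<?php
// Added example. In-memory SQLite via PDO stands in for the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'),
                                    ('bob',   'bob@example.test')");

// Pattern from the question: SET values are bound, the username is interpolated,
// so quotes inside $user become part of the SQL text itself.
function updateInterpolated(PDO $db, string $user, string $email): int
{
    $stmt = $db->prepare("UPDATE users SET email = ? WHERE username = '$user'");
    $stmt->execute([$email]);
    return $stmt->rowCount();
}

// Corrected form: every value, including the one in WHERE, is a placeholder.
function updateBound(PDO $db, string $user, string $email): int
{
    $stmt = $db->prepare("UPDATE users SET email = ? WHERE username = ?");
    $stmt->execute([$email, $user]);
    return $stmt->rowCount();
}

// Constructed input: a username value that contains quote characters.
$user  = "nobody' OR '1'='1";
$email = 'changed@example.test';

$db->beginTransaction();
$touched = updateInterpolated($db, $user, $email);
$db->rollBack(); // undo the unintended update before the second run
printf("interpolated WHERE: %d row(s) updated\n", $touched);

printf("bound WHERE:        %d row(s) updated\n", updateBound($db, $user, $email));
```

With the bound form the whole string is compared against username as data, so the statement keeps the shape it was prepared with.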

Use proper error handling in each of your statements:
if(!($stmt = $con->prepare("INSERT INTO my_array (image1,image2,image3,image4, info, type, lat, lng, date_created, status, created_by, closed_by, date_finished) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")))
{
echo "Prepare failed: (" . $con->errno . ") " . $con->error;
}
if(!$stmt->bind_param('bbbbssddsssss', $image1, $image2, $image3, $image4, $info, $type, $lat, $long, $date, $opened, $user, $closed_by, $closed_by, $date_finished))
{
echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if(!$stmt->execute())
{
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
if(!($result = $stmt->get_result()))
{
echo "Getting result set failed: (" . $stmt->errno . ") " . $stmt->error;
}

Related

Insert is working local but not on server

I use the same code locally and on the server.
While it's working just fine locally, there is no DB entry when running on the server.
While the INSERT statement is not working, I can read and update the rows, so the connection should be fine.
Can somebody help me?
function setDataToParticipantTable($db_host, $db_password, $db_user, $db_name, $new_participant)
{
$db = new PDO('mysql:host=' . $db_host . ';dbname=' . $db_name, $db_user, $db_password);
$qry = "INSERT INTO " . "`TAEK_Subscriber19`" . " (`Vorname`, `Nachname`, `Email`, `Straße`, `Hausnummer`, `PLZ`, `Ort`, `Land`, `Turnusaerztevertreter`, `DO_VM_WS_1`, `DO_NM_WS_1`, `FR_VM_WS1_1`, `FR_VM_WS2_1`, `FR_NM_WS_1`, `Kongresseroeffnung`, `Kongressparty`, `Infotext`, `Hash`)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
$statement = $db->prepare($qry);
$statement->bindParam(1, $new_participant['Vorname']);
$statement->bindParam(2, $new_participant['Nachname']);
$statement->bindParam(3, $new_participant['Email']);
$statement->bindParam(4, $new_participant['Straße']);
$statement->bindParam(5, $new_participant['Hausnummer']);
$statement->bindParam(6, $new_participant['PLZ']);
$statement->bindParam(7, $new_participant['Ort']);
$statement->bindParam(8, $new_participant['Land']);
$statement->bindParam(9, $new_participant['Turnusaerztevertreter']);
$statement->bindParam(10, $new_participant['DO_VM_WS_1']);
$statement->bindParam(11, $new_participant['DO_NM_WS_1']);
$statement->bindParam(12, $new_participant['FR_VM_WS1_1']);
$statement->bindParam(13, $new_participant['FR_VM_WS2_1']);
$statement->bindParam(14, $new_participant['FR_NM_WS_1']);
$statement->bindParam(15, $new_participant['Kongresseroeffnung']);
$statement->bindParam(16, $new_participant['Kongressparty']);
$statement->bindParam(17, $new_participant['Infotext']);
$statement->bindParam(18, $new_participant['Hassh']);
$statement->execute();
$statement = null;
$db = null;
}

I can't insert data into my database but I don't have any errors

This is my php code. Can you please help me. There's no data in my database.
<?php
require_once("dbconnect.php");
session_start();
for ($x = 0; x < $_POST['reimcounter']; $x++) {
$date = $_POST['date'];
$tin = $_POST['tin'];
$address = $_POST['address'];
$particulars = $_POST['particulars'];
$referencenumber = $_POST['refno'];
$total = floatval(preg_replace('/[^\d\.]/', '', $_POST['total' . $x]));
$nonvat = floatval(preg_replace('/[^\d\.]/', '', $_POST['nonvat' . $x]));
Is there anything wrong with my insert code?
$sql = "INSERT INTO rtco_cms.dbo.Reimbursement VALUES (?, ?, ?, ?, ?, ?,
?, ?, ?)";
$params = array($date, $tin, $SESSION['empid'], $address,
$SESSION['clientid'], $particulars, $referencenumber, $nonvat, $total);
$stmt = sqlsrv_query($conn, $sql, $params);
}
header("location: ../reimbursement.php");
?>
Change this
$params = array($date, $tin, $SESSION['empid'], $address,
$SESSION['clientid'], $particulars, $referencenumber, $nonvat, $total);
to
$params = array($date, $tin, $_SESSION['empid'], $address,
$_SESSION['clientid'], $particulars, $referencenumber, $nonvat, $total);
Session variable calling is wrong. Hope it helps.
Update your insert query; for example, see this query:
$tsql = "INSERT INTO dbo.vF_events (
username,
Rft,
Ging,
description,
date,
trdate)
VALUES
(?, ?, ?, ?, ?, ?)";
$var = array($username, $sort, $ag, $description, $date, $trdate);
if (!sqlsrv_query($conn, $tsql, $var))
{
// sqlsrv_errors() returns an array, so render it before concatenating
die('Error: ' . print_r(sqlsrv_errors(), true));
}
echo "record added";

Update with mySQLi Prepared Statement [duplicate]

I have written the code below and it is supposed to update a selected entry in the database when the user presses the update button. When I press the update button I just get a blank page. I cannot figure out what is wrong with my code. Any help would be appreciated.
<?php
//Open a new connection to the MySQL server
$mysqli = new mysqli('localhost','some directory','some password','some user ');
//Output any connection error
if ($mysqli->connect_error) {
die('Connection failed : ('. $mysqli->connect_errno .') '. $mysqli->connect_error);
}
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['cd']) && is_numeric($_GET['cd']))
// get id value
$id = $_GET['cd'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$phonenumber = $_POST['phonenumber'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$dob = $_POST['dob'];
$doi = $_POST['doi'];
$adjustername = $_POST['adjustername'];
$claimrefnumber = $_POST['claimrefnumber'];
$providernature = $_POST['providernature'];
$created = $_POST['created'];
$language = $_POST['language'];
$client = $_POST['client'];
$amountauthorized = $_POST['amountauthorized'];
$active = $_POST['active'];
$invoiceformat = $_POST['invoiceformat'];
$query = ("UPDATE tabele SET firstname, lastname, phonenumber, city, state, zipcode, dob, doi, adjustername, claimrefnumber, providernature, created,language, client, amountauthorized, active, invoiceformat, WHERE id)
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$statement = $mysqli->prepare($query);
$statement->bind_param('isssssssssssssssss', $id, $firstname, $lastname, $phonenumber, $city, $state, $zipcode, $dob, $doi, $adjustername, $claimrefnumber, $providernature, $created, $language, $client, $amountauthorized, $active, $invoiceformat);
if($statement->execute()){
header("some location");
}else{
die('Error : ('. $mysqli->errno .') '. $mysqli->error);
}
$statement->close();
?>
I figured it out, I finally found an example that works although I had to tweak some parts. The code below will grab the id passed from the url, do a prepared statement to update the selected id, and then redirect to a url location. The only thing missing is a Limit statement which I haven't figured out how to make work.
The code will also work for delete; it will be nearly identical, with a few minor tweaks.
<?php
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['id']) && is_numeric($_GET['id']))
// get id value
$id = $_GET['id'];
$results = $id;
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$phonenumber = $_POST['phonenumber'];
$city = $_POST['city'];
$state = $_POST['state'];
$zipcode = $_POST['zipcode'];
$dob = $_POST['dob'];
$doi = $_POST['doi'];
$adjustername = $_POST['adjustername'];
$claimrefnumber = $_POST['claimrefnumber'];
$providernature = $_POST['providernature'];
$created = $_POST['created'];
$language = $_POST['language'];
$client = $_POST['client'];
$amountauthorized = $_POST['amountauthorized'];
$active = $_POST['active'];
$invoiceformat = $_POST['invoiceformat'];
$connection = new mysqli("localhost", "some directory", "some password", "some user");
$statement = $connection->prepare("update table set firstname = ?, lastname = ?, phonenumber = ?, city = ?, state = ?, zipcode = ?, dob = ?, doi = ?, adjustername = ?, claimrefnumber = ?, providernature = ?, created = ?,language = ?, client = ?, amountauthorized = ?, active = ?, invoiceformat = ? where id = ?");
$statement->bind_param("sssssssssssssssssi", $firstname, $lastname, $phonenumber, $city, $state, $zipcode, $dob, $doi, $adjustername, $claimrefnumber, $providernature, $created, $language, $client, $amountauthorized, $active, $invoiceformat, $id);
// execute once; a second execute() call would run the UPDATE twice
if($statement->execute()){
header("some location");
}else{
die('Error : ('. $statement->errno .') '. $statement->error);
}
$statement->close();
?>

Fatal error: Call to a member function bind_param() on a non-object in PHP

I am trying to store data into a database from my form. I have tried the code below, but it gives me a fatal error. What changes do I have to make so that the code works? I have checked my database connection and it is all working fine, but there is one fatal error: Call to a member function bind_param() on a non-object.
<?php
if(isset($_POST['submit']))
{
$conn = mysqli_connect('localhost', 'root', '','tmtool');
if($conn -> connect_errno )
{
die('coudn\'t connect to the database' . mysqli_connect_error());
}
if(! get_magic_quotes_gpc() )
{
$Testcase_id = addslashes (filter_input(INPUT_POST, 'Testcase_id'));
$Testcase_title = addslashes (filter_input(INPUT_POST, 'Testcase_title'));
$Testcase_desc = addslashes(filter_input(INPUT_POST, 'Testcase_desc'));
$Product_id= addslashes(filter_input(INPUT_POST, 'Project_id'));
$Date_created= addslashes(filter_input(INPUT_POST, 'Date_created'));
$Created_by= addslashes(filter_input(INPUT_POST, 'Created_by'));
$Type= addslashes(filter_input(INPUT_POST, 'Type'));
$Priority = addslashes(filter_input(INPUT_POST, 'Priority'));
$Precondition= addslashes(filter_input(INPUT_POST, 'Precondition'));
$Test_step = addslashes(filter_input(INPUT_POST, 'Test_step'));
$Expected_result = addslashes(filter_input(INPUT_POST, 'Expected_result'));
$Request_mode = addslashes(filter_input(INPUT_POST, 'Request_mode'));
$Language = addslashes(filter_input(INPUT_POST, 'Language'));
$Category = addslashes(filter_input(INPUT_POST, 'Category'));
$Sub_category = addslashes(filter_input(INPUT_POST, 'Sub_category'));
}
else
{
$Testcase_id =(filter_input(INPUT_POST, 'Testcase_id'));
$Testcase_title =(filter_input(INPUT_POST, 'Testcase_title'));
$Testcase_desc = (filter_input(INPUT_POST, 'Testcase_desc'));
$Product_id=(filter_input(INPUT_POST, 'Project_id'));
$Date_created=(filter_input(INPUT_POST, 'Date_created'));
$Created_by=(filter_input(INPUT_POST, 'Created_by'));
$Type= (filter_input(INPUT_POST, 'Type'));
$Priority =(filter_input(INPUT_POST, 'Priority'));
$Precondition=(filter_input(INPUT_POST, 'Precondition'));
$Test_step =(filter_input(INPUT_POST, 'Test_step'));
$Expected_result =(filter_input(INPUT_POST, 'Expected_result'));
$Request_mode = (filter_input(INPUT_POST, 'Request_mode'));
$Language = (filter_input(INPUT_POST, 'Language'));
$Category = (filter_input(INPUT_POST, 'Category'));
$Sub_category = (filter_input(INPUT_POST, 'Sub_category'));
}
$sql = $conn->prepare("INSERT INTO tmtool.testcase_master ( `Testcase_id`,`Testcase_title`,`Testcase_desc`,`Product_id`,`Date_created`,`Created_by`,`Type`,`Priority`, `Precondition`, `Test_step`, `Expected_result`, `Request_mode`, `Language`, `Category`, `Sub_category`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$sql->bind_param('sssssssssssssss',$Testcase_id,$Testcase_title,$Testcase_desc, $Product_id, $Date_created, $Created_by, $Type , $Priority, $Precondition, $Test_step, $Expected_result, $Request_mode, $Language, $Category , $Sub_category);
if($sql->execute())
{
echo "Entered data successfully\n";
mysqli_close($conn);
}
else {
die('Could not enter data: ' . mysqli_error($conn));
}
}else{
echo "you are not able to connect to data base";
}
?>
You use mysqli_* in OOP style, so you have to use the keyword new and remove the _connect part for the connection, like this:
$conn = new mysqli('localhost', 'root', '','tmtool');
//^^^ ^ '_connect' removed
//| See here
Also change your close statement from:
mysqli_close($conn);
to this:
$conn->close();
And for errors you have to use this:
$conn->error //Not mysqli_error($conn)
As suggested by #Rizier123, when I put the prepare statement into an if condition, it works for me. Thanks #Rizier123.
Final correction in code is:
if(($sql = $conn->prepare("INSERT INTO tmtool.testcase_master ( `Testcase_id`,`Testcase_title`,`Testcase_desc`,`Product_id`,`Date_created`,`Created_by`,`Subscriber_type`,`Priority`, `Precondition`, `Test_step`, `Expected_result`, `Activation_mode`, `Language`, `Category`, `Sub_category`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"))== FALSE)
{
echo "false";
}
$sql->bind_param('sssssssssssssss',$Testcase_id,$Testcase_title,$Testcase_desc, $Product_id, $Date_created, $Created_by, $Subscriber_type , $Priority, $Precondition, $Test_step, $Expected_result, $Activation_mode, $Language, $Category , $Sub_category);
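
How a failed prepare() leads to the "non-object" fatal error, and how to handle it, as an added example that is not part of the original posts; it also applies to the step-by-step error checks shown for the first question above. It assumes an in-memory SQLite database through PDO in place of MySQL, a two-column testcase_master table and a constructed column-name mistake; insertSilent and insertStrict are hypothetical helper names.

```php
<?php
// Added example. In-memory SQLite via PDO stands in for the MySQL connection;
// for mysqli the equivalent switch is
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) before connecting.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE testcase_master (Testcase_id TEXT, Type TEXT)");

// Constructed mistake: the table has no column named Subscriber_type.
$sql = "INSERT INTO testcase_master (Testcase_id, Subscriber_type) VALUES (?, ?)";

// Silent mode: prepare() returns false, and calling a method on that return
// value is what raises "Call to a member function ... on a non-object".
function insertSilent(PDO $db, string $sql, array $params): bool
{
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        [$sqlstate, $code, $message] = $db->errorInfo();
        error_log("prepare failed [$sqlstate/$code]: $message"); // server-side log
        return false;                                            // stop here
    }
    return $stmt->execute($params);
}

// Exception mode: any failing step throws, so one catch covers prepare and execute.
function insertStrict(PDO $db, string $sql, array $params): bool
{
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $stmt = $db->prepare($sql);
        return $stmt->execute($params);
    } catch (PDOException $e) {
        error_log('insert failed: ' . $e->getMessage());
        return false;
    }
}

foreach (['insertSilent', 'insertStrict'] as $fn) {
    $ok = $fn($db, $sql, ['TC-1', 'prepaid']);
    // The caller sees only a generic outcome; the driver message stays in the log.
    echo $fn, ': ', $ok ? 'saved' : 'could not save the record', "\n";
}
```

Writing the driver message to the log instead of the response keeps table and column names out of what a visitor sees.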

is it possible to put that in a loop?

Is there a possibility to put that in a loop?
if (!empty($_POST["textDE"])) {
$mysqli = $connect->prepare("INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) VALUES (?, ?, ?)");
$mysqli->bind_param('iss', $l10id, $languageCodeDE, $textDE);
$mysqli->execute();
}
if (!empty($_POST["textEN"])) {
$mysqli = $connect->prepare("INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) VALUES (?, ?, ?)");
$mysqli->bind_param('iss', $l10id, $languageCodeEN, $textEN);
$mysqli->execute();
}
if (!empty($_POST["textES"])) {
$mysqli = $connect->prepare("INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) VALUES (?, ?, ?)");
$mysqli->bind_param('iss', $l10id, $languageCodeES, $textES);
$mysqli->execute();
}
if (!empty($_POST["textFR"])) {
$mysqli = $connect->prepare("INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) VALUES (?, ?, ?)");
$mysqli->bind_param('iss', $l10id, $languageCodeFR, $textFR);
$mysqli->execute();
}
if (!empty($_POST["textIT"])) {
$mysqli = $connect->prepare("INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) VALUES (?, ?, ?)");
$mysqli->bind_param('iss', $l10id, $languageCodeIT, $textIT);
$mysqli->execute();
}
$languages = array('DE', 'EN', 'ES', 'FR', 'IT');
foreach ($languages as $lang) {
$langKey = 'text' . $lang;
if (!empty($_POST[$langKey])) {
$mysqli = $connect->prepare(
"INSERT INTO `l10n-strings` (`translationID`, `languageCode`, `text`) ".
"VALUES (?, ?, ?)"
);
$mysqli->bind_param(
'iss',
$l10id,
${'languageCode'.$lang},
${$langKey}
);
$mysqli->execute();
}
}
Variable variables make this easier, with a look-up array.
Also disable register globals in your PHP configuration; it is a security issue.
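
A variant of the loop that prepares the statement once and reads the fields from the request array instead of variable variables, as an added example that is not part of the original answer. It assumes an in-memory SQLite database through PDO in place of MySQL, that each languageCode value is the two-letter code itself, and a constructed array standing in for $_POST; insertTranslations is a hypothetical helper name.

```php
<?php
// Added example. In-memory SQLite via PDO stands in for the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE "l10n-strings" (translationID INTEGER, languageCode TEXT, text TEXT)');

// Allow-list of language codes; the form field names are derived from it.
const LANGUAGES = ['DE', 'EN', 'ES', 'FR', 'IT'];

function insertTranslations(PDO $db, int $l10id, array $post): int
{
    // Prepare once, then execute once per language.
    $stmt = $db->prepare(
        'INSERT INTO "l10n-strings" (translationID, languageCode, text) VALUES (?, ?, ?)'
    );
    $inserted = 0;
    $db->beginTransaction();
    try {
        foreach (LANGUAGES as $lang) {
            $text = $post['text' . $lang] ?? '';
            if (!is_string($text) || $text === '') {
                continue; // field missing, empty, or submitted as an array
            }
            $stmt->execute([$l10id, $lang, $text]);
            $inserted++;
        }
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack(); // keep the set of translations all-or-nothing
        throw $e;
    }
    return $inserted;
}

// Constructed request body standing in for $_POST.
$post = ['textDE' => 'Hallo', 'textEN' => 'Hello', 'textFR' => '', 'textXX' => 'ignored'];
printf("%d row(s) inserted\n", insertTranslations($db, 7, $post));
```

Only keys built from the allow-list are ever read, so an unexpected field such as textXX never reaches the query.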
