The following statement works perfectly fine under PHP 5.2:
$db = new mysqli($db_host, $db_user, $db_pass, $database);
$sql = $db->prepare('SELECT id, field1, field2, field3 FROM people WHERE email = ? AND pass=?');
$user = strtolower($_POST['user']);
$pass = md5($_POST['pass']);
$sql -> bind_param('ss', $user ,$pass);
$sql -> execute();
$sql -> bind_result($id, $field1, $field2, $field3);
if ($sql -> fetch()) {
...
}
However, after upgrading to PHP 5.4 the fetch() fails and gives the following error:
Attempt to read a row while there is no result set associated with the statement
I couldn't find any hints that something has changed regarding the functions I use and the way I use them. I have seen that there was a change for bind_param using arrays in 5.3, but as I'm not using arrays here, I don't think that I'm affected by this change.
Related
When I run the code below, it returns nothing. When I explicitly type a string in the place of the '?', it will return the expected result but using the prepared version has not worked for me thus far. I do not believe there is any kind of versioning issue as using prepared statements for INSERT queries has worked for me in the past. What might be the problem here with the prepared statement?
$pdo = new PDO("mysql:host=localhost;dbname=database", $user, $pass);
$sql = "SELECT * FROM table WHERE column LIKE '%?%';";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($_GET['searchterm']));
$results = $stmt->fetchAll();
print_r($results);
You are preparing the value so it isn't behaving as if you just put the string inside of the query.
When preparing a string you don't need to add " or ', that is done for you. You need to add the %'s into the value that you are escaping.
$pdo = new PDO("mysql:host=localhost;dbname=database", $user, $pass);
$sql = "SELECT * FROM table WHERE column LIKE ?;";
$stmt = $pdo->prepare($sql);
$stmt->execute(array("%{$_GET['searchterm']}%"));
$results = $stmt->fetchAll();
print_r($results);
I'm trying to get to grips with mysqli but finding it a struggle compared to the now depreciated mysql. So far with the old methods I've been able to get information back about my tables in an associative array. I'm trying to form a prepared statement and echo the id number back. I would also like to be able to print the whole sql statement that has been binded, but seen as I can't even echo the id number from a single SELECT statement, it is out of the question at the moment.
$db = new mysqli('xxx', 'xx', 'xx', 'xxxx');
$sql = "SELECT user_id, name FROM users WHERE name=?"
$statement = $db -> prepare($sql);
$statement -> bind_param("s", "Emma");
$statement -> execute();
$statement -> bind_result($id, $name);
$output = $statement -> fetch();
echo $output -> $id . " " . $name;
I seem to be getting lost at the line bind_result. I figured if statement is an object, then I should be able to echo them in the form I have devised? When I refresh my page I just get nothing. I have 2 entries in my table and 1 of them does have the name string that is used above.
You think too complex. Just try this:
$db = new mysqli('xxx', 'xx', 'xx', 'xxxx');
$sql = "SELECT user_id, name FROM users WHERE name=?";
$statement = $db->prepare($sql);
$statement->bind_param("s", "Emma");
$statement->execute();
$statement->bind_result($id, $name);
while ($statement->fetch()) {
echo $id . " " . $name;
}
The bind_result() methods takes care that for each $statement->fetch() you execute you get fresh values in the variables $id and $name.
You should take a look at the good documentation of those methods.
I've gone through quite a number of stackoverflow threads and I simply can't get it right to retrieve the results after preparing a query. I've tried a number of different solutions and none seem to be able to fetch the associative array after I execute the query
$mysqli = new MySQLi('localhost', 'root', '', 'prac2');
$query = $mysqli-> prepare("SELECT * FROM `user` WHERE username=? and password=?");
$query-> bind_param('ii', $username, $password);
if($query-> execute()) {
$query->store_result();
if ($query -> num_rows > 0) {
$result = $mysqli->query($query);
$r = $result -> fetch_array(MYSQLI_ASSOC)['userid'];
$_SESSION['userid'] = $r;
}
}
I've established that sometimes its a case of result containing a boolean for success but I'm still not certain what exactly I'm doing wrong.
UPDATED:
Okay the bind_param works now, but the fetch_assoc keeps giving me the error "Call to a member function fetch_assoc() on a non-object", I even test the result to ensure that it returns true.
$mysqli = new MySQLi('localhost', 'root', '', 'prac2');
$query = $mysqli->prepare("SELECT * FROM user WHERE username=? and password=?");
echo $mysqli->error;
$query-> bind_param('ss', $username, $password);
if($query->execute()) {
$result = $query -> store_result();
if($result) {
while($row = $result -> fetch_assoc()){
echo $row['userid'];
$_SESSION['userid'] = $row['userid'];
}
}
}
Usernames and password are strings and it should be 's' denoting that corresponding variable has type string. I don't see how usernames and passwords are integers. Bind Param Types
$query-> bind_param('ss', $username, $password);
Inside bind_param for string you should use s. I mean try ss instead of ii.
This is the code, following (Explanation is afterwards):
<?php
error_reporting(E_ALL);
ini_set('display_errors',1);
$uname = $_POST['uname'];
if($uname!=""){
$mysqli = new mysqli('localhost', 'root', '', 'dota_site_test');
if(mysqli_connect_errno()){
echo("connetion error: " . mysqli_connect_errno());
exit();
}
$stmt = $mysqli->prepare("SELECT Username FROM users WHERE Username=?");
$stmt -> bind_param("s", $uname);
$stmt -> execute();
$stmt -> bind_result($unamecheck);
if($stmt->num_rows > 0){
echo "taken: ";
echo "name is ".$unamecheck;
}else{
echo "free: ";
echo "name is ".$unamecheck;
}
$stmt -> close();
$mysqli -> close();
}
?>
I am not sure where the problem is, but when I am, at the bottom, trying to echo "name is ". $unamecheck;, It is just returning blank. The way this code works is that on every key press the query is run to see if a Username is already present in the database. I have checked my Ajax, and the $uname = $_POST['uname']; is working fine.
In addition, I have ran the query "SELECT Username FROM users WHERE Username=?" within mysql itself, replacing the ? with my username, and that worked fine.
Have I made a mistake with the prepared statement? I am not sure if this is the way it must be done, but I am trying to be careful with SQL injection.
The result of my testing just shows free: name is being echo'd regardless of input. No other error codes are present.
You need to call
$stmt -> fetch();
After
$stmt -> bind_result($unamecheck);
In the prepare query, try to separete the =? from the column name, like this:
SELECT Username FROM users WHERE Username = ?
If this not work, print mysql_error() to verify if there is a mysql error
Throwing 'Call to a member function prepare() on a non-object' on the $mysqli->prepare. The original worked perfectly fine. Is this not possible in mysqli?
Guess I should have made it clear that mysqli is set correctly as in include - $mysqli = new mysqli($db_host, $db_user, $db_pass, $db_database);
original :
mysql_query("UPDATE test_users SET lastIP=currIP, dtLastLogin=dtCurrLogin WHERE user='".$user."'");
new mysqli version:
function user_login($user)
{
// Update user's last ip and last login date in db
$stmt = $mysqli->prepare("UPDATE test_users SET lastIP = currIP, dtLastLogin = dtCurrLogin WHERE user= ?");
// bind params
$stmt->bind_param('s', $user);
// execute prepared statement
$stmt->execute();
// close statement
$stmt->close();
You can do what you want to do with mysqli, but you haven't initialised the variable $mysqli in your function.
Either declare it as a global variable, or pass it in as an argument.