Okay, not too sure what I've done wrong, but I am having problems running a stored procedure using PDO. The procedure looks a little like this and runs perfectly as a stand alone.
CREATE PROCEDURE [dbo].[user_UserAdd]
#FirstName nvarchar(100),
#Surname nvarchar(100),
#EMail nvarchar(200),
#Password nvarchar(16)
AS
BEGIN
DECLARE #UserId uniqueidentifier
SET #UserId = NEWID()
INSERT INTO user_Data
VALUES (#UserId,
#FirstName,
#Surname,
#EMail,
#Password)
END
I know that the database connection works correctly as a select query returns the correct answers.
My php file contains the following :-
$stpro = $conn->prepare('EXECUTE user_UserAdd ?, ?, ?, ?');
$stpro->bindParam(1, $firstname, PDO::PARAM_STR, 100);
$stpro->bindParam(2, $surname, PDO::PARAM_STR, 100);
$stpro->bindParam(3, $email, PDO::PARAM_LOB, 200);
$stpro->bindParam(4, $password, PDO::PARAM_STR, 16);
// call the stored procedure
$returnvalue = $stpro->execute();
if (!$returnvalue)
{
return $stpro->errorInfo();
}
This always returns the same error message
["2"] = "An invalid PHP type was specified as an output parameter.
DateTime objects, NULL values, and streams cannot be specified as output parameters."
I have changed EXECUTE to just EXEC and to CALL and just get the same message. On checking the database it is definitely not inserting the new line of data, but at the same time the php page loads properly and does not kick any error messages regarding the stored procedure not running.
Sound like a binding error , although code looks correct.
You can try binding without specifying the type and leave it up to PDO:
$query = "EXECUTE user_UserAdd :firstname, :surname, :email, :password";
$stpro = $conn->prepare($query);
$stpro->bindParam(':firstname', $firstname);
$stpro->bindParam(':surname', $surname);
$stpro->bindParam(':email', $email);
$stpro->bindParam(':password', $password);
// call the stored procedure
$returnvalue = $stpro->execute();
Or just don't bind at all and see if it works:
$query = "EXECUTE user_UserAdd :firstname, :surname, :email, :password";
$stpro = $conn->prepare($query);
// call the stored procedure
$returnvalue = $stpro->execute(array(
':firstname'=> $firstname,
':surname'=> $surname,
':email'=> $email,
':password'=> $password,
));
Related
I want to know about this error how can I sort out this error? Check my code, here is the function.
Here is the code that i am using:
first is create function and second is error checking, how can I know about this error further please help me out, take me out from this problem.
function create(){
$this->created=date('Y-m-d H:i:s');
// insert query
$query = "INSERT INTO " . $this->table_name . "
SET
uname = :uname,
email = :email,
contact_number = :contact_number,
password = :password,
access_level = :access_level,
access_code = :access_code,
status = :status,
created = :created";
$stmt = $this->conn->prepare($query);
$this->uname=htmlspecialchars(strip_tags($this->uname));
$this->email=htmlspecialchars(strip_tags($this->email));
$this->contact_number=htmlspecialchars(strip_tags($this->contact_number));
$this->password=htmlspecialchars(strip_tags($this->password));
$this->access_level=htmlspecialchars(strip_tags($this->access_level));
$this->access_code=htmlspecialchars(strip_tags($this->access_code));
$this->status=htmlspecialchars(strip_tags($this->status));
$stmt->bindParam(':uname', $this->uname);
$stmt->bindParam(':lastname', $this->lastname);
$stmt->bindParam(':email', $this->email);
$stmt->bindParam(':contact_number', $this->contact_number);
$password_hash = password_hash($this->password, PASSWORD_BCRYPT);
$stmt->bindParam(':password', $password_hash);
$stmt->bindParam(':access_level', $this->access_level);
$stmt->bindParam(':access_code', $this->access_code);
$stmt->bindParam(':status', $this->status);
$stmt->bindParam(':created', $this->created);
// execute the query, also check if query was successful
if($stmt->execute()){
return true;
}else{
$this->showError($stmt);
return false;
}
}
You are binding a parameter that does not exists in the SQL:
$stmt->bindParam(':lastname', $this->lastname);
As your error states clearly "SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match".
you are binding a param lastname which is not present in SQL query.
$stmt->bindParam(':lastname', $this->lastname);
remove this line
As pointed out in the other answers, you are binding a parameter that does not exists in the SQL.
$stmt->bindParam(':lastname', $this->lastname);
This line, if removed, should solve one issue.
Another one is that you are using suspicious SQL syntax (a MySQL extension),
and as far as I know, the standard syntax for inserting in SQL is
INSERT INTO table (x, y, z) VALUES (0, 1, 2);
and not
INSERT INTO table SET x=0, y=1, z=2;
I hope that it helps.
I am creating a user registration system, and I am at the point where I start modifying the database i get the error
"Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /opt/lampp/htdocs/Projectss/01_sarah/index.php on line 41
"
I have tried using every single method in php documentation concerning adding data to the database
here is some code
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES('$first_name','$last_name','$email','$hash_password')";
$stmt = $conn->prepare($query);
if (!$stmt) {
echo mysqli_error($conn);
}
$stmt->bind_param('ssss', $query);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection
}
The expected result should is to not receive any warning after saving the information to the database
You're passing complete query in the bindParam and also passing the values in the query instead of this you need to pass the parameters in the bindParam like this..
$hash_password = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (first_name,last_name,email,password) VALUES(?, ?, ?, ?)";
$stmt = $conn->prepare($query);
$stmt->bind_param('ssss', $first_name, $last_name, $email, $hash_password);
$stmt->execute(); // execute prepared statement
$conn->close(); // close connection
I need to call a stored procedure to insert the data to sql and it return a value with output parameter
like
CREATE PROCEDURE InsertInfo
#userid VARCHAR(100),
#login_time DATETIME,
#IsSuccuess BIT,
#loginid INT OUTPUT
AS
BEGIN
INSERT INTO Audit_LoginLogoutAttempt(UserID,Login_Time, IsSuccuess, DateCreated) VALUES (#userid,#login_time,#IsSuccuess, GETDATE())
SET #loginid = ##IDENTITY
END
GO
How to send input and output parameters using PHP
$stmt = $conn->prepare("{CALL InsertInfo(?, ?, ?, ?)}");
$stmt->bindParam(1, $UserID);
$stmt->bindParam(2, $LoggedInDateTime);
$stmt->bindParam(3, $IsSuccuess);
$stmt->bindParam(4, $get_id, PDO::PARAM_INT, 32);
$stmt->execute();
echo $get_id;
I tried like this but I'm not getting desired value from $get_id
You should bind your parameter as an OUTPUT parameter. If you have output parameters in your stored procedure and stored procedure returns recordsets, you need to fetch all recordsets to get output values.
<?php
# Statement
$stmt = $conn->prepare("{CALL InsertInfo(?, ?, ?, ?)}");
$stmt->bindParam(1, $UserID);
$stmt->bindParam(2, $LoggedInDateTime);
$stmt->bindParam(3, $IsSuccuess);
$stmt->bindParam(4, $get_id, PDO::PARAM_INT|PDO::PARAM_INPUT_OUTPUT, PDO::SQLSRV_PARAM_OUT_DEFAULT_SIZE);
$stmt->execute();
# Fetch results. Include this if your procedure returns resultsets (usually from SELECT statements):
#do {
# while ($row = $stmt->fetch()) {
# //
# }
#} while ($stmt->nextRowset());
# Get OUTPUT parameter value
echo $get_id;
?>
I usually put SET NOCOUNT ON as first line in stored procedures. This prevents SQL Server from passing the count of rows affected as part of the result set.
CREATE PROCEDURE InsertInfo
#userid VARCHAR(100),
#login_time DATETIME,
#IsSuccuess BIT,
#loginid INT OUTPUT
AS
BEGIN
SET NOCOUNT ON
INSERT INTO Audit_LoginLogoutAttempt(UserID,Login_Time, IsSuccuess, DateCreated) VALUES (#userid,#login_time,#IsSuccuess, GETDATE())
SET #loginid = ##IDENTITY
END
I am consistently receiving null whenever I try to reverse the cipher text that I store in a MySQL database through PHP.
The PHP code used to insert the data:
public function insertChildren($employeeID, $empData, $key, $childName, $childBirth, $childGender, $childSSN, $isStep, $isFoster, $isStudent, $isHandicap, $address) {
$conn = $this->connect('insurance');
$insertChildren = $conn->prepare('INSERT INTO dependent_children (emp_id, ssn, name, dob, gender, handicap, student, foster, step, address) VALUES (:emp_id, AES_ENCRYPT(:ssn, AES_ENCRYPT(:key, UNHEX(sha1(:empData)))), :name, :dob, :gender, :handicap, :student, :foster, :step, :address)');
$insertChildren->bindParam(":emp_id", $employeeID, PDO::PARAM_INT);
$insertChildren->bindParam(":name", $childName, PDO::PARAM_STR);
$insertChildren->bindParam(':dob', $childBirth, PDO::PARAM_STR);
$insertChildren->bindParam(':empData', $empData, PDO::PARAM_STR);
$insertChildren->bindParam(':gender', $childGender, PDO::PARAM_STR);
$insertChildren->bindParam(':key', $key);
$insertChildren->bindParam(':ssn', $childSSN, PDO::PARAM_LOB);
$insertChildren->bindParam(':handicap', $isHandicap, PDO::PARAM_STR);
$insertChildren->bindParam(':student', $isStudent, PDO::PARAM_STR);
$insertChildren->bindParam(':foster', $isFoster, PDO::PARAM_STR);
$insertChildren->bindParam(':step', $isStep, PDO::PARAM_STR);
$insertChildren->bindParam(':address', $address, PDO::PARAM_STR);
$insertChildren->execute();
}
The SQL query that I thought would reverse it:
SELECT CAST(AES_DECRYPT(ssn, AES_DECRYPT('/ same random hexadecimal key bound in the php statement / ', unhex(sha1('1234')))) AS CHAR(50)) from dependent_children
Please note 1234 is the value that should be bound to the empData field in the PHP. I thought the latter query would correctly decrypt the first, but such is the case. Instead, I receive null. I am sure it is something simple, but I have not been able to locate the error source. Thanks so much!
Can someone just save my life been reading for a few hours,
I followed this exactly:
http://docs.php.net/manual/en/pdo.prepared-statements.php
I got this working with sqli but i was told by the group that this was prome to sql injection so i'm trying to improve my code
Alot of the topics here are on SELECT
When I try this i get a blank page, i still haven't gotten apache to render errors that is a separate issue....
this is php:
$dbh = new PDO('mysql:host=localhost;dbname=table', $DBuser, $DBpswd );
$stmt = $dbh->prepare("INSERT INTO `sonyCES2013`.`registration` (`id`, `firstName`, `lastName`, `eMail`, `telephone`, `outlet`, `comfirm`, `boothTour`) VALUES (
:id,
:firstName,
:lastName,
:eMail,
:telephone,
:outlet,
:comfirm,
:boothTour
)");
$stmt->bindParam(':id', NULL);
$stmt->bindParam(':firstName', $fName);
$stmt->bindParam(':lastName',$lName);
$stmt->bindParam(':eMail', $eMail);
$stmt->bindParam(':telephone', $telephone);
$stmt->bindParam(':outlet', $outlet);
$stmt->bindParam(':comfirm',$comfirmation);
$stmt->bindParam(':boothTour', $dateFormatted);
$stmt->execute();
Empty string is not the same as NULL. Also you must pass variables to bindParam() by reference.
If you want to pass a NULL as a query parameter, use
$stmt->bindValue(':id', NULL);
Or you can make a dummy variable and pass that, and give PDO a hint that it's a NULL:
$null = null;
$stmt->bindParam(':id', $null, PDO::PARAM_NULL);
Or else just omit id from the column in your INSERT:
$stmt = $dbh->prepare("INSERT INTO `sonyCES2013`.`registration`
(`firstName`, `lastName`, `eMail`, `telephone`, `outlet`, `comfirm`,
`boothTour`) VALUES ...
The problem was I had set some attributes to NULL. Comfirm was an optional value on the form and if no one selected it, i made the variable NULL. I instead set them to an empty string ''. that solved the problem.