Recently looking through some old files and realised that they are now deprecated. I've tried converting them into the newer PDO variant, but I'm stuck on something. Here's the code:
<?php
$team=$_POST['team'];
$user=$_POST['user'];
$dbHandle=new PDO("mysql:host=localhost;dbname=databasename;","user","password",array(PDO::ATTR_EMULATE_PREPARES=>false));
$query=$dbHandle->prepare("INSERT INTO tablename VALUES(?,?,?)");
if(!is_numeric($user)){
echo "Error message 1";
}elseif($user=="123"){
echo "Error message 2";
}else{
$query->execute(array($user,$team,"pending"));
if(mysql_affected_rows()>0){
echo "Success message";
}else{
echo "Error message 3";
}
}
?>
Nothing I've tried seems to get the success message. It looks like most of the code is working, because it always ends up giving me the third error message every time, and I can confirm that nothing has been added to the database. Not shown above are the three lines of code for enabling all PHP error messages, but the page isn't throwing up any such messages.
Also, while I'm at it, I'm still not entirely familiar with PDO, but from the way I understood it, it's much more secure. From what I have above, are there any security risks, and if so, how should I fix them?
EDIT: The code is currently as thus:
<?php
$team=$_POST['team'];
$user=$_POST['user'];
$dbHandle=new PDO("mysql:host=localhost;dbname=databasename;","user","password",array(PDO::ATTR_EMULATE_PREPARES=>false));
$query=$dbHandle->prepare("INSERT INTO tablename VALUES(?,?,?)");
if(!is_numeric($user)){
echo "Error message 1";
}elseif($user=="123"){
echo "Error message 2";
}else{
$query->execute(array($user,$team,"pending"));
if($query->rowCount()>0){
echo "Success message";
}else{
echo "Error message 3";
}
}
?>
<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
$dsn = "mysql:host=localhost;dbname=test;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,"user","password", $opt);
$stm = $pdo->prepare("INSERT INTO tablename VALUES(?,?,?)");
$stm->execute(array($_POST['user'],$_POST['team'],"pending"));
echo "Success message";
The problem is that mysql_affected_rows() function is not PDO, you should use ->rowCount() method to know the value of affected rows. Also, I would preffer to add parameters in a separated instruction specifying the correct type with constants like PDO::PARAM_INT and PDO::PARAM_STR, so you can avoid errors:
$query=$dbHandle->prepare("INSERT INTO tablename VALUES(?,?,?)");
if(!is_numeric($user)){
echo "Error message 1";
}elseif($user=="123"){
echo "Error message 2";
}else{
$status = "pending";
$query->bindParam(1, $user, PDO::PARAM_INT);
$query->bindParam(2, $team, PDO::PARAM_STR);
$query->bindParam(3, $status, PDO::PARAM_STR);
$query->execute();
if($query->rowCount() > 0){
echo "Success message";
}else{
echo "Error message 3";
}
}
Related
I am converting an old php 5.6 code to 7.2 and learning how to use PDO.
I have reached a point where I got stuck and would like to learn from the community.
I created a test file structure:
db.php:
<?php
try {
$conn = new PDO($initlocation, $username, $pwdata);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "worked"; // THIS WORKS ON THE SCREEN
}
catch(PDOException $e){
echo "Connection failed: " . $e->getMessage();
}
?>
test.php:
<?php
include("db.php");
$user_query='SELECT * FROM `users` WHERE `email`="user1.a#gmail.com"';
echo $user_query; // I GET THE QUERY PRINTED ON THE SCREEN
echo is_object($conn); // THIS IS 1 WHICH IS GOD
echo "<br>";
echo is_object($res); // THIS IS 1 WHICH IS ODD
try{
$res = $conn->query($user_query);
}
catch (Exception $e){
echo "Query failed: " . $e->getMessage(); // NOTHING
}
echo "<br>";
echo is_object($res); // NOTHING
$data_exists = $res->fetch();
if ($data_exists==1) echo "yes"; // NOTHING
?>
I have left the testing method in the code as well and I am keen to find a better solution to find out why the query does not show anything.
The aim would be to find the email address in the DB and give me some feedback about it. Thank you in advance all the comments I will only learn form them.
Additional info:
When I run the SQL query in the DB directly it does give me the record that has the same email.
Try the following and use prepared statements like protection from SQL injections.
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$email]);
$user = $stmt->fetch();
I've got a website that is pulling data from my MSSQL Server. I am using functions to build tables for reports. Here's what I've got:
function BeginTable($rowCount,$headings,$searchValue,$ReportName,$OneButton,$NewSearch)
{
try{
$StateSelectSQL = "select distinct State from pmdb.MaterialTracking where State is not null";
var_dump($StateSelectSQL);echo " What!<br>";
$getSelect = $conn->query($StateSelectSQL);
var_dump($getSelect);echo " When!<br>";
$StateSelectNames = $getSelect->fetchALL(PDO::FETCH_ASSOC);
var_dump($StateSelectNames);echo " Where!<br>";
}
catch(Exception $e)
{
echo "Something went wrong";
die(print_r($e->getMessage()));
}
I tried this too:
try{
$StateSelectSQL = "select distinct State from pmdb.MaterialTracking where State is not null";
var_dump($StateSelectSQL);echo " What!<br>";
$getSelect = $conn->prepare($StateSelectSQL);
$getSelect->execute();
//$getSelect = $conn->query($StateSelectSQL);
//var_dump($getSelect);echo " When!<br>";
$StateSelectNames = $getSelect->fetchALL(PDO::FETCH_ASSOC);
var_dump($StateSelectNames);echo " Where!<br>";
}
catch(Exception $e)
{
echo "Something went wrong<br>";
die( print_r( $e->getMessage()));
}
The second and third var_dump's never show anything and the rest of the code (not shown here) doesn't get run. If I comment out the $getSelect and $StateSelectNames lines (with the var_dump's under them) then everything else works.
Here is my DBConn.php file that is included above the Function:
$conn = new PDO("sqlsrv:server=$servername;database=$dbname", $username,$password);
//set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->setAttribute(PDO::SQLSRV_ATTR_QUERY_TIMEOUT, 10);
What is wrong with the line $getSelect = $conn->query($StateSelectSQL); I can't figure it out. I tried using it later in my foreach like this:
foreach($conn->query($StateSelectSQL) as $StateName)
But that doesn't work either. It again stops at this line and doesn't go any further. The only thing I can think of is that my SQL is messed up, but when I run it in SSMS it works fine!
What's going on?
Try preparing and executing your SQL before using fetchAll. Also consider enabling exception mode if you haven't already and wrapping your statement in a try catch - this should flag any issues (e.g. your applications database user not having permission to access the schema, or syntax error etc)
Exceptions:
See this stack overflow post for info about how to enable
And for your code:
try {
$sql = "
SELECT DISTINCT State
FROM pmdb.MaterialTracking
WHERE State IS NOT NULL
";
$sth = $conn->prepare($sql);
$sth->execute();
$rowset = $sth->fetchAll(PDO::FETCH_ASSOC);
print_r($rowset);
} catch PDOException($err) {
echo "Something went wrong".
echo $err;
}
I have figured it out after pulling my hair out all day! I had to include my DBConn.php inside the function. After this it worked. I don't know why that mattered since it is included at the beginning of the file. If there is anyone who can explain why that is i'd be grateful!
It now looks like this:
function BeginTable($rowCount,$headings,$searchValue,$ReportName,$OneButton,$NewSearch)
{
try{
include("DBConn.php");
$SelectSQL = "select distinct State from pmdb.MaterialTracking where State is not null order by State";
$getSelect = $conn->prepare($SelectSQL);
$getSelect->execute();
$StateSelectNames = $getSelect->fetchALL(PDO::FETCH_ASSOC);
}
catch(Exception $e)
{
echo "Something went wrong<br>";
die( print_r( $e->getMessage()));
}
Making the switch to PDO from MySQL in PHP. In the past, when a query was ran and wasn't executed for whatever reason, I was able to send myself an email with the mysql_error() message in the body like so:
$query = "SELECT dogs FROM animals";
$res = mysql_query($query);
if (!$res) {
$error = "Error Message: " . mysql_error();
mail("my#email.com","Database Error",$error);
}
From that I would be alerted by an emil when something was wrong with the database on a website.
My PDO setup is as follows:
setAttribute(PDO::ATTR_EMULATE_PREPARES,false);
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
I have a try catch in the PDO connection itself but I would like to get error messages for prepare and execute as they happen like so:
$query = "SELECT cats FROM animals";
$sql = $pdo->prepare($query);
if (!$sql->execute()) {
$error = "Error Message: " . (pdo error message here);
mail("my#email.com","Database Error",$error);
}
Any ideas on how to assign PDO error messages in an email subject? I'm able to get a logical error message if a prepare fails be using errorInfo() but on execute errors(such as invalid parameter counts for arrays), I can't seem to get an error message.
Thanks for any and all help.
Use try/catch
try {
$sql->execute();
} catch (PDOException $e) {
$e->getMessage(); // This function returns the error message
}
You can use:
$query = "SELECT cats FROM animals";
$sql = $pdo->prepare($query);
if (!$sql->execute()) {
$arr = $sql->errorInfo();
$error = print_r($arr, true);
mail("my#email.com","Database Error",$error);
}
Have a look through the code below. This is supposed to check whether or not a database contains a given user. If the it does, it just returns true. If it doesn't, then it returns false.
Anyway, regardless of the user and password existing in the database, for some reason it will not evaluate to true! ! !
function databaseContainsUser($email, $password)
{
include $_SERVER['DOCUMENT_ROOT'].'/includes/db.inc.php';
try
{
$sql = 'SELECT COUNT(*) FROM wl_user
WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute("USE $dbname");
}
catch (PDOException $e)
{
$error = 'Error searching for user. ' . $e->getMessage();
include $_SERVER['DOCUMENT_ROOT'].'/includes/error.html.php';
exit();
}
$row = $s->fetch(PDO::FETCH_NUM);
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
Any help would be appreciated
For some unknown reason you are passing "USE $dbname" string to execute.
remove that string.
Also, you are trying to catch an exception but apparently don't tell PDO to throw them.
And you are catching it only to echo a message, which is a big no-no.
I've explained the right way recently in this answer
If your problem is different, you have to ask (or better - google for this very problem).
Refer to PDO tag wiki for the proper connect options including database selection and error reporting.
Try this
try
{
$pdo = new PDO('mysql:host=localhost;dbname=yourDbName;', 'root', '',
array(PDO::ATTR_PERSISTENT => true));
$sql = 'SELECT count(*) FROM user WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute();
}
This is local server example, just change yourDbName to your db name. I just run this code on my local server and it is working.
When I ran this piece of code
<?php
include '../bin/config.php';
connect();
if (isset($_GET['id']) && is_numeric($_GET['id'])){
$id = $_GET['id'];
$stmt = $conn->prepare("DELETE FROM noteline WHERE Nid = ?");
$stmt->bindParam(1, $id, PDO::PARAM_INT);
$outcome = $stmt->execute();
if ($outcome){
echo 'it was successfully deleted';
header("Location: ../noteline");
}else {
echo 'it was not successful due to something';
}
}
?>
it echoed "it was successfully deleted" but nothing was deleted from my database...
but when I started a transaction by modified this code like this:
<?php
include '../bin/config.php';
connect();
if (isset($_GET['id']) && is_numeric($_GET['id'])){
$id = $_GET['id'];
$stmt = $conn->prepare("DELETE FROM noteline WHERE Nid = ?");
$stmt->bindParam(1, $id, PDO::PARAM_INT);
$conn->beginTransaction();
$outcome = $stmt->execute();
if ($outcome){
$conn->commit();
echo 'it was successfully deleted';
header("Location: ../noteline");
}else {
echo 'it was not successful due to something';
}
}
?>
My data was finally deleted from my MySQL database!
I want to know why?
Because the PDO connection is operating with auto-commit mode disabled. Look into the connect() function to ensure that you don't disable this mode.
(Also, I see you're using a global variable to store the connection object. Avoid global variables where possible.)
Sounds like your server might have autocommit turned off?
http://dev.mysql.com/doc/refman/5.0/en/commit.html
By default, MySQL runs with autocommit mode enabled. This means that
as soon as you execute a statement that updates (modifies) a table,
MySQL stores the update on disk to make it permanent.
There might be a line in your code somewhere that sends
SET autocommit=0;
to your server.