Basically I'm converting all my statements in my class file to prepared statements. After reading over the php.net manual, I still cannot see where or what my error is.
In this particular function I am getting the profile of a user by the users ID.
Any help fellas?
I was able to answer my own question. Using SELECT * doesn't work very well with object oriented prepared statements.
Rather, select all the fields in the table needed and then bind them accordingly.
This particular function is getting all the details of a user by their ID.
Enjoy.
public function getProfile($id){
if($result = $this->link->prepare("SELECT id,first,last,full_name,email,photo FROM dl_users WHERE id=?")){
$result->bind_param('i',$id);
$result->execute();
$result->store_result();
$result->bind_result($id,$first,$last,$full_name,$email,$bio,$hometown,$position,$skills,$photo);
if($result->num_rows == 1){
$user = array();
$result->fetch();
$user['id'] = $id;
$user['first'] = $first;
$user['last'] = $last;
$user['full_name'] = $full_name;
$user['email'] = $email;
$user['photo'] = $photo;
return $user;
}
$result->close();
}
}
MySQLi's prepared statements work with variable references. $result->fetch() doesn't return the fields, it returns a boolean.
What you are can do is this:
public function getProfile($id){
if($result = $this->link->prepare("SELECT * FROM users WHERE id =?")){
$result->bind_param("s", $id);
$result->execute();
$result = $stmt->get_result();
if($row = $result->fetch_assoc()){
return $row;
}else{
return array("error"=>"Profile-Not-Found");
}
$result->close();
}
}
Note: This requires mysqlnd be installed.
If your id field is an integer, you must bind the param in this way:
$result->bind_param("i", $id);
More info here: http://www.php.net/manual/en/mysqli-stmt.bind-param.php
I was able to answer my own question. Using SELECT * doesn't work very well with object oriented prepared statements.
Rather, select all the fields in the table needed and then bind them accordingly.
This particular function is getting all the details of a user by their ID.
Enjoy.
public function getProfile($id){
if($result = $this->link->prepare("SELECT id,first,last,full_name,email,photo FROM dl_users WHERE id=?")){
$result->bind_param('i',$id);
$result->execute();
$result->store_result();
$result->bind_result($id,$first,$last,$full_name,$email,$bio,$hometown,$position,$skills,$photo);
if($result->num_rows == 1){
$user = array();
$result->fetch();
$user['id'] = $id;
$user['first'] = $first;
$user['last'] = $last;
$user['full_name'] = $full_name;
$user['email'] = $email;
$user['photo'] = $photo;
return $user;
}
$result->close();
}
}
Related
I have been converting a small login script i did to PDO trying to give it a try.
Code mysqli
$stmt = $conn->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($id, $name);
if ($stmt->fetch()) {
$_SESSION['id'] = $id;
$_SESSION['name'] = $name;
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
I changed to PDO
$sql = "SELECT id, name FROM users WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->bindParam(':name', $name);
$stmt->execute();
if ($stmt->fetch())
{
$_SESSION['id'] = $id;
$_SESSION['name'] = $name;
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
in mysqli i was able to bind and store $id and $name but read those were not available in PDO
$stmt->store_result();
$stmt->bind_result($id, $name);
There's no equivalent of bind_result in PDO because you don't really need it. Just read the data from the row:
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
$_SESSION['id'] = $row["id"];
$_SESSION['name'] = $row["name"];
$is_valid = true;
}
You also don't need the $stmt->bindParam(':name', $name); line because there is no :name input parameter in your SQL.
More examples are available in the manual and elsewhere.
See also Is it possible to use store_result() and bind_result() with PHP PDO? for more useful background info.
The equivalent method is called bindColumn(). You can bind a variable to one column in the result set.
/* Bind by column number */
$stmt->bindColumn(1, $id);
$stmt->bindColumn(2, $name);
while ($stmt->fetch(PDO::FETCH_BOUND)) {
print $name . "\t" . $id. "\n";
}
However, I would recommend writing simpler code. PDO is designed to be easier to use.
If you want to make the code simpler, use arrays. The method fetch() returns an array with the current row. They are better when you need to fetch more than one column from the result. If you only need to fetch one column, use fetchColumn().
$sql = "SELECT id, name FROM users WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->execute([
'id' => $id,
'name' => $name,
]);
if ($row = $stmt->fetch()) {
$_SESSION['id'] = $row['id'];
$_SESSION['name'] = $row['name'];
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
I have the following normal User class statement that I'm trying to convert to a prepared statement.
public function didReceiveRequest($user_from) {
$user_to = $this->user['username'];
$check_request_query = mysqli_query($this->con, "SELECT * FROM friend_requests WHERE user_to='$user_to' AND user_from='$user_from'");
if (mysqli_num_rows($check_request_query) > 0) {
return true;
}
else {
return false;
}
}
I'm new to prepared statements and have been doing pretty well throughout the User class, but am still having trouble with a few. Being new, I don't follow the logic as well, so please go easy. Here is what I have so far:
public function didReceiveRequest($user_from){
$user_to = $this->user['username'];
$check_request = $this->con->stmt_init();
$check_request->prepare('SELECT * FROM friend_requests WHERE user_to=? AND user_from=?');
$check_request->bind_param('ss', $user_to, $user_from);
$check_request->execute();
$result = check_request->get_result();
$data = $result->fetch_assoc();
$check_request->free_result();
$check_request->close();
if($data > 0){
return true;
}else{
return false;}
}
So a couple things abt this: 1)I know there is probably a better and more efficient way to do this. And 2) Will what I have return the same result as what was there (with normal statement) previously. I don't want to mix up calls from my dependent pages.
Here is how you would use MySqli prepared statements for your case example.
public function didReceiveRequest($user_from) {
$query = "SELECT *
FROM friend_requests
WHERE user_to = ? AND user_from = ?";
$user_to = $this->user['username'];
$stmt = $this->con->prepare($query);
$stmt->bind_param(ss, $user_to, $user_from); //set your bindings
$stmt->execute();
//$results = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);//Use if you want to see results.
if($stmt->num_rows !== 0) {
return TRUE;
}else{
return FALSE;
}
}
Here is a really good link to read that teaches you how to use prepared statements with MySqli. I would bookmark this link and refer to it often. MySqli prepared statements
Using prepared statements does not affect how you receive the results from you query.
The difference I see in what was provided as an answer is $result = $stmt->get_result(); Again being new to prepared statements I'm not 100% that this is the reason above code throws an error, but this code works.
public function didReceiveRequest($user_from) {
$user_to = $this->user['username'];
$stmt = $this->con->stmt_init();
$stmt->prepare('SELECT * FROM friend_requests WHERE user_to=? AND user_from=?');
$stmt->bind_param('ss', $user_to, $user_from);
$stmt->execute();
$result = $stmt->get_result();
$qty = $result->num_rows;
$stmt->free_result();
$stmt->close();
if($qty > 0) {
return true;
}else{
return false;
}
}
Ok, so I am having a lot of trouble with Prepared statements. I've done hours of research and still can't seem to fully understand everything...
I really feel like I need to understand Prepared statements because I was just about to release a few new free APIs on my website (which require API Key to execute API) but I recently realized how insecure everything is.... I can simply use SQL injection to bypass API Key check, e.g. 'OR'1'='1
Here is how I validate API Key:
$apikey = $_GET['key'];
$sql = "SELECT * FROM `table` WHERE `key` = '$apikey'";
$query = mysqli_query($con, $sql);
if($query)
{
$fetchrow = mysqli_fetch_row($query);
if(isset($fetchrow[0]))
{
echo "API Key is valid!";
}
else
{
echo "API KEY is invalid";
}
}
And like mentioned above this can easily be bypassed by executing my API like this
http://website.com/api.php?key='OR'1'='1
This really scared me at first, but then I did some research and learned a good way to prevent any form of SQL injection is to use prepared statement, so I did a lot of research and it just seems quite complicated to me :/
So I guess my question is, how can I take my above code, and make it function the same way using prepared statements?
Probably everything you need:
class Database {
private static $mysqli;
Connect to the DB:
public static function connect(){
if (isset(self::$mysqli)){
return self::$mysqli;
}
self::$mysqli = new mysqli("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
if (mysqli_connect_errno()) {
/*Log error here, return 500 code (db connection error) or something... Details in $mysqli->error*/
}
self::$mysqli->query("SET NAMES utf8");
return self::$mysqli;
}
Execute statement and get results:
public static function execute($stmt){
$stmt->execute();
if ($mysqli->error) {
/*Log it or throw 500 code (sql error)*/
}
return self::getResults($stmt);
}
Bind results to the pure array:
private static function getResults($stmt){
$stmt->store_result();
$meta = $stmt->result_metadata();
if (is_object($meta)){
$variables = array();
$data = array();
while($field = $meta->fetch_field()) {
$variables[] = &$data[$field->name];
}
call_user_func_array(array($stmt, "bind_result"), $variables);
$i = 0;
while($stmt->fetch()) {
$array[$i] = array();
foreach($data as $k=>$v)
$array[$i][$k] = $v;
$i++;
}
$stmt->close();
return $array;
} else {
return $meta;
}
}
Class end :)
}
Example of usage:
public function getSomething($something, $somethingOther){
$mysqli = Database::connect();
$stmt = $mysqli->prepare("SELECT * FROM table WHERE something = ? AND somethingOther = ?");
$stmt->bind_param("si", $something, $somethingOther); // s means string, i means number
$resultsArray = Database::execute($stmt);
$someData = $resultsArray[0]["someColumn"];
}
Resolving your problem:
public function isKeyValid($key){
$mysqli = Database::connect();
$stmt = $mysqli->prepare("SELECT * FROM table WHERE key = ? LIMIT 1");
$stmt->bind_param("s", $key);
$results = Database::execute($stmt);
return count($results > 0);
}
PHP automatically closes DB connection so no worries about it.
$sql = "SELECT * FROM `table` WHERE `key` = ?";
if(stmt = $mysqli->prepare($sql)) {
$stmt->bind_param("i", $apikey);
$stmt->execute();
$stmt->bind_result($res);
$stmt->fetch();
$stmt->close();
}
See more - http://php.net/manual/en/mysqli.prepare.php
The function should return the id of the found user or return false if not found.
Currently I am using bind result and fetch to check if a user is found in an mysql table:
public function getUserIDByName($UserName) {
$uid = "";
$i=0;
if($stmt = $this->mysqlserver->prepare("SELECT uid FROM user WHERE name=?")){
$stmt->bind_param("s", $UserName);
$stmt->execute();
$stmt->bind_result($uid);
while($stmt->fetch()){
$i++;
}
$stmt->close();
}
if($i==0){
return false;
}else{
return $uid;
}
}
This works, but I assume that there is a proper way to do this without a counter in the fetch loop. I can not use get_result as mysqlnd is not available.
Simple use num_rows to check your query return result or not
function getUserIDByName($UserName) {
if ($stmt = $this->mysqlserver->prepare("SELECT uid FROM user WHERE name=?")) {
$stmt->bind_param("s", $UserName);
$stmt->execute();
$row_cnt = $stmt->num_rows;
if ($row_cnt == 1) {
$stmt->bind_result($uid);
while ($stmt->fetch()) {
return $uid;
}
} else {
return false;
}
}
}
Use this instead
public function getUserIDByName($UserName)
{
$uid = '';
$response = false;
$stmt = $this->mysqlserver->prepare("SELECT uid FROM user WHERE name=?");
$stmt->bind_param("s", $UserName);
$stmt->execute();
$stmt->bind_result($uid);
if ($stmt->fetch()) {
$response = $uid;
}
$stmt->close();
return $response;
}
EDIT: just realized you're using mysqli and not pdo. Ill leave this here if you want to use PDO in the feature I guess.
This is how I would do it. You could change rowcount() > 0 to rowcount() === 1 if you want to guarantee only 1 user is found.
public function getUserIDByName($UserName)
{
$stmt = $this->mysqlserver->prepare("SELECT uid FROM user WHERE name = :name");
// bind :name to the username
$stmt->bindParam(":name", $UserName);
// execute the query
$stmt->execute();
// check the rowcount
if ($stmt->rowcount() > 0) {
// fetch the results as a associative array
return $stmt->fetch(PDO::FETCH_ASSOC);
}
// return false because rowcount wasn't bigger than 0
return false;
}
Here is my code:
$result_username = mysqli_query($dbconnection, Data::checkForUsername($username));
It then goes here:
public static function checkForUsername($username) {
global $database;
$query = "
SELECT COUNT(*)
FROM users
WHERE username='{$username}';";
$result = $database -> query($query);
return $result;
}
Then $result does this:
if (mysqli_result($result_username, 0) > 0) {
However, it then gives me back a Resource_Id?? I can not figure out why?
I simply want to check if the username exists in at least 1 row.
You need to fetch your data after you execute your query
$row = $result->fetch_array(MYSQLI_NUM);
return $row[0];
UPDATE: Now, using prepared statement your function can look like this:
public static function checkForUsername($username) {
global $database;
$result = 0;
$query = "SELECT COUNT(*) FROM users WHERE username=?";
/* create a prepared statement */
if ($stmt = $database->prepare($query)) {
/* bind parameters for markers */
$stmt->bind_param("s", $username);
/* execute query */
$stmt->execute();
/* bind result variable */
$stmt->bind_result($result);
/* fetch value */
$stmt->fetch();
/* close statement */
$stmt->close();
}
return $result;
}
You can try
return $result->num_rows
Then
if (checkForUsername('Redeyes') != 0) {
}