I am creating a user registration system using PDO, and am attempting to insert the users form data into a database table. Very simple, however the wrong value is entered into the database. The values entered into the database are :username, :password, :email_address, :city, etc, rather than the value passed to the function from my form. Any idea as to what I am doing wrong? I tried using bindParam and bindValue but had similar results, and based on other posts I concluded that using an array is the best way to do it. help!
function add_user($username, $password, $email, $fName, $lName, $address, $city, $state, $zip, $phone ) {
global $db;
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(':username', ':password', ':email_address', ':first', ':last', ':address', ':city', ':state', ':zip_code', ':phone')";
$sth = $db->prepare($sql);
$result = $sth -> execute(array(':username' => $username, ':password' => $password, ':email_address' => $email, ':first' => $fName, ':last' => $lName, ':address' => $address, ':city' => $city, ':state' => $state, ':zip_code' => $zip, ':phone' => $phone));
if ($sth->execute()) {
$success = "Registration successful";
return $success;
} else {
var_dump($result->errorInfo());
$success = "Registration failed";
return $success;
}
Do not use quotes for parameters. It will be escaped because you're binding parameters already.
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(:username, :password, :email_address, :first, :last, :address, :city, :state, :zip_code, :phone)";
If you do something like this ':username' PDO will treat it as string.
Related
So bassically I can't seem to send the array with the input values to my database.
I tried sending it seperately, it works, but it only sends the array or the way around. There are no errors.
if (isset($_POST['submit'])) {
$services = implode ("|", $_POST['services']);
mysqli_query($mysqli, "INSERT INTO klientai (package, name, surname, email, phone, message, services) VALUES('$_POST[package]', '$_POST[name]', '$_POST[surname]', '$_POST[email]', '$_POST[phone]', '$_POST[message]', '$services'");
}
mysql_query function is deprecated and is not secured, You should use another option.
You can use PDO for example:
https://www.php.net/manual/en/book.pdo.php
open connection
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
insert method 1
$sql = "INSERT INTO users (name, surname, sex) VALUES (?,?,?)";
$stmt= $pdo->prepare($sql);
$stmt->execute([$name, $surname, $sex]);
insert method 2
$data = [
'name' => $name,
'surname' => $surname,
'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt= $pdo->prepare($sql);
$stmt->execute($data);
also check https://phpdelusions.net/pdo_examples/insert and
https://www.startutorial.com/articles/view/pdo-for-beginner-part-1
In this method, you don't need to escape your strings for SQL injection and it should also solve your problem.
Since I can't/don't know how to auto_increment two columns in one table I trying to do this with transactions. This is what I trying
$pdo->beginTransaction();
try
{
$sql = "INSERT INTO users ( username, password, firstname, lastname, email, user_image, path)
VALUES (:username, :password, :firstname, :lastname, :email, :user_image, :path)";
$q = $pdo->prepare($sql);
$q->execute(array(
':username' => $username,
':password' => sha1($password),
':firstname' => $firstname,
':lastname' => $lastname,
':email' => $email,
':user_image' => $forDB,
':path' => $path,
));
$lastInsertID = $pdo->lastInsertId();
$sql = $pdo->prepare("INSERT INTO users (usertype)
VALUE (:user_id)");
$sql->execute(array(
':user_id' => $lastInsertID
));
$pdo->commit();
}
// any errors from the above database queries will be catched
catch (PDOException $e)
{
// roll back transaction
$pdo->rollback();
// log any errors to file
ExceptionErrorHandler($e);
exit;
}
So basically I want to insert in column usertype the ID of this record (user_id) both columns must be equal.
Now when I try with this .. it is save empty fields except for the usertype which is updated with lastInsertID
Change
$sql = $pdo->prepare("INSERT INTO users (usertype)
VALUE (:user_id)");
to this
$sql = $pdo->prepare("UPDATE users SET usertype=:user_id WHERE user_id=:user_id");
I've been trying out my PHP skills and it seems when I try to send out the information from my Android app to the PHP, it seems to send just the parameter names(The database shows :Lname as an example.) out to the database. We are using PDO as the way to communicate with the MySQL Database.
Here is the coding as follows:
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
//Again, we need to update our tokens with the actual data:
$query_params = array(
':Lname' => $_POST['LName'],
':Fname' => $_POST['FName'],
':Address' => $_POST['Address'],
':City' => $_POST['City'],
':State' => $_POST['State'],
':ZIP' => $_POST['ZIP'],
':Phone' => $_POST['Phone'],
':myusername' => $_POST['username'],
':mypassword' => $_POST['password']
);
//time to run our query, and create the user
try {
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch (PDOException $ex) {
// For testing, you could use a die and message.
//die("Failed to run query: " . $ex->getMessage());
//or just use this use this one:
$response["success"] = 0;
$response["message"] = $ex->getMessage();
die(json_encode($response));
}
You have included literal values in your query string.
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
should be
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( :Lname, :Fname, :Address, :City, :State, :ZIP, :Phone, :myusername, :mypassword)";
You need to remove the quotes from your SQL values, as its being interpreted as literal strings. If you remove them, you should be all good :)
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
I am sorry to bother you with such a newbie question, and thank you for taking the time to go over it and answer it.
function dbaddusr($username, $email, $password){
try{
$conn = new PDO(CONNECTDATA);
$stmt = $conn->prepare("INSERT INTO 'users' ('username', 'email', 'password') VALUES (:username, :email, :password)");
$pass = crypt($password);
$result = $stmt->execute(array("username" => $username, "email" => $email, "password" => $pass));
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
return false;
}
}
Problem is, $result is always false. (I discovered this by some simple var_dump statements inside the try block.
I am very new to this and your help on fixing it is highly appreciated.
Don't quote the column names, if you want, use the backticks `
INSERT INTO users (username, email, password) VALUES (:username, :email, :password)
Change quotes to backticks for table & column name in your query,
$stmt = $conn->prepare("INSERT INTO `users` (`username`, `email`, `password`) VALUES
(:username, :email, :password)");
You are passing $pass in your array and your function accepts $password
Check your error messages to get specific details and you will find the problem.
A non-bloated version with all useless and wrong code cleaned.
function dbaddusr($username, $email, $password){
global $conn;
$sql = "INSERT INTO users (username, email, password) VALUES (?,?,?)";
$stmt = $conn->prepare($sql);
$pass = crypt($password);
$stmt->execute(array($username, $email, $pass));
}
You have to connect ONCE per application, and then use that single connection all the way.
I am having a strange issue that I am just not finding a solution to. The problem is that the prepared sql statement is not binding in values, parameters or even passing them through the execute function. Instead, it inserts the ':blah' placeholder. As I said, I have tried bindParam, bindValue and this method all without result. However, I will try them all again now.
I outputted the parameters being sent right before the execute call.
Array ( [:username] => schenn [:salt] => NW5552wekj5155cNr52O54q56 [:hashpass] => 5e54240aec6294873d11d6ac3e5b135136a1b671 [:email] => monkey#monkey.com [:state] => OR [:country] => USA [:last_login] => 12/08/2011 )
Below is the code:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
VALUES (':username', ':salt', ':hashpass', ':email', ':state', ':country', ':last_login')";
$stmt = $pdoI->prepare($query);
$params = array(":username" => $this->username, ":salt" => $this->salt, ":hashpass" => $this->hashpass,
":email" => $this->email, ":state" => $this->state, ":country" => $this->country, ":last_login" => $this->last_login );
$stmt->execute($params);
You shouldnt be quoting the placeholders in the SQL. Try the following as your SQL string:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country,
last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
You don't quote the binded values in the SQL statement when binding variables.
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
Also make sure $this->email, etc... is set correctly.