I've been trying out my PHP skills and it seems when I try to send out the information from my Android app to the PHP, it seems to send just the parameter names(The database shows :Lname as an example.) out to the database. We are using PDO as the way to communicate with the MySQL Database.
Here is the coding as follows:
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
//Again, we need to update our tokens with the actual data:
$query_params = array(
':Lname' => $_POST['LName'],
':Fname' => $_POST['FName'],
':Address' => $_POST['Address'],
':City' => $_POST['City'],
':State' => $_POST['State'],
':ZIP' => $_POST['ZIP'],
':Phone' => $_POST['Phone'],
':myusername' => $_POST['username'],
':mypassword' => $_POST['password']
);
//time to run our query, and create the user
try {
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch (PDOException $ex) {
// For testing, you could use a die and message.
//die("Failed to run query: " . $ex->getMessage());
//or just use this use this one:
$response["success"] = 0;
$response["message"] = $ex->getMessage();
die(json_encode($response));
}
You have included literal values in your query string.
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
should be
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( :Lname, :Fname, :Address, :City, :State, :ZIP, :Phone, :myusername, :mypassword)";
You need to remove the quotes from your SQL values, as its being interpreted as literal strings. If you remove them, you should be all good :)
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
Related
According to everything I've found and seen, this seems correct. When I print $query the outcome is the following:
"INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (?,?,?,?,?,?,?,?,?)"
The parameters should have been filled in with the variables in bindValues(). So, for example ...
INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (Bill, A, Hopkins, 123 Ave, ....)
I'd like to stick with this method - it is surrounded by a try/catch block. From printing the query variable out I can see that is where the issue is.
What am I missing? I really appreciate you looking!
$query = 'INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (?,?,?,?,?,?,?,?,?)';
echo $query;
$statement = $db->prepare($query);
$statement->bindValue(1, $firstName);
$statement->bindValue(2, $middle);
$statement->bindValue(3, $lastName);
$statement->bindValue(4, $address);
$statement->bindValue(5, $city);
$statement->bindValue(6, $state);
$statement->bindValue(7, $zip);
$statement->bindValue(8, $email);
$statement->bindValue(9, $gender);
$success = ($statement->execute());
We need more code considering the error but you can try this with prepared statements:
$query = 'INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (:firstName, :middle, :lastName, :address, :city, :state, :zip, :email, :gender)';
$statement = $db->prepare($sql);
$statement->execute(array(':firstName'=>$firstName, ':middle'=>$middle, ':lastName'=>$lastName, ':address'=>$address, ':city'=>$city, ':state'=>$state, ':zip'=>$zip, ':email'=>$email, ':gender'=>$gender));
I have a problem trying to insert new data into database,
i don't even get any error
$db = new MyPDO();
$datauser = array(
'account' => $acc,
'tid' => $tid,
'email' => $email,
'amount' => $amount,
'date' => 'NOW()',
'obj_id' => $object_id);
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
$sql->execute($datauser);
Checking database after running the script and see no new rows..
Any ideas how can i fix hat?
You need to prepare your statement instead of running a query directly with placeholders.
Change:
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
To:
$sql = $db->prepare("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
You should also add error handling in your MyPDO class so that PDO will throw exceptions and tell you exactly what goes wrong when it goes wrong.
I am creating a user registration system using PDO, and am attempting to insert the users form data into a database table. Very simple, however the wrong value is entered into the database. The values entered into the database are :username, :password, :email_address, :city, etc, rather than the value passed to the function from my form. Any idea as to what I am doing wrong? I tried using bindParam and bindValue but had similar results, and based on other posts I concluded that using an array is the best way to do it. help!
function add_user($username, $password, $email, $fName, $lName, $address, $city, $state, $zip, $phone ) {
global $db;
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(':username', ':password', ':email_address', ':first', ':last', ':address', ':city', ':state', ':zip_code', ':phone')";
$sth = $db->prepare($sql);
$result = $sth -> execute(array(':username' => $username, ':password' => $password, ':email_address' => $email, ':first' => $fName, ':last' => $lName, ':address' => $address, ':city' => $city, ':state' => $state, ':zip_code' => $zip, ':phone' => $phone));
if ($sth->execute()) {
$success = "Registration successful";
return $success;
} else {
var_dump($result->errorInfo());
$success = "Registration failed";
return $success;
}
Do not use quotes for parameters. It will be escaped because you're binding parameters already.
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(:username, :password, :email_address, :first, :last, :address, :city, :state, :zip_code, :phone)";
If you do something like this ':username' PDO will treat it as string.
how can i insert data from query results and other variables in one insert query?
sample:
$id = $_POST['id'];
$address = $_POST['address'];
$email = $_POST['email'];
$query = "INSERT INTO info_table(fname, lname, address, email) VALUES (SELECT fname, lname, FROM info WHERE id = '$id')";
$result = db->prepare($query);
$result->execute();
how can i insert $address and $email together with the select results variables?
This should do the trick for the query:
INSERT INTO info_table (
fname,
lname,
address,
email
)
SELECT
fname,
lname,
':address',
':email'
FROM
info
WHERE
id = ':id'
You aren't using the prepare right here. You really should bind to the paramters :address, :email, and :id
$result = db->prepare($query);
$result->bindParam(':id', $id, PDO::PARAM_STR);
$result->bindParam(':email', $email, PDO::PARAM_STR);
$result->bindParam(':address', $address, PDO::PARAM_STR);
$result->execute();
Answering precisely to your question:
$query = "INSERT INTO MyInsecureTable (fname, lname, address, email) SELECT fname, lname, '$address', '$email' FROM info WHERE id = '$id'";
But it is scares the . out of me.
I am having a strange issue that I am just not finding a solution to. The problem is that the prepared sql statement is not binding in values, parameters or even passing them through the execute function. Instead, it inserts the ':blah' placeholder. As I said, I have tried bindParam, bindValue and this method all without result. However, I will try them all again now.
I outputted the parameters being sent right before the execute call.
Array ( [:username] => schenn [:salt] => NW5552wekj5155cNr52O54q56 [:hashpass] => 5e54240aec6294873d11d6ac3e5b135136a1b671 [:email] => monkey#monkey.com [:state] => OR [:country] => USA [:last_login] => 12/08/2011 )
Below is the code:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
VALUES (':username', ':salt', ':hashpass', ':email', ':state', ':country', ':last_login')";
$stmt = $pdoI->prepare($query);
$params = array(":username" => $this->username, ":salt" => $this->salt, ":hashpass" => $this->hashpass,
":email" => $this->email, ":state" => $this->state, ":country" => $this->country, ":last_login" => $this->last_login );
$stmt->execute($params);
You shouldnt be quoting the placeholders in the SQL. Try the following as your SQL string:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country,
last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
You don't quote the binded values in the SQL statement when binding variables.
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
Also make sure $this->email, etc... is set correctly.