I have simple SQL query that could benefit from bind variables so I have written like this:
$stmt = $this->db->prepare("SELECT * FROM activities WHERE user_id=':user_id' AND date(start_time)=date(':on_specific_day')");
$stmt->bindParam(':user_id',$where['user_id']);
$stmt->bindParam(':on_specific_day',$where['on_specific_day']);
As you can see there is an associative array called where which is used to store my where conditions. When I execute this statement it doesn't return any errors but the row count is zero. If I instead discard my dream of using bind variables and do this:
$stmt = $this->db->prepare("SELECT * FROM activities WHERE user_id='{$where['user_id']}' AND date(start_time)=date('{$where['on_specific_day']}')");
The query runs just fine and returns 2 results in my test case. Can someone help me from slipping into madness. :^)
You don't need to enclose your PDO parameters with quote marks:
$stmt = $this->db->prepare("SELECT * FROM activities WHERE user_id=:user_id AND date(start_time)=date(:on_specific_day)
Related
I’ve been trying to code a login form in PHP using a prepared statement but every time I try to log in I get the following error:
mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement
Here is my code:
<?php
$mysqli = new mysqli("localhost", "root" , "" , "security");
$stmt = $mysqli->prepare("SELECT username AND password FROM users WHERE username = ?");
$username = $_POST['name'];
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($password, $username);
$stmt->fetch();
Can someone tell me why this is happening?
$mysqli->prepare("SELECT username, password FROM users WHERE username = ?");
$username = $_POST['name'];
$stmt->bind_param('s' ,$username);
$stmt->execute();
$stmt->bind_result($username, $password);
Your select syntax was wrong, the correct syntax is
SELECT field1, field2, field3 FROM TABLE WHERE field1 = ? AND field2 = ?
To select more fields simply separate them by a comma and not an AND
Explanation
The error message clearly states that the number of columns you are SELECTing does not match the number of variables you provided to mysqli_stmt::bind_result(). They need to match exactly.
For example:
-- ↓ 1 ↓ 2 ↓ 3
SELECT col1, col2, col3 FROM tableA
There are 3 columns being fetched, so you need to provide 3 variables.
$stmt->bind_result($var1, $var2, $var3);
There could be a number of reasons why the column count doesn't match variable count.
Count your columns and variables
The simplest cause is that you made a mistake in the count. Do a recount of both. Maybe you changed the SQL but forgot to adjust bind_result()?
SELECT *
Using SELECT * is not recommended with bind_result(). The number of columns in the table could change as a result of schema changes or joins and will break your application. Always list all the columns explicitly!
Logical problem with SQL
The code from the question contains a logical mistake. SELECT username AND password produces a single column in the result. The AND keyword evaluates to a boolean expression. To select multiple columns you must use ,. Maybe there is another logical error in the query that causes the SQL to produce a different number of columns than you expected?
UPDATE and INSERT
DML statements such as INSERT, UPDATE and DELETE do not produce result sets. You can't bind variables to such prepared statement. You need to execute another SELECT statement to fetch the data.
Fetching an array from the prepared statement
The return value of mysqli_stmt::bind_result() is not an array, it's just a boolean. If you expected this function to return an array, then you are probably looking for get_result() with fetch_all() instead.
To select an array you need to get the mysqli_result object first.
$stmt = $mysqli->prepare("SELECT username AND password FROM users WHERE username = ?");
$stmt->bind_param('s', $username);
$stmt->execute();
$mysqli_result = $stmt->get_result();
// The object can then be iterated or used with fetch_* methods
foreach($mysqli_result as $row) {
}
// or
$arrayRow = $mysqli_result->fetch_assoc();
If this function doesn't exist in your PHP installation, then it means you have PHP not installed properly. You need to either recompile it, or enable mysqlnd (e.g. in cPanel).
If you are only learning PHP, it would be much easier for you to learn PDO instead.
I have a question.
I have the following query:
$query = "select * from module,bloc where module.id_bloc = ?";
I tried to bind the value so I did:
$stmt = $this->db->prepare($query);
$stmt->bindValue(1, "bloc.id_bloc");
But, when I test I don't get any result on my browser.
It's weird because when I replace directly inside like the following code:
$query = "select * from module,bloc where module.id_bloc = bloc.id_bloc";
I get the the right result on my browser.
Could someone explain to me why it doesn't work when I am doing a bindValue?
It will not work because, when bound, a string will be quoted. (Or, for all intents and purposes, work as if it were quoted, however PDO may handle it behind the scenes.) Then, your query is interpreted as:
select * from module,bloc where module.id_bloc = 'bloc.id_bloc'
That is: It will be interpreted as a literal string, rather than a reference to a table column, and will obviously not give you the expected result. There is no need for binding it to begin with.
If, for some reason, you need to run a query with a variable table/column name from an unsafe source, you will have to manually format/sanitize it; see here for an example of how to do it.
From experience and also having been told constantly the benefits of using prepared statements and binding my parameters, I have constantly used those two techniques in my code, however I would like to understand exactly the purpose of each of those two techiques:
From my understanding of prepared statements:
$sql = "SELECT * FROM myTable WHERE id = ".$id;
$stmt = $conn->prepare($sql);
$stmt->execute();
The previous code should create a sort of a buffer in the database with the query I proposed. Now FROM MY UNDERSTANDING (and I could be very wrong), the previous code is insecure, because the string $sql could be anything depending on what $id actually is, and if $id = 1; DROP TABLE myTable;--, I would be inserting a malicious query even though I have a prepared statement.
FROM MY UNDERSTANDING this is where binding my parameters com in. If I do the following instead:
$sql = "SELECT * FROM myTable WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->execute();
The database should know exactly all the parts of the sql statement before hand:
SELECT these columns: * FROM myTable and WHERE id = "a variable that was input by the user", and if "a variable that was input by the user" != a variable, the query fails.
I have been told by some my understanding is correct, and by others that it is false, could someone please let me know if I am wrong, correct, or missing something? And elaborate as much as you want, all feedback is greatly appreciated!
You're correct that the first case is insecure. It's important to understand though, that preparing a statement only has value if you are using variable data, and/or executing the same query repeatedly. If you are executing plain statements with no variables, you could simply do this:
$sql = "SELECT * from myTable WHERE this_column IS NOT NULL";
$result = $conn->query($sql);
And end up with a PDOStatement object to work with, just like when you use PDO::exec().
For your second case, again, you're largely correct. What's happening is the variable passed to the database is escaped and quoted (unless you specify otherwise with the third argument to PDOStatement::bindParam(), it's sent as a string which is fine for most cases.) So, the query won't "fail" if bad data is sent. It behaves exactly as if you had passed a valid number that didn't exist as an ID in the database. There are, of course, some edge cases where you are still vulnerable even with a correctly prepared statement.
Also, to make life easier, you can use prepared statements like this, to do implicit binding:
$sql = "SELECT * FROM myTable WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->execute([":id"=>$id]);
Or even like this, with un-named parameters:
$sql = "SELECT * FROM myTable WHERE id = ?";
$stmt = $conn->prepare($sql);
$stmt->execute([$id]);
Naturally, most of this has been explained in the comments while I was typing up the answer!
I am trying to select exact json value in mysql query condition, currently i am using LIKE and it work but like returns false positive.
my code is::
$id='1';
json data example:: ["1","12","38"]
$sql="SELECT * FROM `posts` WHERE `json_column` LIKE '%".$id."%' ";
with this query, it returns both 1 and 12. how can i get just 1?
Note the extra quotes:
$sql="SELECT * FROM posts WHERE json_column LIKE '%\"$id\"%'";
However, this is wide open to SQL inject if $id comes from user input. Be careful.
The more secure method would be to use parameterised queries with PHPs prepared statements as follows:
$stmt = $dbh->prepare("SELECT * FROM posts WHERE json_column LIKE '%\"?\"%'");
$stmt->bindParam(1, $id);
Quick question. Whilst using the prepare method in mysqli. It is possible/a good idea; to use it twice within the same mysqli connection? Example:
OOP layered
public function getStuff(){
$posts=array();
$query = $this->DBH->prepare('SELECT * FROM table WHERE stuff =?');
$query->bind_param('s','param');
$query->execute();
$query->bind_result($ID,$col1,$col2,$etc);
while($query->fetch()){
$posts[]=array('ID'=>$ID,'col1'=>$col1,'extras'=>$this->getExtras($ID));
}
$query->close();
return $posts;
}
private function getExtra($postID){
$extras=array();
$query = $this->DBH->prepare('SELECT * FROM anotherTable WHERE moreStuff =?');
$query->bind_param('s',$postID);
$query->execute();
$query->bind_result($ID,$col1,$col2,$etc);
while($query->fetch()){
$extras[]=array('ID'=>$ID,'col1'=>$col1,'etc'=>$etc);
}
$query->close();
return $extras;
}
Right my possible error is that I've used the same variable and the same database connection. I'm not 100% sure this will work as I've called $this->DBH whilst it is already being used in the parent function. Is there a better method to what I'm trying to achieve or is there a better structure I can use. Or should I just give up and use a separate variable? lol
Hopeful outcome:
$posts=array('ID'=>'column ID number','col1'=>'column1 data', 'extras'=>array('ID'=>'second table\'s ID number','col1'=>'second tables data','etc'=>'etc etc etc'));
In your example above, the variables which matter are $query. Each of those is local to its own method, and so the variables themselves will not collide. The MySQLi connection $this->DBH is capable of handling multiple open statements at once if circumstances are right.
The place where you need to use caution is with their execution order. If you prepare and execute a statement but do not fetch all rows from it, you may not be able to prepare() the next one until all rows have been fetched unless you first close it with mysqli_stmt::close() to deallocate the open statement handle.
For example:
// Prepares successfully:
$s1 = $mysqli->prepare("SELECT * FROM t1");
// Also prepares successfully (previous one not executed)
$s2 = $mysqli->prepare("SELECT * FROM t2");
// Then consider:
$s1 = $mysqli->prepare("SELECT id, name FROM t1");
$s1->bind_result($id, $name);
$s1->execute();
// And attempt to prepare another
$s2 = $mysqli->prepare("SELECT id, name FROM t2");
// Fails because $s1 has rows waiting to be fetched.
echo $m->error;
// "Commands out of sync; you can't run this command now"
Edit: misread your example...
Looking at your example above, you are indeed calling getExtras() while you are fetching from the getStuff() statement. You may run into the issue described above. Your two operations in this case may be able to be handled with a single JOIN instead, from which you fetch in only one loop to populate all your variables and build your output array as you want it. Depending on your need, this should either be an INNER JOIN if a related row is expected to exist in the othertable, or a LEFT JOIN if the related othertable may or may not have a row that matches the given ID.
SELECT
maintable.id,
maintable.col1,
othertable.col2,
othertable.col3
FROM
maintable
JOIN othertable ON maintable.id = othertable.id