Mysqli update command not updating - php

include('config.php');
mysqli_select_db($mysqli, "real");
if ($transaction == "Success" && $currency == "USD") {
$user_ids = '".$user_id."'; $total_cred = `user_credits` +'".$package_credits."';
$add = $mysqli->prepare("UPDATE `users` SET `user_credits` = ? WHERE `user_id` = ?");
$add->bind_param('si', $total_cred,$user_ids); $add->execute();
}
The code doesn't throw any error, nor is it updating the database.

Change the if block to
// $user_ids = '".$user_id."'; REMOVE THE statement
// $total_cred = `user_credits` + '".$package_credits."'; REMOVE THIS too
$add = $mysqli->prepare("UPDATE `users` SET `user_credits` = `user_credits` + ? WHERE `user_id` = ?");
$add->bind_param('ii', $package_credits, $user_id ); $add->execute();
Let MySQL do the hard part.

Try this one:
include('config.php');
mysqli_select_db($mysqli, "real");
if ($transaction == "Success" && $currency == "USD")
{
$user_ids = '".$user_id."';
$total_cred = user_credits +'".$package_credits."';
$add = $mysqli->prepare("UPDATE users SET user_credits = ? WHERE user_id = ?");
$add->bind_param('si', $total_cred,$user_ids);
$add->execute();
}

Related

php script return true suddenly stopped returning value

I have a function in my PHP script which restores data from backup. Everything was fine and working well, until suddenly it stopped working after months of working well. I am using OC 2.2.0 and this function is supposed to restore products and their data from oc_product_backup table. I print_r every step so that I would see where the problem is, and realized that when it gets to:
return true;
it never happens. What could be wrong all of a sudden, and how do I make this work? I never had this kind of problem. My function looks like this:
function restoreBackup()
{
global $mysqli;
$i = 0;
$getpic = "SELECT * FROM oc_product_backup LIMIT 0, 100000";
$backup = $mysqli->query($getpic);
$mysqli->autocommit(FALSE);
$updateproduct_sql = "UPDATE oc_product SET image = ?, modified_by = ?, date_modified = ? WHERE product_id= ?";
$updatedescription_sql = "UPDATE oc_product_description SET meta_description = ?, meta_keyword = ?, tag = ?, modified_by = ? WHERE product_id = ? AND language_id = ?";
$stmt = $mysqli->prepare($updateproduct_sql);
$stmt->bind_param('siss', $image, $modified_by, $date_modified, $product_id);
//print_r ($updateproduct_sql);
$stmt2 = $mysqli->prepare($updatedescription_sql);
$stmt2->bind_param('sssisi', $meta_description, $meta_keyword, $tag, $modified_by, $product_id, $language_id);
//print_r($updatedescription_sql);
while($row = $backup->fetch_array(MYSQLI_ASSOC))
{
//$name = removeslashes($row['name']);
//$name = $row['name'];
//$description = removeslashes($row['description']);
//$description = $row['description'];
$meta_description = $row['meta_description'];
$meta_keyword = $row['meta_keyword'];
$tag = $row['tag'];
$product_id = $row['product_id'];
$modified_by = $row['modified_by'];
$language_id = $row['language_id'];
//if($row['language_id'] == 1)
//{
$image = $row['image'];
//$ean = $row['ean'];
//$name = $row['name'];
//$model = $row['model'];
//$status = $row['status'];
$price_sync = $row['price_sync'];
$date_modified = $row['date_modified'];
if(!$stmt->execute())
return false;
//}
if(!$stmt2->execute())
return false;
$i++;
if(($i % 500) === 0) $mysqli->commit();
}
$mysqli->commit();
$backup->close(); //the last line that gets executed
return true; //this never happens
writeToLog('- Backup restored');
}
After looking at the code a bit, it seems like the data binding for your prepared statements was outside of the loop, so technically it would never have written any data.
function restoreBackup() {
    global $mysqli;
    $i = 0;
    $getpic = "SELECT * FROM oc_product_backup LIMIT 0, 100000";
    $backup = $mysqli->query($getpic);
    $mysqli->autocommit(FALSE);
    $updateproduct_sql = "UPDATE oc_product SET image = ?, modified_by = ?, date_modified = ? WHERE product_id= ?";
    $updatedescription_sql = "UPDATE oc_product_description SET meta_description = ?, meta_keyword = ?, tag = ?, modified_by = ? WHERE product_id = ? AND language_id = ?";
    while ($row = $backup->fetch_array(MYSQLI_ASSOC)) {
        $meta_description = $row['meta_description'];
        $meta_keyword = $row['meta_keyword'];
        $tag = $row['tag'];
        $product_id = $row['product_id'];
        $modified_by = $row['modified_by'];
        $language_id = $row['language_id'];
        $image = $row['image'];
        $price_sync = $row['price_sync'];
        $date_modified = $row['date_modified'];
        $stmt = $mysqli->prepare($updateproduct_sql);
        $stmt->bind_param('siss', $image, $modified_by, $date_modified, $product_id);
        if (!$stmt->execute())
            return false;
        $stmt2 = $mysqli->prepare($updatedescription_sql);
        $stmt2->bind_param('sssisi', $meta_description, $meta_keyword, $tag, $modified_by, $product_id, $language_id);
        if (!$stmt2->execute())
            return false;
        $i++;
        if (($i % 500) === 0) $mysqli->commit();
    }
    $mysqli->commit();
    $backup->close(); //the last line that gets executed
    return true; //this never happens
    writeToLog('- Backup restored');
}

Database Error HY000

My code is working fine, but I got this error:
SQLSTATE[HY000]: General error
I searched on Google and someone said that it may be SQLi.
What is this? And how can I fix that?
Thanks, and sorry for my poor English.
try{
$db_con = new PDO("mysql:host={$db_host};dbname={$db_name}",$db_user,$db_pass);
$db_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Anti Brute Forced
$stmt = $db_con->prepare("
SELECT * FROM users
");
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){
$users_username = $row["users_username"];
$users_password = $row["users_password"];
$users_wrong_password = $row["users_wrong_password"];
if ($users_wrong_password <= 3 && isset($_GET["username"],$_GET["password"]) && $_GET["username"] == $users_username && $_GET["password"] != $users_password){
$u = $users_wrong_password + 1;
$g = 0;
$g = $_GET['username'];
$stmt = $db_con->prepare("
UPDATE users
SET users_wrong_password = $u
WHERE users.users_username = '$g'
");
$stmt->execute();
}
if ($_GET["username"] == $users_username && $users_wrong_password >= 4){
echo "Your Account Was Banned For 1 Hours";
die;
}
}
$g = $_GET['username'];
$stmt = $db_con->prepare("SELECT * FROM users where users_username = '$g'");
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){
$ss = $row["users_wrong_password"];
}
if($ss <= 3){
$g = 0;
$g = $_GET['username'];
$stmt = $db_con->prepare("
UPDATE users
SET users_wrong_password = 0
WHERE users_username = '{$_GET['username']}'
");
$stmt->execute();
}
// Anti Brute Forced
[Solved]
Edit:
$g = $_GET['username'];
$p = $_GET['password'];
$stmt = $db_con->prepare("
SELECT * FROM users where users_username = '$g' and users_password = '$p'
");
I found this problem in another, similar way
"errorInfo":["HY000"]
How does "HY000" error happen?
It happens when you are updating, deleting or inserting data with PDO, and you try to fetch its result.
The solution: just do not use the fetch or fetchAll methods after executing an update, delete or insert. Surely, it does not make sense to fetch its result!
Example:
$stmt = $db_con->prepare("
UPDATE users SET name = 'Renato' WHERE ID = 0
");
$stmt->execute();
$stmt->fetch(PDO::FETCH_ASSOC); // The mistake is here, just remove this line
$stmt->fetchAll(PDO::FETCH_ASSOC); // It will cause troubles too, remove it
Solving the problem in a loop
The solution is changing the statement variable name inside the loop, or fetching everything before starting the loop:
Solution: Changing variable name
$stmt = $db_con->prepare("
SELECT * FROM users
");
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){
// ...
// This is another statement
$another_stmt = $db_con->prepare("
UPDATE users
SET users_wrong_password = $u
WHERE users.users_username = '$g'
");
$another_stmt->execute();
}
Solution: Fetch all data from query before loop
$stmt = $db_con->prepare("
SELECT * FROM users
");
$stmt->execute();
// Everything is fetched here
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach($results as $row){ // Another way to loop through results
$stmt = $db_con->prepare("
UPDATE users
SET users_wrong_password = $u
WHERE users.users_username = '$g'
");
$stmt->execute(); // Be happy with no troubles
}
I think there are multiple preparations of the same query.
Solution: get the query preparation out of the while loop.
code:
//... your code
$stmt1 = $db_con->prepare("
UPDATE users
SET users_wrong_password = $u
WHERE users.users_username = '$g'
");
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){
$users_username = $row["users_username"];
$users_password = $row["users_password"];
$users_wrong_password = $row["users_wrong_password"];
if ($users_wrong_password <= 3 && isset($_GET["username"],$_GET["password"]) && $_GET["username"] == $users_username && $_GET["password"] != $users_password){
$u = $users_wrong_password + 1;
$g = 0;
$g = $_GET['username'];
$stmt1->execute();
//...
}
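
The lockout logic from this thread with bound parameters and a separate statement object for every write, as an added example that is not any poster's code. It runs against a constructed in-memory SQLite table that reuses the thread's column names and assumes `users_password` holds a `password_hash()` value; `attemptLogin` and `MAX_FAILURES` are names made up for this example.

```php
<?php
// Added example, not the poster's code. Demo data is constructed; column names
// follow the thread. Assumption: users_password stores a password_hash() value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (users_username TEXT PRIMARY KEY,
    users_password TEXT, users_wrong_password INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (users_username, users_password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

const MAX_FAILURES = 4; // the thread blocks the account at 4 wrong passwords

function attemptLogin(PDO $db, string $username, string $password): string
{
    // One row, selected through a bound parameter: no loop over every user
    // and no request data spliced into the SQL text.
    $sel = $db->prepare('SELECT users_password, users_wrong_password
                         FROM users WHERE users_username = :u');
    $sel->execute([':u' => $username]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();

    if ($row === false) {
        return 'denied'; // same answer as a wrong password
    }
    if ((int) $row['users_wrong_password'] >= MAX_FAILURES) {
        return 'locked';
    }
    if (password_verify($password, $row['users_password'])) {
        // Each write gets its own statement and is never fetch()ed from.
        $db->prepare('UPDATE users SET users_wrong_password = 0
                      WHERE users_username = :u')->execute([':u' => $username]);
        return 'ok';
    }
    // The database performs the increment, so parallel attempts all count.
    $db->prepare('UPDATE users SET users_wrong_password = users_wrong_password + 1
                  WHERE users_username = :u')->execute([':u' => $username]);
    return 'denied';
}

// A username containing a quote is bound as data and cannot change the query.
var_dump(attemptLogin($db, "o'brien", 'x'));
for ($i = 0; $i < MAX_FAILURES; $i++) {
    attemptLogin($db, 'alice', 'wrong');
}
var_dump(attemptLogin($db, 'alice', 'correct horse'));
```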

PHP PDO Insert Into statement doesn't work with no errors

At the end of this code there is an INSERT INTO statement that doesn't do anything. My connection.php is OK because I have used the same file in other projects and they work.
I am actually inserting a lot more data, but I was trying to find the problem, so I've removed a lot of variables from the INSERT statement.
<?php
include("connection.php");
include("functions.php");
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES,false);
date_default_timezone_set('Asia/Dhaka');
$mobile = (string)$_GET["mobile_number"];
$promo = (string)$_GET["promo_code"];
$type = (string)$_GET["type"];
$type_no = (($type=="imei") ? (string)$_GET["imei"] : (string)$_GET["udid"]);
$ip = (string)$_SERVER['REMOTE_ADDR'];
$signup_date = date("Y-m-d");
$q1 = "SELECT * FROM vbClient WHERE clCustomerID = :mobile";
$chk_mob_switch = $dbh->prepare($q1);
$chk_mob_switch->bindParam(':mobile', $mobile);
$chk_mob_switch->execute();
if ($chk_mob_switch->rowCount() == 0) {
$q2 = "SELECT * FROM api_db WHERE type_no = :type_no";
$chk_imei_bknd = $dbh->prepare($q2);
$chk_imei_bknd->bindParam(':type_no', $type_no);
$chk_imei_bknd->execute();
if ($chk_imei_bknd->rowCount() == 0) {
$validation_code = (string)generateValidationCode(6);
$request_id = (string)generateRequestID(15);
$q3 = "INSERT INTO api_db (mobile) VALUES (:mobile)";
$ins_info_bknd = $dbh->prepare($q3);
$ins_info_bknd->bindParam(':mobile', $mobile);
$ins_info_bknd->execute();
}
To check for errors I am using a function like the following:
function chkSyntax($dbh, $stmt, $query) {
$stmt = $dbh->prepare($query);
if (!$stmt) {
echo "\nPDO::errorInfo():\n";
print_r($dbh->errorInfo());
}
}
And then I'm calling it like this:
chkSyntax($dbh, $chk_mob_switch, $q1);
What am I doing wrong?

PHP, using Joomla, algorithm, networking if else,

Hi, I have a question: whenever I insert this code
if ($pointsreach>=$tempunilevel ){
mysql_query("UPDATE `incentives_table` SET pointsreach = pointsreach +500 where userid = '$newsponsorid' ");
the if statement does not work anymore
if (count($items) >0 && $lev <= 10 ){ // found get sponsor id for the next computation
$sponsorid = $items->upline; //sponsor id
but when I remove the
if ($pointsreach>=$tempunilevel ){
mysql_query("UPDATE `incentives_table` SET pointsreach = pointsreach +500 where userid = '$newsponsorid' ");
the statement works perfectly ...
$query = " UPDATE `#__eds_incentives_table` SET `temp` = `temp` + 25 where `userid` = '$sponsorid' ";
$db->setQuery($query);
$db->query();
$mote = $this->entryuni($sponsorid, $lev + 1, +25);
}
else {
return 'ok';
}
This is the code
public function entryuni($newsponsorid = null, $lev = 2, $fpv = 0)
{
$db = & JFactory::getDBO();
$query = "SELECT upline,fslot FROM `table` where userid = '$newsponsorid' ";
$db->setQuery($query);
$items = $db->loadObject();
$items = (!empty($items)) ? $items : array();
$queryreach = mysql_query("SELECT * FROM incentives_table WHERE userid = '$newsponsorid' ");
$fetchreach = mysql_fetch_array($queryreach);
$pointsreach=$fetchreach['pointsreach'];
$tempunilevel=$fetchreach['temp_unilevel'];
if ($pointsreach>=$tempunilevel ){
mysql_query("UPDATE `incentives_table` SET pointsreach = pointsreach +500 where userid = '$newsponsorid' ");
if (count($items) >0 && $lev <= 10 ){ // found get sponsor id for the next computation
$sponsorid = $items->upline; //sponsor id
$query = " UPDATE `#__eds_incentives_table` SET `temp` = `temp` + 25 where `userid` = '$sponsorid' ";
$db->setQuery($query);
$db->query();
$mote = $this->entryuni($sponsorid, $lev + 1, +25);
}
else {
return 'ok';
}

PDO query don't go to table SQL

I got a problem with PDO...
I have this code:
<center>
<?php
/*
$payid = $_GET["payid"];
$data = mysql_connect('localhost','cheapacc_ross2','dsaikoepwq2312','cheapacc_account');
mysql_select_db('cheapacc_account',$data);
$pay1 = mysql_query("SELECT ID,Categorie,Naam,Email,md5_ID FROM acount_Betalingen WHERE md5_ID = '".$payid."' ");
$pay = mysql_fetch_object($pay1);
if($pay){
echo 'betaling is gelukt';
}else{
echo 'Oops jij liegt ons voor?? '.$pay->md5_ID .mysql_error();
}
*/
$flag=0;
require_once '../../include/config.php';
require_once '../../include/processes.php';
$Login_Process = new Login_Process;
$Login_Process->check_status($_SERVER['SCRIPT_NAME']);
$type = base64_decode($_GET["t"]);
$amount = (int)base64_decode($_GET["a"]);
$host = "localhost";
$username = "root";
$password = "20101998";
$dbname = "ross23";
try
{
$db = new PDO("mysql:host=" . $host . ";dbname=" . $dbname, $username, $password);
}
catch(PDOException $e)
{
exit("Error database connection. E: " . $e);
}
$info = $_SESSION['info'];
if(!isset($_GET["t"]) || !isset($_GET["a"]) || !isset($_GET["h"]) || sha1(md5($info)) != $_GET["h"])
{
exit("1: FOUT! / You may not change the url, or you get a ip ban!");
}
if(isset($_GET["t"]) && isset($_GET["a"]) && isset($_GET["h"]) && sha1(md5($info)) == $_GET["h"])
{
$q = $db->query("SELECT COUNT(*) FROM account_" . $type . " ");
$count = $q->fetchColumn();
if($count < $amount)
{
die("Er zijn te weinig accounts voor jouw betaling, meld dit aan de administrator!");
}
for($i = 0; $i < $amount; $i++)
{
$flag=0;
$getid = $db->prepare("SELECT id FROM account_".$type." WHERE used = ?");
$getid->execute( array('0') );
$pid = $getid->fetch();
if($pid[0] == null)
{
exit("Er zijn geen accounts over, meld dit aan de administrator!");
}
$id = $pid[0];
$stmt = $db->prepare("SELECT * FROM account_" . $type . " WHERE id = ? AND used = ?");
$stmt->execute( array($id, '0') );
$result = $stmt->fetch();
if(!$result)
{
exit("2: FOUT! / You may not change the url, or you get a ip ban.");
}
$userinfo = $db->prepare("SELECT userid FROM cw_users WHERE info = ?");
$userinfo->execute( array($info) );
$userinfo = $userinfo->fetch();
$sql = $db->prepare("INSERT INTO account_lijst SET user_id = ? WHERE account = ?");
$sql->execute(array($userinfo[0], $result));
$user_id = $_SESSION['userid'] ;
// query
$sql = "INSERT INTO account_lijst (user_id,soort) VALUES (:user_id,:soort)";
$q = $db->prepare($sql);
$q->execute(array(':author'=>$user_id,
':title'=>$type));
$account_info = explode(":", $result[1]);
$html = "Account Username: " . $account_info[0] . "<br />";
$html .= "Account Password : " . $account_info[1];
$html .= "<br /><br />";
$flag = 1;
if ($flag==1){
$sql = $db->prepare("UPDATE account_" . $type . " SET used = ? WHERE ID = ?");
$sql->execute( array("1", $id) );
echo $html;
}
echo 'test';
}
}
Most of it works, but at INSERT INTO account_lijst
it doesn't work...
I checked everything and I think everything is fine :S...
Can someone help me with this code please?
*EDIT SQL
CREATE TABLE IF NOT EXISTS `account_lijst` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) NOT NULL,
`account` text NOT NULL,
`date` text NOT NULL,
`soort` text NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
On your query :
$sql = $db->prepare("INSERT INTO account_lijst SET user_id = ? WHERE account = ?");
$sql->execute(array($userinfo[0], $result));
Try that instead :
$sql = $db->prepare("INSERT INTO account_lijst SET user_id = :user_id WHERE account = :account");
$sql->bindValue(':user_id', $userinfo['0']);
$sql->bindValue(':account', $result);
$sql->execute();
Should work perfectly if the parameters you gave are the good ones?
If it doesn't, can you please dump the parameters used in the query and the table's structure so we can debug deeper? :)
Check your code; I guess there is (probably) an error near this line due to the way you wrote the WHERE clause:
$userinfo = $db->prepare("SELECT userid FROM cw_users WHERE info = ?");
Try this instead:
$userinfo = $db->prepare("SELECT userid FROM cw_users WHERE info = ' ? ' ");
As well, in your insert you should use a simple apostrophe in order to execute that insert:
$sql = $db->prepare("INSERT INTO account_lijst SET user_id = ? WHERE account = ?");
Hope it helps!!
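
An added example (not code from the question or the answers) of the two things the failing script needs: a table name taken from a fixed allow-list, since placeholders cannot bind identifiers, and an INSERT whose named placeholders match the keys passed to `execute()`. The in-memory SQLite schema, the `gold` type key and the `claimAccount` function are assumptions of this example.

```php
<?php
// Added example, not the poster's code. Constructed in-memory SQLite schema;
// account_lijst mirrors the columns of the table posted in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$db->exec('CREATE TABLE account_gold (id INTEGER PRIMARY KEY, account TEXT,
    used INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE account_lijst (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    account TEXT NOT NULL, date TEXT NOT NULL, soort TEXT NOT NULL)');
$db->exec("INSERT INTO account_gold (account) VALUES ('demo-user:demo-pass')");

// Placeholders bind values only. The table name comes from this fixed map
// (hypothetical key), so request data never becomes part of the SQL text.
const ACCOUNT_TABLES = ['gold' => 'account_gold'];

function claimAccount(PDO $db, string $type, int $userId): ?string
{
    if (!array_key_exists($type, ACCOUNT_TABLES)) {
        throw new InvalidArgumentException('unknown account type');
    }
    $table = ACCOUNT_TABLES[$type];
    $db->beginTransaction();
    try {
        $get = $db->prepare("SELECT id, account FROM $table WHERE used = 0 LIMIT 1");
        $get->execute();
        $row = $get->fetch(PDO::FETCH_ASSOC);
        $get->closeCursor();
        if ($row === false) {
            $db->rollBack();
            return null; // nothing left to hand out
        }
        // INSERT takes a column list and VALUES, never a WHERE clause, and
        // every placeholder name has a matching key in execute().
        $ins = $db->prepare('INSERT INTO account_lijst (user_id, account, date, soort)
                             VALUES (:user_id, :account, :date, :soort)');
        $ins->execute([':user_id' => $userId, ':account' => $row['account'],
                       ':date' => date('Y-m-d'), ':soort' => $type]);
        $db->prepare("UPDATE $table SET used = 1 WHERE id = :id")
           ->execute([':id' => $row['id']]);
        $db->commit();
        return $row['account'];
    } catch (Throwable $e) {
        $db->rollBack(); // the list entry and the used flag change together
        throw $e;
    }
}

var_dump(claimAccount($db, 'gold', 7)); // first call claims the demo row
var_dump(claimAccount($db, 'gold', 7)); // second call finds no unused row
```

With `PDO::ERRMODE_EXCEPTION` set, a placeholder name that has no matching key in `execute()` raises a `PDOException` instead of failing without a message.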
