mySQLi Prepared Statement - php

I have searched through a lot of questions that have been posted by other people and I still can't find what's wrong with my code. There isn't much I could find out there similar to mine, and most of what I found is in the OO style.
I have tried this:
$query = "SELECT * FROM userinfo WHERE (username = '?')";
if($stmt = mysqli_prepare($mysqli, $query))
{
mysqli_stmt_bind_param($stmt, "s", $login_username);
mysqli_stmt_execute($stmt);
}
AND:
$query = "SELECT re_password FROM userinfo WHERE (username = '?')";
if($stmt = mysqli_prepare($mysqli, $query))
{
mysqli_stmt_bind_param($stmt, "s", $login_username);
mysqli_stmt_execute($stmt);
}
And I'm still getting this message: mysqli_stmt_bind_param() [function.mysqli-stmt-bind-param]: Number of variables doesn't match number of parameters in prepared statement
I seriously need some big help. I used to do it in MySQL and I don't know, or rather have no idea about, the prepared-statement way of doing it. Now I'm learning MySQLi by myself and learning how to code using prepared statements at the same time. No matter how I look at the manual I still don't understand.
Also, is there any preference or advantages/disadvantages to code in OO or in procedural method?
Thanks guys!

Try replacing the '?' with ?:
$query = "SELECT * FROM userinfo WHERE username = ?";
if($stmt = mysqli_prepare($mysqli, $query))
{
mysqli_stmt_bind_param($stmt, "s", $login_username);
mysqli_stmt_execute($stmt);
}
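To see why the quoted placeholder breaks, here is an added example (not part of the question or the answer above): a small scanner that counts `?` markers the way the server's parser sees them, treating anything inside quotes as literal text. A quoted `'?'` is a one-character string value, so the statement prepares with zero parameters and the bind with one value is rejected. The function name and the sample queries are mine, the scanner does not handle SQL comments, and it needs no database to run.

```php
<?php
// Added example: count the parameter markers MySQL will actually see in a
// statement. A '?' inside a quoted string literal is data, not a marker, which
// is why "username = '?'" prepares with zero parameters and
// mysqli_stmt_bind_param() then reports that the counts do not match.
// (SQL comments are not handled; the sample queries contain none.)
function count_placeholders(string $sql): int
{
    $count = 0;
    $quote = null;                 // quote char we are currently inside, or null
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $ch = $sql[$i];
        if ($quote !== null) {
            if ($ch === '\\') {
                $i++;              // backslash escape: skip the escaped character
            } elseif ($ch === $quote) {
                if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                    $i++;          // doubled quote ('') is an escaped quote
                } else {
                    $quote = null; // literal closed
                }
            }
            continue;
        }
        if ($ch === "'" || $ch === '"' || $ch === '`') {
            $quote = $ch;          // entering a string literal or quoted identifier
        } elseif ($ch === '?') {
            $count++;
        }
    }
    return $count;
}

// The two forms from the question plus one with a '?' inside a literal,
// checked without a database (constructed sample queries):
$queries = [
    "SELECT * FROM userinfo WHERE (username = '?')",                 // quoted: 0 markers
    "SELECT * FROM userinfo WHERE username = ?",                     // unquoted: 1 marker
    "SELECT * FROM userinfo WHERE username = ? AND note = 'why?'",   // 1 marker; the '?' in the literal is ignored
];
foreach ($queries as $sql) {
    $n = count_placeholders($sql);
    printf("%d placeholder(s): %s\n", $n, $sql);
    echo $n === 1
        ? "  -> bind_param(\$stmt, 's', \$login_username) matches\n"
        : "  -> binding one value would fail with the error from the question\n";
}
```

Run it with `php` on the command line; the first query reports 0 placeholders, the other two report 1.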

Related

PHP MySQLi Parameterized Query not functioning

I am updating my current unprotected queries to parameterized ones to protect from SQL Injection.
I have spent a few hours trying to sort this, however I can't find the issue; any help much appreciated.
BEFORE (echo $row['storeID']; works here)
$storeName = mysqli_real_escape_string($conn,$_GET['store']);
$query = "SELECT * FROM stores WHERE storeName = '$storeName'";
$results = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($results);
AFTER
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
$row = mysqli_stmt_fetch($stmt);
This echo should work, but using statements it does not:
echo $row['storeID'];
If you look at the documentation for mysqli_stmt_fetch you'll see this description:
Fetch results from a prepared statement into the bound variables
So if you want to go this route, you'll need to use mysqli_stmt_bind_result as well:
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $col1, $col2, $col3,...);
while (mysqli_stmt_fetch($stmt)) {
// do stuff with $col1, $col2, etc.
}
Now, with each iteration of the loop, the bound result variables are given the value from the result set.
However, I'd strongly suggest moving to PDO, which is far less verbose:
$storeName = $_GET['store'];
$stmt = $db->prepare("SELECT * FROM stores WHERE storeName = ?");
$stmt->execute([$storeName]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// now you have a simple array with all your results
foreach ($rows as $row) {
// do stuff with $row
}
You were missing a call to mysqli_stmt_get_result before fetching the row:
$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
echo $row['storeID']; // the column the question echoes
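Added example, not code from the question or either answer: the same parameterised lookup fetched both ways in one script, with mysqli error reporting switched to exceptions so that a failing prepare or execute stops the script instead of silently handing back `false` (which is what makes `$row['storeID']` look "broken"). The connection details, the `stores` column names and the function names are assumptions.

```php
<?php
// Added example: one parameterised lookup, two fetch routes, errors as exceptions.
// Credentials and the `stores` table layout are assumptions for the example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
mysqli_set_charset($conn, 'utf8mb4');

// Route 1: mysqli_stmt_get_result() turns the statement into an ordinary result
// set, so mysqli_fetch_assoc() works exactly as it did with mysqli_query().
// It needs the mysqlnd driver, hence the function_exists() check.
function find_store_by_name_assoc(mysqli $conn, string $storeName): ?array
{
    if (!function_exists('mysqli_stmt_get_result')) {
        throw new RuntimeException('mysqli_stmt_get_result() needs the mysqlnd driver');
    }
    $stmt = mysqli_prepare($conn, "SELECT storeID, storeName FROM stores WHERE storeName = ?");
    mysqli_stmt_bind_param($stmt, 's', $storeName);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($result);      // null when nothing matched
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Route 2: bind output columns to variables; every mysqli_stmt_fetch() call
// fills them with the next row. Works without mysqlnd, but you must list each
// selected column, so SELECT * is a poor fit for this route.
function find_store_by_name_bound(mysqli $conn, string $storeName): ?array
{
    $stmt = mysqli_prepare($conn, "SELECT storeID, storeName FROM stores WHERE storeName = ?");
    mysqli_stmt_bind_param($stmt, 's', $storeName);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storeID, $name);
    $row = null;
    if (mysqli_stmt_fetch($stmt)) {
        $row = ['storeID' => $storeID, 'storeName' => $name];
    }
    mysqli_stmt_close($stmt);
    return $row;
}

// Untrusted input goes straight into the parameter: the driver sends it to the
// server separately from the SQL text, so no escaping is needed (or wanted).
$requested = $_GET['store'] ?? '';
$store = find_store_by_name_assoc($conn, $requested);   // find_store_by_name_bound() returns the same shape
if ($store === null) {
    echo "no such store\n";
} else {
    echo "storeID: ", $store['storeID'], "\n";
}
```

Both functions return the same associative array, so the rest of the page can stay the same whichever route the host's PHP build supports.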

PHP MySQL Prepared Statement Doesn't Fetch from View

I finished developing my website on my local PC, and it's working fine. Now, after I shifted the PHP scripts and file to my web host directory, I started facing issues especially with Prepared Statements.
Briefly, when I execute prepared statement against a table, it returns value, but when executing it against a view, it doesn't.
$con = mysqli_connect($a["server"], $a["username"], $a["password"], $a["database"]);
$sql = "SELECT ID FROM table WHERE ALIAS = ?";
$stmt = mysqli_prepare($con,$sql);
mysqli_stmt_bind_param($stmt, "s", $_GET["alias"]);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
echo "ID: $id";
$id has value, but when I select from view
$sql = "SELECT ID FROM view WHERE ALIAS = ?";
$stmt = mysqli_prepare($con,$sql);
mysqli_stmt_bind_param($stmt, "s", $_GET["alias"]);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
echo "ID: $id";
$id is empty, and if I select from view using mysqli_query(), then it would get a value. Can you please help in resolving this issue.
Note: at beginning I set
mysqli_report(MYSQLI_REPORT_OFF);
Thanks

Prepare Statement not fetching/binding any result. PHP [duplicate]

This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
I wanted to make this query with a prepared statement, but somehow it doesn't fetch any data. The username I type in the form is in the database, so I guess the problem must be somewhere in the prepared stmt.
if(isset($_POST['login'])){
$typed_username = mysqli_real_escape_string($connection, $_POST['login_username']);
$typed_password = $_POST['login_password'];
$column = "username";
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user_password);
if(mysqli_stmt_num_rows($stmt) < 1){
echo "no results";
}
if(password_verify($typed_password, $user_password)){
echo "login yeah!";
}
}
I get "no results" no matter what I try.
Although I've added a comment on how to solve this, I guess for your learning purpose I should add the solution here.
This becomes a very simple solution if $column = "username"; never changes.
If this is the case; you must change your prepare from this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE ? = ?");
to this:
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
Following that change, you no longer need to bind $column (mysql says binding a column is pointless anyway because it won't accept it.)
So your bind_param changes from:
mysqli_stmt_bind_param($stmt, "ss", $column, $typed_username);
to this (you no longer need mysqli_real_escape_string, so you can throw the $_POST directly into the query):
mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
Therefore, your overall code now looks like:
if(isset($_POST['login'])){
$typed_password = $_POST['login_password'];
$stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $_POST['login_username']);
mysqli_stmt_execute($stmt);
// store (buffer) the result first: mysqli_stmt_num_rows only counts buffered rows
mysqli_stmt_store_result($stmt);
mysqli_stmt_bind_result($stmt, $user_password);
// now we can use mysqli_stmt_num_rows
if(mysqli_stmt_num_rows($stmt) < 1){
echo "no results";
}
// added an else here as I said in the comments
else {
// you were missing fetch: this is the call that fills $user_password
mysqli_stmt_fetch($stmt);
if(password_verify($typed_password, $user_password)){
echo "login yeah!";
}
}
}
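The answer's point generalises: a `?` can only stand in for a value, never for a column or table name. When the column genuinely has to vary (say, login by username or by e-mail), the safe pattern is an allow-list of identifiers the code itself owns, while the user-supplied value is still bound. Added example, not part of the question or answer; the `LOGIN_COLUMNS` list, the `email` column and the function names are assumptions.

```php
<?php
// Added example: dynamic column chosen from a fixed allow-list, value still bound.
// Table/column names and credentials are assumptions for the example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The only identifiers this code will ever splice into SQL text.
const LOGIN_COLUMNS = ['username' => true, 'email' => true];

function fetch_password_hash(mysqli $connection, string $column, string $identifier): ?string
{
    if (!isset(LOGIN_COLUMNS[$column])) {
        throw new InvalidArgumentException("not a permitted login column: $column");
    }
    // $column is now one of our own literals, so building the SQL text from it
    // is safe; backticks guard against it ever being a reserved word.
    $stmt = mysqli_prepare($connection, "SELECT user_password FROM users WHERE `$column` = ?");
    mysqli_stmt_bind_param($stmt, 's', $identifier);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);          // buffer first, so num_rows is meaningful
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_num_rows($stmt) === 1 && mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? $hash : null;
}

function login(mysqli $connection, string $column, string $identifier, string $password): bool
{
    $hash = fetch_password_hash($connection, $column, $identifier);
    // Verify against a dummy hash when the account is unknown, so a failed
    // login takes about the same time whether or not the user exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash ?? $dummy);
    return $hash !== null && $ok;
}

if (isset($_POST['login'])) {
    $connection = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
    // Map the form's choice onto an allow-listed name; anything else falls back to 'username'.
    $column = (($_POST['login_by'] ?? 'username') === 'email') ? 'email' : 'username';
    $identifier = $_POST['login_username'] ?? '';
    $password = $_POST['login_password'] ?? '';
    echo login($connection, $column, $identifier, $password) ? "login yeah!" : "no results";
}
```

Note the order inside `fetch_password_hash`: execute, store_result, bind_result, then num_rows and fetch. Calling num_rows before the result is buffered, or fetch before bind_result, is what produces the empty `$user_password` from the question.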

How to use transactions in php to execute multiple queries but preventing SQL INJECTIONS

I am trying to execute two SQL queries at the same time with mysqli::multi_query and it works. Using this method I am not preventing SQL injections. The multi_query method is not supported for prepared statements, so I searched on the Internet for what to do instead of this. "TRANSACTIONS" was the solution. I wrote my code like this but it doesn't work. None of these queries is executed. I want them to execute at the same time. Can anyone tell me where I am wrong?
<?php
$conn = new mysqli('localhost', 'root', '', 'security');
mysqli_autocommit($conn, FALSE);
$sql = 'update users set name=?,surname=?,nickname=?,rfidcode=? where rfidcode=?';
$sql2="delete from access_rights where users_rfidcode=?";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, 'sssss', $name,$surname,$nickname,$rfid,$rfidcode);
$stmt1 = mysqli_prepare($conn, $sql2);
mysqli_stmt_bind_param($stmt1, 's', $rfidcode);
mysqli_stmt_execute($stmt);
mysqli_stmt_execute($stmt1);
?>
Queries are ok because I have tested them and they work fine. Where can the problem be ?
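Added example, not the question's code: the same two prepared statements run inside one transaction. A transaction does not make statements run simultaneously; it guarantees that either both changes are committed or neither is. With autocommit switched off, nothing reaches the tables until `mysqli_commit()` is called, which the snippet above never does, and the uncommitted work is discarded when the script's connection closes. The function name, the "exactly one user" rule and the placeholder credentials are mine.

```php
<?php
// Added example: two parameterised statements, one atomic unit of work.
// Credentials and the form field names are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect('localhost', 'app_user', 'app_password', 'security');

function replace_user(mysqli $conn, string $name, string $surname, string $nickname,
                      string $newRfid, string $oldRfid): void
{
    mysqli_begin_transaction($conn);
    try {
        $upd = mysqli_prepare($conn,
            'UPDATE users SET name = ?, surname = ?, nickname = ?, rfidcode = ? WHERE rfidcode = ?');
        mysqli_stmt_bind_param($upd, 'sssss', $name, $surname, $nickname, $newRfid, $oldRfid);
        mysqli_stmt_execute($upd);
        $updated = mysqli_stmt_affected_rows($upd);
        mysqli_stmt_close($upd);

        $del = mysqli_prepare($conn, 'DELETE FROM access_rights WHERE users_rfidcode = ?');
        mysqli_stmt_bind_param($del, 's', $oldRfid);
        mysqli_stmt_execute($del);
        mysqli_stmt_close($del);

        if ($updated !== 1) {
            // Rule for this example: refuse to touch access rights for an RFID
            // code that matched no user, or more than one.
            throw new RuntimeException("expected exactly one user for rfidcode $oldRfid, got $updated");
        }
        mysqli_commit($conn);        // both changes become visible together
    } catch (Throwable $e) {
        mysqli_rollback($conn);      // neither change is kept
        throw $e;
    }
}

replace_user(
    $conn,
    $_POST['name'] ?? '',
    $_POST['surname'] ?? '',
    $_POST['nickname'] ?? '',
    $_POST['rfid'] ?? '',
    $_POST['rfidcode'] ?? ''
);
```

Because the driver fails with an exception in `MYSQLI_REPORT_STRICT` mode, any error in either statement lands in the `catch` and rolls the whole unit back; the `throw $e` keeps the failure visible to the caller instead of swallowing it.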

Updating old mysqli code to new PHP 5.4

I have recently updated the PHP on my server to 5.4 and I was going through my code updating it to match. When I got to the point of upgrading my database queries I began having problems that I cannot solve. Everything worked before and all I have been changing about the SQL is the procedural call function names. For example:
$stmt = mysqli_prepare($mysqli, “SQL query”);
now becomes,
$sqlReq = "SQL query";
$stmt = mysqli_stmt_init($mysqli);
mysqli_stmt_prepare($stmt, $sqlReq);
I have gone through many forms of error checking and now know that,
mysqli_stmt_prepare($stmt, $sqlReq);
is returning “false” so I get the error:
Warning: mysqli_stmt_bind_param(): invalid object or resource mysqli_stmt in /file/location/
for the bind parameters. In the code below I have removed the error checking because I know that it will fail any error checking, but I don't understand why. So what I am asking is: what am I doing wrong with the new mysqli for PHP 5.4?
$mysqli = mysqli_connect('localhost', 'my_user', 'my_password', 'my_db');
$sqlReq = "SELECT * FROM table_name WHERE column_name = ?";
$stmt = mysqli_stmt_init($mysqli);
mysqli_stmt_prepare($stmt, $sqlReq);
mysqli_stmt_bind_param($stmt, "s", $variable0);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
mysqli_stmt_bind_result($stmt, $variable1, $variable2, $variable3);
mysqli_stmt_close($stmt);
mysqli_close($mysqli);
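When `mysqli_stmt_prepare()` returns false, the server has already said why (bad SQL, unknown table or column, wrong database), and `mysqli_stmt_error()` carries that message. Added example, not the question's code: a helper that keeps the `mysqli_stmt_init()` / `mysqli_stmt_prepare()` style from the question but checks every return value, compares the number of markers the server parsed against the values supplied, and shows the fetch loop the question's code omits. The helper name, the column names and the credentials are assumptions.

```php
<?php
// Added example: explicit error checking around mysqli_stmt_init/prepare.
// Names, columns and credentials are assumptions for the example.
function prepare_checked(mysqli $mysqli, string $sql, string $types = '', mixed ...$vars): mysqli_stmt
{
    $stmt = mysqli_stmt_init($mysqli);
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        // The server's own explanation of the failure lives on the statement object.
        throw new RuntimeException(sprintf('prepare failed (%d): %s -- %s',
            mysqli_stmt_errno($stmt), mysqli_stmt_error($stmt), $sql));
    }
    $expected = mysqli_stmt_param_count($stmt);   // markers the server actually parsed
    if ($expected !== count($vars) || strlen($types) !== count($vars)) {
        throw new InvalidArgumentException(sprintf(
            'statement expects %d parameter(s), got %d value(s) and types "%s"',
            $expected, count($vars), $types));
    }
    if ($expected > 0) {
        mysqli_stmt_bind_param($stmt, $types, ...$vars);
    }
    return $stmt;
}

$mysqli = mysqli_connect('localhost', 'my_user', 'my_password', 'my_db');
if (!$mysqli) {
    die('connect failed: ' . mysqli_connect_error());
}

// SQL text is assigned BEFORE it is used; bind_result needs the column list to
// match, so the columns are named instead of SELECT *.
$sqlReq = "SELECT col1, col2, col3 FROM table_name WHERE column_name = ?";
$variable0 = $_GET['value'] ?? '';
$stmt = prepare_checked($mysqli, $sqlReq, 's', $variable0);
if (!mysqli_stmt_execute($stmt)) {
    die('execute failed: ' . mysqli_stmt_error($stmt));
}
mysqli_stmt_store_result($stmt);
mysqli_stmt_bind_result($stmt, $variable1, $variable2, $variable3);
while (mysqli_stmt_fetch($stmt)) {            // the fetch loop missing from the question's code
    echo "$variable1 / $variable2 / $variable3\n";
}
mysqli_stmt_close($stmt);
mysqli_close($mysqli);
```

If prepare fails here, the exception message names the SQL text and the server's error, which is usually enough to spot a mistyped table or column name or a missing database grant.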
