Warning: PDOStatement::execute(): SQLSTATE[HY093]: - php

I am trying to start getting to grips with PHP and also PDO. As I am starting now, I hear that PDO is more beneficial, that is why I am not using the more popular mysqli.
I am having trouble getting data inserted into my db using PDO. I wanted to try and use prepared statements to minimize sql injection. I have tried many ways and keep hitting a brick wall.
I could do with some pointers please.
Here is the error message.
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\wamp\www\test-search\insert_property.php on line 61
This is the relevant php code.
// Insert Property
// Include db
include 'db_connect_pdo.php';
include 'defines.php';
try {
// create SQL
$sql = "INSERT INTO property (pid, title, intro_en, description_en, bedrooms,
bathrooms, address, city, country, stype, ptype, price)
VALUES(:pid, :title, :intro_en, :description_en, :bedrooms, :bathrooms, :address,
:city, :country, :stype, :ptype, :price)";
// prepare the statement
$stmt = $conn->prepare($sql);
// bind the parameters and execute the statement
$stmt->bindValue(':pid', $pid);
$stmt->bindValue(':title', $title);
$stmt->bindValue(':intro_en', $intro_en);
$stmt->bindValue(':description_', $description_en);
$stmt->bindValue(':bedrooms', $bedrooms);
$stmt->bindValue(':bathrooms', $bathrooms);
$stmt->bindValue(':address', $address);
$stmt->bindValue(':city', $city);
$stmt->bindValue(':country', $country);
$stmt->bindValue(':stype', $stype);
$stmt->bindValue(':ptype', $ptype);
$stmt->bindValue(':price', $price);
// execute the statement
$stmt->execute();
}
catch (Exception $e)
{
echo $e->getMessage();
}
$conn = null;
?>
Not sure where it is going wrong, any advice will be greatly appreciated.

Your error is this line:
$stmt->bindValue(':description_', $description_en);
Should be:
$stmt->bindValue(':description_en', $description_en);

Related

Error PDO insert: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

I'm trying to insert with PDO id_facebook (mysql bigint), name (mysql varchar) and email (mysql varchar), but can not resolve this error, the PDO syntax looks correct, what can it be?
public static function inserirUsuarioFacebook($id_facebook, $nome, $email)
{
try
{
$pdo = Conexao::getInstance();
$consulta = $pdo->prepare("INSERTO INTO usuario_facebook (id_facebook, nome, email) VALUES (:id_facebook, ':nome', ':email')");
$consulta->bindParam(':id_facebook', $id_facebook, PDO::PARAM_INT);
$consulta->bindParam(':nome', $nome, PDO::PARAM_STR);
$consulta->bindParam(':email', $email, PDO::PARAM_STR);
$consulta->execute();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
You don't quote placeholders. That turns them into strings, not placeholders:
... VALUES(:id_facebook, :nome, :email)
^----^-^-----^--- note the lack of quotes
is all that's required
The whole point of placeholders is to remove any need for quoting/escaping. The DB engine takes care of all that for you.
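Added example, not code from either question or answer above: a small pre-flight check that extracts the placeholders PDO will actually see in a query (string literals are stripped first, which is exactly why a quoted ':nome' is a literal and not a parameter) and compares them with the values about to be bound, so a typo such as :description_ is reported by name instead of as SQLSTATE[HY093]. It runs against an in-memory SQLite database (the pdo_sqlite extension is assumed; the property columns are a subset taken from the first question) and needs PHP 7.4 or later for arrow functions.

```php
<?php
// Added example (not from the posts above): report placeholder/binding
// mismatches before PDO does, with a clearer message. Uses SQLite in memory
// so it runs without a MySQL server; the schema is constructed for the demo.

declare(strict_types=1);

/**
 * Return the named placeholders PDO will see in $sql.
 * String literals are removed first: a ':name' inside quotes belongs to the
 * literal and is not a placeholder.
 */
function placeholders_in(string $sql): array
{
    $noStrings = preg_replace('/\'(?:[^\'\\\\]|\\\\.)*\'|"(?:[^"\\\\]|\\\\.)*"/s', "''", $sql);
    preg_match_all('/(?<![:\w]):([A-Za-z_][A-Za-z0-9_]*)/', $noStrings, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Compare the placeholders in $sql with the keys of $params and describe each
 * mismatch. Returns an empty array when the two sets agree.
 */
function binding_mismatches(string $sql, array $params): array
{
    $inSql = placeholders_in($sql);
    $bound = array_map(fn($k): string => ltrim((string)$k, ':'), array_keys($params));
    $problems = [];
    foreach (array_diff($inSql, $bound) as $name) {
        $problems[] = "placeholder :$name appears in the SQL but nothing is bound to it";
    }
    foreach (array_diff($bound, $inSql) as $name) {
        $problems[] = "a value is bound to :$name but the SQL has no such placeholder";
    }
    return $problems;
}

/** Check, prepare and execute an INSERT; returns the number of inserted rows. */
function insert_property(PDO $pdo, string $sql, array $params): int
{
    $problems = binding_mismatches($sql, $params);
    if ($problems !== []) {
        // Fail early with a precise message instead of "parameter was not defined".
        throw new InvalidArgumentException(implode('; ', $problems));
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database (constructed schema, assumed pdo_sqlite).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // execute() throws instead of returning false plus a warning
]);
$pdo->exec('CREATE TABLE property (pid INTEGER PRIMARY KEY, title TEXT, intro_en TEXT, description_en TEXT)');

$sql = 'INSERT INTO property (pid, title, intro_en, description_en)
        VALUES (:pid, :title, :intro_en, :description_en)';

// 1. Typo in the bound name, as in the first question (:description_ instead of :description_en).
try {
    insert_property($pdo, $sql, [':pid' => 1, ':title' => 'Flat', ':intro_en' => 'Hi', ':description_' => 'Long text']);
} catch (InvalidArgumentException $e) {
    error_log('binding error: ' . $e->getMessage()); // log it; do not echo SQL details to the browser
}

// 2. Placeholder inside quotes, as in the second question: ':title' is a literal,
//    so placeholders_in() reports only pid.
$quoted = "INSERT INTO property (pid, title) VALUES (:pid, ':title')";
var_dump(placeholders_in($quoted));

// 3. Names agree with the SQL: the row is inserted.
$rows = insert_property($pdo, $sql, [':pid' => 2, ':title' => 'House', ':intro_en' => 'Hi', ':description_en' => 'Long text']);
var_dump($rows);
```

The catch block logs the message rather than echoing it, unlike the `echo $e->getMessage();` in both questions: PDO error text carries table and column names that a visitor has no need to see.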

PHP SQL Prepared Statement: Fatal Error Call To Member Function

I've been trying to get prepared statements working - however, I keep running into the following error
Fatal error: Call to a member function bindParam() on a non-object on line 41
I have copied exactly many tutorials and even the provided code did not work and threw the same error.
My code is below:
$mysqli = new mysqli(connect, username,pass, datatbase);
$name = 'Tester';
if (mysqli_connect_errno()) {
printf("Can't connect to MySQL Server. Errorcode: %s\n", mysqli_connect_error());
}
$stmt = $mysqli->prepare("INSERT INTO Parks VALUES (null,?,?,?,?,?,?,?,?,?,?,?,?,?,Now(),?,?,?, 0, 0, 0)");
if ($stmt === FALSE) {
die ("Mysql Error: " . $mysqli->error);
}
$stmt->bind_param('ssssssssssssssss', $name, $theme, $size, $mountains, $hills, $river, $lake, $island, $setofislands, $ocean, $waterfalls, $file, $image, $description, $author,$cs);
$stmt->execute();
$stmt->close();
$mysqli->close();
It's the BindParam Line causing the error.
thanks in advance :)
EDIT: Error resolved, however, no data is being inserted into the database.
EDIT: Updated query, database contains VARCHARs except for Description which is LONGTEXT. The final 3 are ints/doubles and there is a current date field.
bindParam is the PDO function. You are using mysqli so try bind_param instead. Where you have 'name' should also be the type definition, so you need 's' for string.
E.g:
$stmt->bind_param('s', $name);
Edit: Although saying that, the error doesn't say the function is incorrect. It says the object doesn't exist... Running this code would give you information as to why the prepare is failing.
$stmt = $mysqli->prepare("INSERT INTO 'Parks' VALUES(null, ?");
if ($stmt === FALSE) {
die ("Mysql Error: " . $mysqli->error);
}
Most likely the prepare is failing as the SQL is incorrect (My guess is the table name 'Parks' should NOT be in quotes)
Edit 2: My guess for it still not working is:
$stmt->bindParam('name', $name);
Where you have 'name' should actually be the variable type, as in integer, double, string, etc. This is so the database knows what your variable is.
Try replacing that line with:
$stmt->bindParam('s', $name);

PDO Invalid Bound Parameter Number

So, I'm getting the following error using PHP's PDO:
SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
Now, as far as I understand, this error only occurs when a parameter is used in a query, but then never properly bound. Typos, for example, make this a common error.
The problem is... I can't seem to find the issue! I've gone through each parameter several times, and can't find any disparities. Could something else be causing this issue? Am I just scrolling over an obvious typo that requires a second set of eyes to see? Any help would be hugely appreciated! Note that the error is occurring on the execute(), if that matters to you.
$sth = $dbh->prepare("
INSERT INTO administrators
(
org_id,
admin_email,
passwd,
passwd_salt,
announcements,
logo,
design,
content,
layout,
services,
contributions_edit,
contributions_report,
contributions_enable,
pledges,
calendar,
event,
survey,
email,
caller,
bulletin,
prayer,
email_newsletter,
member_add,
member_edit,
passwd_reset,
spotlight,
profile_status,
groups,
attendance,
sermons,
church_info,
mail_merge,
file_upload,
admin_name,
administrators,
newsletter,
outreach,
charts,
streaming
)
VALUES
(
:org_id,
:admin_email,
:passwd,
:passwd_salt,
:announcements,
:logo,
:design,
:content,
:layout,
:services,
:contributions_edit,
:contributions_report,
:contributions_enable,
:pledges,
:calendar,
:event,
:survey,
:email,
:caller,
:bulletin,
:prayer,
:email_newsletter,
:member_add,
:member_edit,
:passwd_reset,
:spotlight,
:profile_status,
:groups,
:attendance,
:sermons,
:church_info,
:mail_merge,
:file_upload,
:admin_name,
:administrators,
:newsletter,
:outreach,
:charts,
:streaming
)
");
$sth->bindParam(':org_id,', $org_id);
$sth->bindParam(':admin_email', $admin_email);
$sth->bindParam(':passwd', $passwd);
$sth->bindParam(':passwd_salt', $passwd_salt);
$sth->bindParam(':announcements', $announcements);
$sth->bindParam(':logo', $logo);
$sth->bindParam(':design', $design);
$sth->bindParam(':content', $content);
$sth->bindParam(':layout', $layout);
$sth->bindParam(':services', $services);
$sth->bindParam(':contributions_edit', $contributions_edit);
$sth->bindParam(':contributions_report', $contributions_report);
$sth->bindParam(':contributions_enable', $contributions_enable);
$sth->bindParam(':pledges', $pledges);
$sth->bindParam(':calendar', $calendar);
$sth->bindParam(':event', $event);
$sth->bindParam(':survey', $survey);
$sth->bindParam(':email', $email);
$sth->bindParam(':caller', $caller);
$sth->bindParam(':bulletin', $bulletin);
$sth->bindParam(':prayer', $prayer);
$sth->bindParam(':email_newsletter', $email_newsletter);
$sth->bindParam(':member_add', $member_add);
$sth->bindParam(':member_edit', $member_edit);
$sth->bindParam(':passwd_reset', $passwd_reset);
$sth->bindParam(':spotlight', $spotlight);
$sth->bindParam(':profile_status', $profile_status);
$sth->bindParam(':groups', $groups);
$sth->bindParam(':attendance', $attendance);
$sth->bindParam(':sermons', $sermons);
$sth->bindParam(':church_info', $church_info);
$sth->bindParam(':mail_merge', $mail_merge);
$sth->bindParam(':file_upload', $file_upload);
$sth->bindParam(':admin_name', $admin_name);
$sth->bindParam(':administrators', $administrators);
$sth->bindParam(':newsletter', $newsletter);
$sth->bindParam(':outreach', $outreach);
$sth->bindParam(':charts', $charts);
$sth->bindParam(':streaming', $streaming);
$sth->execute();
Thanks so much!
$sth->bindParam(':org_id,', $org_id);
^
|
|_____________ This , is intentional? i guess not.
$sth->bindParam(':admin_email', $admin_email);
$sth->bindParam(':passwd', $passwd);
$sth->bindParam(':passwd_salt', $passwd_salt);
$sth->bindParam(':announcements', $announcements);
$sth->bindParam(':logo', $logo);
$sth->bindParam(':design', $design);
$sth->bindParam(':content', $content);
$sth->bindParam(':layout', $layout);
$sth->bindParam(':services', $services);
$sth->bindParam(':contributions_edit', $contributions_edit);
$sth->bindParam(':contributions_report', $contributions_report);
$sth->bindParam(':contributions_enable', $contributions_enable);
$sth->bindParam(':pledges', $pledges);
$sth->bindParam(':calendar', $calendar);
$sth->bindParam(':event', $event);
$sth->bindParam(':survey', $survey);
$sth->bindParam(':email', $email);
$sth->bindParam(':caller', $caller);
$sth->bindParam(':bulletin', $bulletin);
$sth->bindParam(':prayer', $prayer);
$sth->bindParam(':email_newsletter', $email_newsletter);
$sth->bindParam(':member_add', $member_add);
$sth->bindParam(':member_edit', $member_edit);
$sth->bindParam(':passwd_reset', $passwd_reset);
$sth->bindParam(':spotlight', $spotlight);
$sth->bindParam(':profile_status', $profile_status);
$sth->bindParam(':groups', $groups);
$sth->bindParam(':attendance', $attendance);
$sth->bindParam(':sermons', $sermons);
$sth->bindParam(':church_info', $church_info);
$sth->bindParam(':mail_merge', $mail_merge);
$sth->bindParam(':file_upload', $file_upload);
$sth->bindParam(':admin_name', $admin_name);
$sth->bindParam(':administrators', $administrators);
$sth->bindParam(':newsletter', $newsletter);
$sth->bindParam(':outreach', $outreach);
$sth->bindParam(':charts', $charts);
$sth->bindParam(':streaming', $streaming);
$sth->execute();

PHP PDO Prepared Statements and Value Binding Gives Invalid Parameter Number Error

I'm having a slight problem with the PHP PDO library and prepared statements. As far as I can see the prepared statement below should work but it doesn't, instead I get: "PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens".
My PHP code for this section looks like:
$sql = 'INSERT INTO '.POLYGON_TABLE.' (user_id, polygon, polygon_type) VALUES (:userId, PolygonFromText(\'POLYGON((:polygonArea))\'), :polygonType)';
$sth = $this->pdo->prepare($sql);
$sth->bindValue(':userId', $polygon->getUserId(), \PDO::PARAM_INT);
$sth->bindValue(':polygonArea', $polygon->getPolygonAsText(), \PDO::PARAM_STR);
$sth->bindValue(':polygonType', $polygon->getPolygonType(), \PDO::PARAM_STR);
if($sth->execute()) {
return true;
} else {
return false;
}
I have done a var_dump of $polygon->getUserId(), $polygon->getPolygonAsText() and $polygon->getPolygonType() and get the following:
string(1) "1"
string(226) "53.897910476098765 -1.739655277929728, 53.865530797116 -2.080231449804728, 53.67235280490181 -2.006073734960978, 53.68862047002787 -1.621552250585978, 53.89305512284903 -1.539154789648478, 53.897910476098765 -1.739655277929728"
string(7) "commute"
The issue is with $polygon->getPolygonAsText() as commenting out this particular bindValue call and the PolygonFromText(\'POLYGON((:polygonArea))\') from the SQL statement causes the query to work.
I'm now completely at a loss. Anyone know what's wrong here? I can't see anything wrong with the text contained within $polygon->getPolygonAsText(). I have searched high and low for a solution to this and spent several hours this evening tinkering with the code but to no avail.
I have even tried the suggestions in these 2 stack overflow topics but they didn't work either:
Invalid parameter number on PDO Prepared Statement
PHP PDO prepared statements
Any help would be much appreciated...
Did you try passing in the entire expression as the bind value?
$sql = 'INSERT INTO '.POLYGON_TABLE.' (user_id, polygon, polygon_type) VALUES (:userId, PolygonFromText(:polygonArea), :polygonType)';
$sth = $this->pdo->prepare($sql);
$area = sprintf("POLYGON((%s))", $polygon->getPolygonAsText());
$sth->bindValue(':userId', $polygon->getUserId(), \PDO::PARAM_INT);
$sth->bindValue(':polygonArea', $area, \PDO::PARAM_STR);
$sth->bindValue(':polygonType', $polygon->getPolygonType(), \PDO::PARAM_STR);
It appears that you're trying to use a named parameter inside a string:
PolygonFromText(\'POLYGON((:polygonArea))\')
This would be akin to doing something like this:
UPDATE foo SET bar = 'blah blah :wontwork blah blah'
What you should try instead is binding the whole string in the query:
PolygonFromText(:polygonArea)
And then including the rest of the string in the bound value:
$sth->bindValue(':polygonArea', 'POLYGON((' . $polygon->getPolygonAsText() . '))', \PDO::PARAM_STR);
Last resort you could do this:
$sql = "INSERT INTO ".POLYGON_TABLE." (user_id, polygon, polygon_type) "
."VALUES (:userId, PolygonFromText('POLYGON((". $polygon->getPolygonAsText()
."))'),:polygonType)";
But I think you should try the ? params first and see how that goes.
$sql = "INSERT INTO ".POLYGON_TABLE." (user_id, polygon, polygon_type) "
."VALUES (?, PolygonFromText('POLYGON(?)'), ?);";
$sth = $this->pdo->prepare($sql);
$data = array($polygon->getUserId(), $polygon->getPolygonAsText(), $polygon->getPolygonType());
$sth->execute($data);
Btw, I also think those single quotes around the POLYGON(?) function are dodgy... usually you don't quote a method call do you?
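Added example, not code from the question or the answers above: it applies the advice to bind the whole WKT string to one placeholder that is the argument of the spatial function, and it builds that string in PHP from a list of numeric pairs so the bound value can only contain digits, signs, points, spaces, commas and parentheses. POLYGON_TABLE, the column names and PolygonFromText() come from the question; the polygon_wkt() helper, the 'polygons' table name and the commented-out DSN are assumptions.

```php
<?php
// Added example (not from the posts above): build the WKT in PHP and bind it
// as a single value; the function call stays in the SQL text.

declare(strict_types=1);

// Assumed value; the question only shows the constant name.
define('POLYGON_TABLE', 'polygons');

/**
 * Turn a list of [lat, lon] pairs into "POLYGON((lat lon, ...))".
 * Every coordinate must be a finite number; the ring is closed by repeating
 * the first point if the caller did not do so. Formatting the numbers here
 * means the bound string never contains anything but WKT syntax.
 */
function polygon_wkt(array $points): string
{
    if (count($points) < 3) {
        throw new InvalidArgumentException('a polygon needs at least 3 points');
    }
    $coords = [];
    foreach ($points as $p) {
        if (!is_array($p) || count($p) !== 2
            || !is_numeric($p[0]) || !is_numeric($p[1])
            || !is_finite((float)$p[0]) || !is_finite((float)$p[1])) {
            throw new InvalidArgumentException('each point must be a [lat, lon] pair of finite numbers');
        }
        $coords[] = sprintf('%.15F %.15F', (float)$p[0], (float)$p[1]);
    }
    if ($coords[0] !== end($coords)) {
        $coords[] = $coords[0]; // close the ring
    }
    return 'POLYGON((' . implode(', ', $coords) . '))';
}

/** Insert one polygon row; the placeholder is the function argument, unquoted. */
function insert_polygon(PDO $pdo, int $userId, array $points, string $type): bool
{
    $sql = 'INSERT INTO ' . POLYGON_TABLE . ' (user_id, polygon, polygon_type)
            VALUES (:userId, PolygonFromText(:polygonArea), :polygonType)';
    $sth = $pdo->prepare($sql);
    $sth->bindValue(':userId', $userId, PDO::PARAM_INT);
    $sth->bindValue(':polygonArea', polygon_wkt($points), PDO::PARAM_STR);
    $sth->bindValue(':polygonType', $type, PDO::PARAM_STR);
    return $sth->execute();
}

// Constructed sample using the coordinates shown in the question.
$points = [
    [53.897910476098765, -1.739655277929728],
    [53.865530797116,    -2.080231449804728],
    [53.67235280490181,  -2.006073734960978],
    [53.68862047002787,  -1.621552250585978],
    [53.89305512284903,  -1.539154789648478],
];
echo polygon_wkt($points), "\n";

// With a live MySQL connection (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app', $user, $pass,
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// insert_polygon($pdo, 1, $points, 'commute');
```

Binding the value this way keeps the WKT out of the SQL text entirely, so the "last resort" of concatenating getPolygonAsText() into the query is never needed.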

Mysqli Prepared Statement in bindParam() not working

Just as usual I was looking around best practices with PHP, and prepared statements seem the kind of stuff I should know how to do with my eyes closed. So I started playing around with some examples I've found.
I've got this error when running the script:
Fatal error: Call to a member function bindParam() on a non-object in /opt/lampp/htdocs/phpSecurity/PreparedStatments/Insert-Multi-Binded-Params/Insert Simple Method.php on line 10
Here it goes the code.
Insert Simple Method.php
<?php
require_once '../config.php';
$stmt = $db->prepare("INSERT INTO coisas (nome, telefone, bi) VALUES (?, ?, ?)");
$nome = 'Fabio Antunes';
$telefone = 916810641;
$bi = 123093456;
$stmt->bindParam(1, $nome);
$stmt->bindParam(2, $telefone);
$stmt->bindParam(3, $bi);
$stmt->execute();
$stmt->close();
$db->close();
?>
config.php
<?php
$server_host = 'localhost';
$server_user = 'root';
$server_password = '';
$server_db = 'PreparedStatements';
$db = new mysqli($server_host, $server_user, $server_password, $server_db);
?>
Not sure what I'm doing wrong here, this is a similar example to the one found at php.net, why isn't it working?
PS: I think the mysqli connection isn't the problem because I've used it to do some prepared statements with SELECT SQL commands. And they worked pretty well.
EDIT
The Resolution and why.
Well, in the example I should use bind_param() for each value in the query. But thanks to Bart, he managed to solve the problem with my code.
Where it is:
$stmt->bindParam(1, $nome);
$stmt->bindParam(2, $telefone);
$stmt->bindParam(3, $bi);
It should be:
$stmt->bind_param("sii", $nome, $telefone, $bi);
Now for those who might be wondering what "sii" is.
Well, bind_param, from what I see, binds the "$var" to each question mark "?" in order.
So with one bind_param() I can bind them all at the same time, and the normal use of bind_param() requires specifying the type of data being bound.
My first value to be bound is $nome, a String, specified by the "s";
And the others, $telefone and $bi, are Integers, for which there is "i";
For others that have a similar problem here it goes other data types (from php.net).
i = Integer;
s = String;
d = Double;
b = Blob;
If someone has a better explanation please post it or comment. So I can improve my own.
Thanks.
You may think there's nothing wrong with the connection, but you should check to make sure:
$db = new mysqli($server_host, $server_user, $server_password, $server_db);
if (mysqli_connect_errno()) {
printf("DB error: %s", mysqli_connect_error());
exit();
}
EDIT:
What happens when you do:
$stmt = $db->prepare("INSERT INTO coisas (nome, telefone, bi) VALUES (?, ?, ?)");
$stmt->bind_param("sii", $nome, $telefone, $bi);
$stmt->execute();
?
Is the table coisas spelled properly?
do a print_r on $stmt after you get it back on line 4. Is it a real object? I am guessing no.
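Added example, not code from this question, its answer, or the Parks question above: both threads hit the same failure, prepare() returning false and the later bind_param() call blowing up on a non-object. Switching mysqli to exception mode makes the failing prepare() throw with the server's reason, and deriving the type string from the values removes the 'name' versus 's' confusion. The table "coisas", its columns and the connection values come from the question; bind_types(), assert_identifier() and insert_row() are my own helper names, and the spread form of bind_param() needs PHP 5.6 or later.

```php
<?php
// Added example (not from the posts above): mysqli prepared INSERT with
// exception-based error reporting and a type string built from the values.

declare(strict_types=1);

// Connection, prepare and execute errors now raise mysqli_sql_exception
// instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Build the bind_param() type string from the values themselves:
 * i = integer, d = double, s = string. (b = blob is sent in chunks with
 * send_long_data() and is not handled here.)
 */
function bind_types(array $values): string
{
    $types = '';
    foreach ($values as $v) {
        $types .= is_int($v) ? 'i' : (is_float($v) ? 'd' : 's');
    }
    return $types;
}

/** Table and column names are never user input; reject anything but a plain name. */
function assert_identifier(string $name): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("invalid SQL identifier: $name");
    }
}

/** Prepare, bind and execute an INSERT with ? placeholders; returns affected rows. */
function insert_row(mysqli $db, string $table, array $row): int
{
    assert_identifier($table);
    foreach (array_keys($row) as $col) {
        assert_identifier((string)$col);
    }
    $cols  = implode(', ', array_map(fn($c) => "`{$c}`", array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $sql   = "INSERT INTO `{$table}` ({$cols}) VALUES ({$marks})";

    $stmt   = $db->prepare($sql);              // throws if the server rejects the SQL
    $values = array_values($row);
    $stmt->bind_param(bind_types($values), ...$values); // one call binds every ? in order
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

try {
    $db = new mysqli('localhost', 'root', '', 'PreparedStatements');
    $n  = insert_row($db, 'coisas', [
        'nome'     => 'Fabio Antunes',   // bound as s
        'telefone' => 916810641,         // bound as i
        'bi'       => 123093456,         // bound as i
    ]);
    echo "inserted {$n} row(s)\n";
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Keep driver details in the server log; the browser gets a generic message.
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    echo "Could not save the record.\n";
}
```

With MYSQLI_REPORT_STRICT in place a misspelled table name (the "Is the table coisas spelled properly?" check above) surfaces as an exception at the prepare() line, with the server's own error text, rather than as a non-object error three lines later.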
