PDO MYSQL update not working - php

I am having problems getting an sql query correct to update user profiles. I use (basically) the same query to INSERT the data and it works fine (just without the WHERE id=clientid and without clientid in the execute array). The query below does not update any data in the database.
I tested and made sure that all the variables are being posted and they are. As a sidenote, is this query safe from sql injection?
$conn = new PDO("mysql:host=$DB_HOST;dbname=$DB_DATABASE",$DB_USER,$DB_PASSWORD);
// Deal with the POST variables here...(excluded)
$sql = "UPDATE clients (firstname, lastname, origincountry, dob, gender, email, phone, address, postal, city, province, referred, notes)
VALUES (:firstname, :lastname, :origincountry, :dob, :gender, :email, :phone, :address, :postal, :city, :province, :referred, :notes)
WHERE id = :clientid" ;
$q = $conn->prepare($sql);
$q->execute(array(':firstname'=>$firstname,
':lastname'=>$lastname,
':origincountry'=>$origincountry,
':dob'=>$dob,
':gender'=>$gender,
':email'=>$email,
':phone'=>$phone,
':address'=>$address,
':postal'=>$postal,
':city'=>$city,
':province'=>$province,
':referred'=>$referred,
':notes'=>$notes,
':clientid'=>$clientid));

Your SQL is invalid. See UPDATE. (thanks to #rambocoder for pointing that out).
Use this SQL:
UPDATE clients SET firstname = :firstname, lastname = :lastname, origincountry = :origincountry, dob = :dob, gender = :gender, email = :email, phone = :phone, address = :address, postal = :postal, city = :city, province = :province, referred = :referred, notes = :notes
WHERE id = :clientid
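An added example (not code from the question or the answer above) that runs the corrected UPDATE ... SET form end to end: values reach the database only as bound parameters, and column names, which cannot be bound, are checked against a fixed allow-list. The in-memory SQLite database, the cut-down clients table and the helper updateClient() are assumptions made so the example runs offline; the sample row and input are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT, notes TEXT)');
$pdo->exec("INSERT INTO clients (id, firstname, lastname, email, notes) VALUES (1, 'Ann', 'Lee', 'ann@example.test', '')");

// Identifiers cannot be bound, so only these column names may reach the SQL text.
const UPDATABLE = ['firstname', 'lastname', 'email', 'notes'];

// Hypothetical helper: update the allow-listed columns of one client row.
function updateClient(PDO $pdo, int $clientId, array $input): int
{
    // Keep only allow-listed keys; anything else in the request data is ignored.
    $fields = array_intersect_key($input, array_flip(UPDATABLE));
    if ($fields === []) {
        return 0;
    }
    $set = [];
    $params = [':clientid' => $clientId];
    foreach ($fields as $column => $value) {
        $set[] = "$column = :$column";     // UPDATE ... SET col = :col
        $params[":$column"] = $value;      // the value is sent as data, never as SQL
    }
    $stmt = $pdo->prepare('UPDATE clients SET ' . implode(', ', $set) . ' WHERE id = :clientid');
    $stmt->execute($params);
    return $stmt->rowCount();              // 0 means no row matched the id
}

// Constructed input: a value shaped like SQL, plus two keys that are not updatable.
$post = ['lastname' => "x', notes = 'changed' --", 'id' => 99, 'is_admin' => 1];
$changed = updateClient($pdo, 1, $post);
$row = $pdo->query('SELECT id, lastname, notes FROM clients')->fetch(PDO::FETCH_ASSOC);
var_dump($changed, $row);
```

On MySQL, rowCount() by default counts only rows whose values actually changed, so rewriting a row with identical values also reports 0.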

Related

Getting error PDO/SQL

I'm getting the following error
Link to DBconfig.php ->
Link to code ->
Can you guys please help me ;)
thank you!
My code ->
<?php
include '../header.php';
include '../dbconfig.php';
if(isset($_POST['registreer'])){
$naam = $_POST['naam'];
$email = $_POST['email'];
$wachtwoord = $_POST['wachtwoord'];
$insert = $db->prepare("INSERT INTO klant(naam, adres, postcode, email, password)
values(:name, :adres, :postcode, :woonplaats, :email, :pass) ");
$insert->bindParam(':naam',$naam);
$insert->bindParam(':adres',$adres);
$insert->bindParam(':postcode',$postcode);
$insert->bindParam(':woonplaats',$woonplaats);
$insert->bindParam(':email',$email);
$insert->bindParam(':wachtwoord',$wachtwoord);
$insert->execute();
}
?>
values(:name, :adres, :postcode, :woonplaats, :email, :pass) ");
You have parameters :name and :pass but in your bindings you have spelled them in Dutch:
$insert->bindParam(':naam',$naam);
$insert->bindParam(':wachtwoord',$wachtwoord);
PDO doesn't know how to translate parameter names between English and Dutch. :-)
You are sending too many parameters.
$insert = $db->prepare("INSERT INTO klant(naam, adres, postcode, email, password) values(:name, :adres, :postcode, :woonplaats, :email, :pass) ");
You have the insert into " naam, adres, postcode, email and password" (that's 5)
And you are trying to insert 6 values.
"Name, adres, postcode, woonplaats, email and pass".
Sorry for the poor formatting, I am on mobile.

PDO/PHP - bindValue does not seem to be working

According to everything I've found and seen, this seems correct. When I print $query the outcome is the following:
"INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (?,?,?,?,?,?,?,?,?)"
The parameters should have been filled in with the variables in bindValues(). So, for example ...
INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (Bill, A, Hopkins, 123 Ave, ....)
I'd like to stick with this method - it is surrounded by a try/catch block. From printing the query variable out I can see that is where the issue is.
What am I missing? I really appreciate you looking!
$query = 'INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (?,?,?,?,?,?,?,?,?)';
echo $query;
$statement = $db->prepare($query);
$statement->bindValue(1, $firstName);
$statement->bindValue(2, $middle);
$statement->bindValue(3, $lastName);
$statement->bindValue(4, $address);
$statement->bindValue(5, $city);
$statement->bindValue(6, $state);
$statement->bindValue(7, $zip);
$statement->bindValue(8, $email);
$statement->bindValue(9, $gender);
$success = ($statement->execute());
We need more code considering the error but you can try this with prepared statements:
$query = 'INSERT INTO customers (FirstName, MiddleInit, LastName, Address, City, State, Zip, Email, Gender) VALUES (:firstName, :middle, :lastName, :address, :city, :state, :zip, :email, :gender)';
$statement = $db->prepare($query);
$statement->execute(array(':firstName'=>$firstName, ':middle'=>$middle, ':lastName'=>$lastName, ':address'=>$address, ':city'=>$city, ':state'=>$state, ':zip'=>$zip, ':email'=>$email, ':gender'=>$gender));

Using PDO and failing to insert a record

I am having a slight issue adding a record into the database.
For some reason it is not adding the record into the database.
I have a form in HTML and serialize it with jQuery to use in an AJAX request. I know this works as I used to use it with the old mysql commands.
This is what I have in the insert.php file:
$ln=($_POST['lastname']);
$fn=($_POST['firstname']);
$dob=($_POST['dob']);
$un=($_POST['username']);
$a1=($_POST['address1']);
$a2=($_POST['address2']);
$town=($_POST['town']);
$county=($_POST['county']);
$pc=($_POST['postcode']);
$country=($_POST['country']);
$lat=($_POST['lat']);
$lng=($_POST['lng']);
$lp=($_POST['landline']);
$mp=($_POST['mobile']);
$e1=($_POST['email1']);
$e2=($_POST['email2']);
$web=($_POST['web']);
$notes=($_POST['notes']);
$fb=($_POST['fbid']);
$tw=($_POST['twitter']);
$cat=($_POST['cat']);
$it=($_POST['Time']);
$idate=($_POST['Date']);
$iip=($_POST['ipaddress']);
$ib=($_POST['browser']);
$ios=($_POST['os']);
These are the posted values being used from the form.
I then have the following queries (I have 5 different ones as they are writing to 5 tables). As I say, this worked with the old mysql commands, but not the PDO commands.
$sqlp = $conn->prepare("INSERT INTO ".PERSON." (lastname, firstname, dob, adbkid) VALUES(:ln, :fn, :dob, :un)");
$sqlp->execute();
$idp = $conn->lastInsertId();
$sqla = $conn->prepare("INSERT INTO ".ADDRESS." (address1, address2, town, county, postcode, country, lat, lng, personID) VALUES (:a1, :a2, :town, :county, :pc, :country, :lat, :lng, :un)");
$sqla->execute();
$ida = $conn->lastInsertId();
$sqlc = $conn->prepare("INSERT INTO ".CONTACT." (landline, mobile, email1, email2, personID) VALUES (:lp, :mp, :e1, :e2, :un)");
$sqlc->execute();
$idc = $conn->lastInsertId();
$sqlm = $conn->prepare("INSERT INTO ".MISC." (web, notes, photo, fbid, twitter, cat, personID) VALUES (:web, :notes, :pic, :fb, :tw, :cat, :un)");
$sqlm->execute();
$idm = $conn->lastInsertId();
$sqlv = $conn->prepare("INSERT INTO ".VARI." (Time, Date, ipaddress, browser, os, personID) VALUES (:it, :idate, :ip, :ib, :ios, :un)");
$sqlv->execute();
$idv = $conn->lastInsertId();
$sqlp->bindValue(':ln', $ln);
$sqlp->bindValue(':fn', $fn);
$sqlp->bindValue(':dob', $dob);
$sqlp->bindValue(':un', $un);
$sqla->bindValue(':a1', $a1);
$sqla->bindValue(':a2', $a2);
$sqla->bindValue(':town', $town);
$sqla->bindValue(':county', $county);
$sqla->bindValue(':pc', $pc);
$sqla->bindValue(':country', $country);
$sqla->bindValue(':lat', $lat);
$sqla->bindValue(':lng', $lng);
$sqlc->bindValue(':lp', $lp);
$sqlc->bindValue(':mp', $mp);
$sqlc->bindValue(':e1', $e1);
$sqlc->bindValue(':e2', $e2);
$sqlm ->bindValue(':web', $web);
$sqlm ->bindValue(':notes', $notes);
$sqlm ->bindValue(':pic', $pic);
$sqlm ->bindValue(':fb', $fb);
$sqlm ->bindValue(':tw', $tw);
$sqlm ->bindValue(':cat', $cat);
$sqlv ->bindValue(':it', $it);
$sqlv ->bindValue(':idate', $idate);
$sqlv ->bindValue(':iip', $iip);
$sqlv ->bindValue(':ib', $ib);
$sqlv ->bindValue(':ios', $ios);
I have run these with a try catch to see if I can figure out what is going on and I get the following error:
"SQLSTATE[HY093]: Invalid parameter number: no parameters were bound"
I have echoed out what is being put into each of the values and it corresponds with what I have entered into the form.
I am also trying to echo out the last inserted IDs for each table and it isn't echoing that out.
I have had a look around Google and php.net and here and from what I read I am doing everything as they say I should be.
I am at a loss as to what is happening.
If you had any pointers they would be most welcome.
You have to bind the params first and then execute it,
i.e.:
$sqlp = $conn->prepare("INSERT INTO ".PERSON." (lastname, firstname, dob, adbkid) VALUES(:ln, :fn, :dob, :un)");
$sqlp->bindValue(':ln', $ln);
$sqlp->bindValue(':fn', $fn);
$sqlp->bindValue(':dob', $dob);
$sqlp->bindValue(':un', $un);
$sqlp->execute();
$idp = $conn->lastInsertId();
...
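The ordering the answer describes, as an added example that is not the poster's code: each statement is prepared, bound and only then executed, and the inserts share one transaction so a failure in the second does not leave an orphaned first row. The in-memory SQLite database, the cut-down person and address tables, the use of lastInsertId() as personID and the helper addPerson() are assumptions; the sample data is constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$conn = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$conn->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL, firstname TEXT NOT NULL)');
$conn->exec('CREATE TABLE address (id INTEGER PRIMARY KEY, town TEXT NOT NULL, postcode TEXT NOT NULL, personID INTEGER NOT NULL)');

// Hypothetical helper: insert a person and their address atomically.
function addPerson(PDO $conn, array $in): ?int
{
    $conn->beginTransaction();
    try {
        // prepare -> bind -> execute, in that order, for each statement
        $sqlp = $conn->prepare('INSERT INTO person (lastname, firstname) VALUES (:ln, :fn)');
        $sqlp->bindValue(':ln', $in['lastname']);
        $sqlp->bindValue(':fn', $in['firstname']);
        $sqlp->execute();
        $idp = (int) $conn->lastInsertId();    // read the id right after its INSERT

        $sqla = $conn->prepare('INSERT INTO address (town, postcode, personID) VALUES (:town, :pc, :pid)');
        $sqla->bindValue(':town', $in['town']);
        $sqla->bindValue(':pc', $in['postcode']);
        $sqla->bindValue(':pid', $idp, PDO::PARAM_INT);
        $sqla->execute();

        $conn->commit();
        return $idp;
    } catch (PDOException $e) {
        $conn->rollBack();                     // undo the person row if the address failed
        error_log($e->getMessage());           // log server-side; do not echo SQL errors to the client
        return null;
    }
}

// Constructed input; the second record has no postcode, so its address INSERT fails.
$ok  = addPerson($conn, ['lastname' => 'Hopkins', 'firstname' => 'Bill', 'town' => 'Leeds', 'postcode' => 'LS1 1AA']);
$bad = addPerson($conn, ['lastname' => 'Smith', 'firstname' => 'Jo', 'town' => 'York', 'postcode' => null]);
$count = $conn->query('SELECT COUNT(*) FROM person')->fetchColumn();
var_dump($ok, $bad, $count);
```

The failed second call returns null and leaves a single row in person, because the rollback removes the half-written record.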

PDO insert statement not posting

I don't get any errors, but when I refresh my database nothing seems to be going through. The connection credentials are definitely correct.
$query = $pdo->prepare('INSERT INTO direct_transfer (fname, lname, add, city, post, country, email, nummag, donate) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array(':fname'=>$fname,
':lname'=>$lname,
':add'=>$add,
':city'=>$city,
':post'=>$post,
':country'=>$country,
':email'=>$email,
':nummag'=>$nummag,
':donate'=>$donate));
When you use reserved words in mysql, you need to escape them in backticks:
... (fname, lname, `add`, city, post, country, email, nummag, donate) ...
You should also add error handling so that PDO tells you right away what is wrong.
You can tell PDO to throw exceptions by adding this after you connect to the database:
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
You can also set the error handling mode when you open the connection, see the manual.
Without ':' in the array.
$query = $pdo->prepare('INSERT INTO `direct_transfer` (`fname`, `lname`, `add`, `city`, `post`, `country`, `email`, `nummag`, `donate`) VALUES (:fname, :lname, :add, :city, :post, :country, :email, :nummag, :donate)');
$query->execute(array('fname'=>$fname,
'lname'=>$lname,
'add'=>$add,
'city'=>$city,
'post'=>$post,
'country'=>$country,
'email'=>$email,
'nummag'=>$nummag,
'donate'=>$donate));

insert data from select query results with other external/posted variables

How can I insert data from query results and other variables in one insert query?
sample:
$id = $_POST['id'];
$address = $_POST['address'];
$email = $_POST['email'];
$query = "INSERT INTO info_table(fname, lname, address, email) VALUES (SELECT fname, lname, FROM info WHERE id = '$id')";
$result = $db->prepare($query);
$result->execute();
How can I insert $address and $email together with the select results variables?
This should do the trick for the query:
INSERT INTO info_table (
fname,
lname,
address,
email
)
SELECT
fname,
lname,
:address,
:email
FROM
info
WHERE
id = :id
You aren't using the prepare right here. You really should bind to the parameters :address, :email, and :id
$result = $db->prepare($query);
$result->bindParam(':id', $id, PDO::PARAM_STR);
$result->bindParam(':email', $email, PDO::PARAM_STR);
$result->bindParam(':address', $address, PDO::PARAM_STR);
$result->execute();
Answering precisely to your question:
$query = "INSERT INTO MyInsecureTable (fname, lname, address, email) SELECT fname, lname, '$address', '$email' FROM info WHERE id = '$id'";
But it scares the . out of me.
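An added example (not code from either answer above) of the INSERT ... SELECT with bound values, run next to the same statement with its placeholders wrapped in quotes to show why they must be written bare. The in-memory SQLite database, the cut-down info and info_table tables and the helper runCopy() are assumptions; the row and the request data are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE info (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');
$db->exec('CREATE TABLE info_table (fname TEXT, lname TEXT, address TEXT, email TEXT)');
$db->exec("INSERT INTO info (id, fname, lname) VALUES (7, 'Bill', 'Hopkins')");   // constructed row

// Hypothetical helper: prepare, bind every supplied value, execute, report rows inserted.
function runCopy(PDO $db, string $sql, array $params): int
{
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

$head = 'INSERT INTO info_table (fname, lname, address, email) SELECT fname, lname, ';

// Quoted: ':address', ':email' and ':id' are ordinary string literals, so nothing can be
// bound and the WHERE clause compares id with the text ":id".
$quoted = $head . "':address', ':email' FROM info WHERE id = ':id'";
// Bare: three real placeholders that take their values from bindValue().
$bare = $head . ':address, :email FROM info WHERE id = :id';

// Constructed request data; the id must be a genuine integer before it is used.
$post = ['id' => '7', 'address' => "12 O'Neil Rd", 'email' => 'bill@example.test'];
$id = filter_var($post['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    exit('invalid id');
}

$insertedQuoted = runCopy($db, $quoted, []);
$insertedBare = runCopy($db, $bare, [':address' => $post['address'], ':email' => $post['email'], ':id' => $id]);
$rows = $db->query('SELECT * FROM info_table')->fetchAll(PDO::FETCH_ASSOC);
var_dump($insertedQuoted, $insertedBare, $rows);
```

The quoted form inserts no row here because no id equals the text ":id"; the bare form copies the name columns and stores the address, apostrophe included, as data.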
