Ok, before I get started I just want to say that I've read every answer on this site pertaining to this issue, and I still can't get it right. I know PHP is throwing this error because the prepare statement is not returning an object. I just have no idea why. Here's my code:
$stmt = $this->db->prepare("INSERT INTO locations (type, time, street, city, state, country, age, admission, rsvp_limit, keyword1, keyword2, keyword3, description, latitude, longitude, date_posted, member_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, now(), '1')");
var_dump($stmt);
if (!$stmt->bind_param("sssssssiissssdd", $type, $date, $street, $city, $state, $country, $age, $admission, $rsvp, $keyword1, $keyword2, $keyword3, $description, $latitude, $longitude)) {
throw new ErrorException($stmt->error, $stmt->errno);
}
$stmt->execute();
$stmt->close();
Here's the values being echoed that are sent to this statement:
TYPE: Party DATE: 1969-12-31 19:12:00 STREET: 50 Barret Parkway CITY: Marietta STATE: Georgia COUNTRY: United States AGE: 25+ ADMISSION: 20 RSVP: 1000 KEYWORD1: key1test KEYWORD2: key2test KEYWORD3: key3test DESCRIPTION: Description test LATITUDE: 33.950500 LONGITUDE: -84.535900
Now keep in mind, the previous string is just an echo string so the all caps words are not actually being sent to the db, just the statements after the colons. I've 20-drupled check the database and all the spellings are correct to the rows in the db all with adequate space and the correct types.
I've been staring at this problem for the past 5 hours while taking breaks to scour the internet for an answer and I draw blanks. Anybody know what's up. If it's any consolation I can add fields in to the database manually by hand and retrieve them with a $_GET variable just fine.
Related
Testing the statement from all side, but failed to find a solution for it.
// Insert the new user into the database
if( $insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)")){
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2,
$reg_ip, $random_salt, $countryname, $ref_code, $hashed_pin, $user_id3,
$user_id4);
$insert_stmt->execute();
This never executes or gets inside the if statement.
I debugged it by removing the if part, that shows bind_param() is boolean error.
$insert_stmt = $mysqli->prepare("INSERT INTO client (username, email,
password, reg_ip, salt, country, ref_id, pin, ref_by, ref_by_2) VALUES ( ?,
?, ?, ?, ?, ?, ?, ?, ?, ?)");
$insert_stmt->bind_param("ssssssssii", $username, $email, $pass_2, $reg_ip,
$random_salt, $countryname, $ref_code, $hashed_pin, $user_id3, $user_id4);
if($insert_stmt->execute()){
Fatal error: Call to a member function bind_param() on boolean
I have done following test:
All 10 variables data type test = OK (with gettype() function)
Variables data value = OK (printed all data value for checking)
Mysql query statement = OK (tested on MYSQL directly with inputted data, mysql is inserting values)
There is no syntax error either.
Variable alignment is = Ok
Data connection is = ok (as it runs other prepare statements without errors on same page)
Then where is the mistake?
I figure it out.
Solution:
It was not working because of the previous prepare statement $stmt_aff connection was not closed.
Once I closed it. Next Prepare statement $insert_stmt started working.
A good lesson learned why bind_param boolean error get produced if there are multiple prepare statement on the same page.
$stmt_aff->close();
I am receiving error 'Number of variables doesn't match number of parameters in prepared statement'
$stmt = $this->conn->prepare( "INSERT INTO user
(
st1, u1, e1, sa1,
h1, roles_id, name_titles_id, first_name,
last_name, phone, mobile, address_road,
address_area, address_region, post_code, city,
country_id, creation_date, activated_at, modified_date_time,
created_by, referred_by, gender, ad1, status
)
VALUES
(
?, ?, ?, ?,
?, ?, ?, ?,
?, ?, ?, ?,
?, ?, ?, ?,
?, ?, ?, ?,
?, ?, ?, ?, ?
)"
)
$stmt->bind_param('i',$st1);
$stmt->bind_param('s',$u1);
$stmt->bind_param('s',$e1);
$stmt->bind_param('s',$sa1);
$stmt->bind_param('s',$h1);
$stmt->bind_param('i',$roles_id);
$stmt->bind_param('i',$name_titles_id);
$stmt->bind_param('s',$first_name);
$stmt->bind_param('s',$last_name);
$stmt->bind_param('s',$phone);
$stmt->bind_param('s',$mobile);
$stmt->bind_param('s',$address_road);
$stmt->bind_param('s',$address_area);
$stmt->bind_param('s',$address_region);
$stmt->bind_param('s',$post_code);
$stmt->bind_param('s',$city);
$stmt->bind_param('i',$country_id);
$stmt->bind_param('s',$creation_date);
$stmt->bind_param('s',$activated_at);
$stmt->bind_param('s',$modified_date_time);
$stmt->bind_param('i',$created_by);
$stmt->bind_param('i',$referred_by);
$stmt->bind_param('s',$gender);
$stmt->bind_param('s',$ad1);
$stmt->bind_param('i',$status);
Edit:
Just make a small test and it confirms, we can't use multiple bind_param with mysqli.
Not work:
$stmt->bind_param('s',$a);
$stmt->bind_param('s',$b);
Work:
$stmt->bind_param('ss',$a, $b);
Hopefully it'll be useful for future searches.
Your problem is simple. You are trying to do the thing manually, while the number of data asks for the automated process. You have to make a program to create a query for you.
Suppose You have an array with data already. All you need is to define the list of fields to insert
$fields = "st1,u1,e1,sa1,h1,roles_id,name_titles_id,first_name,last_name,phone,";
$fields .= "mobile,address_road,address_area,address_region,post_code,city,";
$fields .= "country_id,creation_date,activated_at,modified_date_time,";
$fields .= "created_by,referred_by,gender,ad1,status" ;
$fields = explode(",",$fields);
and then use some programming. Luckily, it's already done:
include 'safemysql.class.php';
$db = new safeMysql();
$insert = $db->filterArray($_POST,$fields);
$db->query("INSERT INTO user SET ?u", $insert);
And yeah, you are using bind_param wrong way. Correct usage can be seen in the manual page.
Im currently using mysqli, and I want a way to properly sanitize every single user input. Im looking for the most simple lightweight way to do this, as I understand that Im NOT supposed to use mysql_real_escape....
my query is like so
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
as i understand i'm supposed to use the function bindParam... If i use it like so, am i completley securing my user inputs?
$stmt->bind_param('sssssssss', $_POST[msg], ('$ip'), ('$date'), '$_POST[main]', '$_POST[twit]', ('$cit'), ('$lat'), ('$lon'), '$_POST[lang]');
$stmt->execute();
$stmt->close();
If this isn't securing my user inputs how do i properly do so?
You need to prepare the statement to be safe. Something like below (its probably not 100% but gives you an idea)
$sql = new mysqli("localhost", "my_user", "my_password", "world");
$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssssssss",$_POST[msg], $ip, $date, $_POST[main], $_POST[twit], $cit, $lat, $lon, $_POST[lang]);
$stmt->execute();
First of all you have to follow basic PHP syntax
'$_POST[msg]' would be inserted as a literal $_POST[msg] string, while you expecting a value for $_POST['msg'] variable.
I'm building a simple "little" movie cataloging database system for my own use. The problem right now is that I've got a mySQL query that works MOST of the time but not all. Basically it works by using a 3rd party IMDB API. I use that to search and pull the values I need which works just fine. It displays on my preview screen and everything. The problem I'm running into that that while most movies work, a few do not and I can't figure out the reason.
For example, The Fellowship of the Ring stores just fine while The Return of the King simply won't pass the query. I can't find any differences.
Here's my query:
$query = "INSERT INTO movies
(title, year, releaseDate, actors, image, runtime, genre, director, rating, watchedDate, category, series, comments, owned, ownedFormat, seen, plot, favorite, uploadDate)
VALUES ('$title', '$year', '$releaseDate', '$actors', '$newImg', '$runtime', '$genre', '$director', '$rating', '$watchedDate', '$category', '$series', '$comments', '$owned', '$ownedFormat', '$seen', '$plot', '$favorite', '$curDate')";
mysql_query($query) or die ('Error');
I'm not sure what else I need to provide. It seems like some kind of difference in the movies is causing the error but I don't know.
Thanks!
** EDIT ***
So I tried switching over to mysqli. Here's my new code:
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO movies (title, year, releaseDate, actors, image, runtime, genre, director, rating, watchedDate, category, series, comments, owned, ownedFormat, seen, plot, favorite, uploadDate) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
/* Bind our params */
$stmt->bind_param('sssssssssssssssssis', $title, $year, $releaseDate, $actors, $newImg, $runtime, $genre, $director, $rating, $watchedDate, $category, $series, $comments, $owned, $ownedFormat, $seen, $plot, $favorite, $curDate);
/* Execute the prepared Statement */
$stmt->execute();
/* Echo results */
echo "Inserted {$title} into database\n";
}
However, now i'm getting an error that reads:
Fatal error: Call to a member function prepare() on a non-object on the line where the if statement starts.
I'm assuming this is because something my query isn't an object?
Thanks
The most likely reason for this is that you are putting the raw values between single quotes. If one of the values has a single quote in it, then you will get a syntax error.
A better way to do what you want is by binding parameters. You can read more about that here.
Without more information about the actually returned value it is hard to say. It is possible that the returned value contains a character that breaks your code such as a semicolon or quote. Try stripping all non alphanumeric characters away using regex.
$result = preg_replace("/[^a-zA-Z0-9]+/", "", $s);
And you have a sql injection vulnerablility. Consider using PDO instead of the depreciacted mysql functions.
http://php.net/manual/en/book.pdo.php
Using the code
# the data we want to insert
$data = array($first_name, $last_name, $email_from, $telephone, $dateofbirth, $addresslone, $addressltwo, $townnm, $countynm, $typeapp, $issubscribed);
$STH = $dbh->prepare("INSERT INTO members (fname, sname, email, phone, dob, addressl1, addressl2, town, county, type, subscribed) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$STH->execute($data);
?>
<!--<!DOCTYPE html>
<head><title></title></head><body> commented out during testing -->
Thank you for contacting us We will be in touch with you very soon.
<!-- </body></html> -->
The user is presented with the success message:
Thank you for contacting us We will be in touch with you very soon.
There are no php errors recorded.
This is to insert into this database
Error reporting is in the form of the PDO try catch:
catch(PDOException $e)
{
echo $e->getMessage();
}
Despite it looking as if it is working perfectly, however, the database seems unable to receive updates. :/
As per your database structure screenshot, table name is member and you used members into your insert query