What am I missing? - PDO + transaction +multiple queries - - php

UPDATED - SEE THE ADDITION BELOW
OK, straight away, I'm not a developer (maybe someday), I know almost nothing, classes, functions, methods, wrappers, foos, bars, and most of all OOP confuse the ever-loving-S out of me. That being said, I'm sure there are lots of things I could do better, and invite your criticism and knowledge. However...
My specific question is this: Am I missing some vital condition of the interaction between the WSDL I'm receiving the data from, and the PHP+PDO, MySQL combo, and everything is going to fall apart as soon as I push?
The three tables in the code below must normalize a rather large dataset received via a clients Web Service, this portion is an automated process (cron job) that pulls code from 6 other files. I had to make some changes to the database to accommodate a new client, and I figured WTH, let's give PDO a try again. Only now I don't feel like I'm nearly confused enough by the code I see for it to possibly be doing it right (yes I've tested it many times today, multiple imports, all went off without a hitch) I'm getting ready to push the latest update sometime tomorrow, and I'm honestly a little worried I missed something major, and will wind up with a bunch of corrupt data while I'm out of town this week. Sorry if it seems unimportant, but I've spent alot of time on sites like these, and knowing as little as I do, most of the info either assumes too much, or dives into things I'm not competent in yet (see list at top).
Did I do something wrong here, or is this exactly why PDO is awesome? If no, can I do this more eloquently? Am I missing some circumstance in which ON DUPLICATE KEY UPDATE is not going to keep doing it's job etc...?
FYI: The last table has no unique data in it except my autonumber primary. There is a composite unique key made from 3 fields including a foreign from the previous insert. Business rules allow for this type of reasoning. All 3 are related, table1 is the ultimate parent of them, 2 the next etc...
<pre><code><?php
// connect to db Mysqli style
require_once 'MysqliCurrentLoginQuery.file'; //get the variables not supplied below
/*~~~~~~~~~~~~~~~~SET YOUR VARIABLES HERE~~~~~~~~~~~~~~~~~*/
/*A bunch of soap variables to be passed to MySOAPReq.file*/
/*~~~~~~~~~~~~~~~~SET YOUR VARIABLES HERE~~~~~~~~~~~~~~~~~*/
require_once 'MySOAPRequest.file'; //This is where $soapresult is passed from
//convert array to ph objects for use in prepared stmt
$xmlResponse = new SimpleXMLElement($soapresult);
foreach ($xmlResponse->xmlWorkOrders->workOrder as $order) {
try {
require 'MyPDOdbConfigAndConnection.file'; //where $conn is passed from
$conn->beginTransaction();
try {
$query1 = "INSERT INTO table(`id`,`b`,`c`,`d`)
VALUES ('" . "','". 1 . "','". 1 . "','". $order->D . "')
ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id),d=$order->D";
$result1 = $conn->prepare($query1);
$result1->execute();
$lastid = $conn->lastInsertID();
} catch(PDOExecption $e) {
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
try {
$query2 = "INSERT INTO table2(`id`, `f`, `g`)
VALUES ('" . "','" . $order->F . "','" . $lastid . "')
ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id), f=$order->F";
$result2 = $conn->prepare($query2);
$result2->execute();
$lastid = $conn->lastInsertID();
print "<br />" . $conn->lastInsertID() . "<br />";
} catch(PDOExecption $e) {
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
try {
$dnsdateparts=explode(' ',$order->H);
$query3 = "INSERT INTO table3(`id`, `g`, `h`, `i`)
VALUES ('" . "','" . $order->G . "', STR_TO_DATE('" . $dateparts[0] . "','%m/%d/%Y'),'" . $dateparts[1] . "')
ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id), g=G, h=H, i=$lastid";
$result3 = $conn->prepare($query3);
$result3->execute();
$conn->commit();
} catch(PDOExecption $e) {
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
} catch( PDOExecption $e ) {
print "Error!: " . $e->getMessage() . "</br>";
}
}
?><code><pre>
ADDITION
UPDATE To appease the Gods of forumland, here is what I learned. Also for the 1 guy 3 years from now who will actually read this, and be mad it was never answered! This is for you dude!
First of all, I still can't do classes right, OOP is a difficult jump for my brain for some reason, but if they will change my code-life as much as functions did, I can't wait (yes I did finally wrap my simple mind around functions, sort of).
PDO IS AWESOME!!!
Un-escaped, or improperly escaped data sucks! Wore my X for hat for a week because of a person named O'malley, and a street named CRS'Road. If you don't know what it means, WASTE YOUR TIME AND READ ABOUT IT! Wish I slowed down and did from the start.
LASTLY AND MOST IMPORTANT - I'm still a student, a very green and hungry one at that. So once again, I'M SURE I have done some things here that are not good, or not-best. I invite your criticism, and in fact look forward to it!
<pre><code>
<?php
// I actually got some functions to work!!
// So everything necesary self-requires from one required file
require_once ('/path/to/this/file/some.functions.php');
/*~~~~~~~~~~~~~~~~SET YOUR VARIABLES HERE~~~~~~~~~~~~~~~~~*/
/*A bunch of soap variables to be passed to MySOAPReq.file*/
/*~~~~~~~~~~~~~~~~SET YOUR VARIABLES HERE~~~~~~~~~~~~~~~~~*/
// Uses function from some.functions.php
$soapresult = mySoapClientMaker($avariable, $anothervariable);
//convert array to ph objects for use in prepared stmt
$xmlResponse = new SimpleXMLElement($soapresult);
foreach ($xmlResponse->xmlWorkOrders->workOrder as $order) {
try {
//$conn is now already there from some.functions.php
$conn->beginTransaction();
try {
// Create the query string and store it in a variable
$query1 = "INSERT INTO table(`id`,`b`,`c`,`d`) "
. "VALUES (:col1, :col2, :col3, :col4)"
. "ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id),d=" . $order->D;
// Prepare the query i.e. assemble the pieces of the string
$result1 = $conn->prepare($query1);
// Bind Values/Params
// PDO will not properly escape everything in the inserts without this
// This was the source of the broken import, lesson learned
$result1 ->bindValue(':col1', NULL, PDO::PARAM_NULL);
$result1 ->bindValue(':col2', 1, PDO::PARAM_INT);
$result1 ->bindValue(':col3', 1, PDO::PARAM_INT);
$result1 ->bindValue(':col4', $order->D, PDO::PARAM_STR);
// Execute (still in try mode) the now prepared/escaped query
$result1->execute();
// Remember the primary key from this insert to use as
// the foreign key in the next insert
$lastid = $conn->lastInsertID();
} catch(PDOExecption $e) {
// If your insert breaks, here everything
// goes back to its pre-insert state.
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
// Repeat as above
try {
$query2 = "INSERT INTO table2(`id`, `f`, `g`) "
. "VALUES (:col1, :col2, :col3) "
. "ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id), f=" . $order->F;
$result2 = $conn->prepare($query2);
$result2 ->bindValue(':col1', NULL, PDO::PARAM_NULL);
$result2 ->bindValue(':col2', 1, PDO::PARAM_INT);
$result2 ->bindValue(':col3', $order->D, PDO::PARAM_INT);
$result2->execute();
$lastid = $conn->lastInsertID();
} catch(PDOExecption $e) {
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
// Repeat as above again
try {
$dateparts=explode(' ',$order->H);
$query3 = "INSERT INTO table3(`id`, `g`, `h`, `i`) "
. "VALUES (:col1, :col2, :col3, :col4) "
. "ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id), g=G, h=H, i=" . $lastid;
VALUES ('" . "','" . $order->G . "', STR_TO_DATE('" . $dateparts[0] . "','%m/%d/%Y'),'" . $dateparts[1] . "')
$result3 = $conn->prepare($query3);
$result3 ->bindValue(':col1', NULL, PDO::PARAM_NULL);
$result3 ->bindValue(':col2', $order->G, PDO::PARAM_INT);
$result3 ->bindValue(':col3', "STR_TO_DATE(" . $dnsdateparts[0] . "','%m/%d/%Y')", PDO::PARAM_STR);
$result3 ->bindValue(':col4', $dateparts[1], PDO::PARAM_STR);
$result3->execute();
// NOW if everything made it this far without error
// it will all be committed to the db
$conn->commit();
} catch(PDOExecption $e) {
$conn->rollback();
print "Error!: " . $e->getMessage() . "</br>";
}
} catch( PDOExecption $e ) {
print "Error!: " . $e->getMessage() . "</br>";
}
}
?>
<code><pre>
P.S. Thanks to Mike Purcell for the quick and simple answer he offered someone else, to my latest question.
PDO not escaping quotes

Related

MySQL unwanted automatic replacing \n to linebreaks when storing data

I am using PHP to pass a query like this:
"UPDATE `prove750_mrdias`.`stringsMrDias`
SET `conteudo` = '$conteudo'
WHERE `stringsMrDias`.`ID` = $id;"
when I echo $conteudo I get Sobre\nmim as expected.
But after the query, I look at the database and the value stored is the formatted string:
'sobre
mim'
That's causing all sorts of problems when parsing the data back to my application.
If I go to phpMyAdmin and pass the value of $conteudo manually it maintains the expected behavior, only when querying the replace is happening without calling it.
Any ideas?
I suspect it's an issue of interpolation. You can kill two birds with one stone by using prepared statements. By using prepared statements
your data won't be corrupted or need to be manually handled by you,
your application will not be subject to security issues a la SQL injection.
This might look like:
$sql = "UPDATE `prove750_mrdias`.`stringsMrDias` SET `conteudo` = ? WHERE `stringsMrDias`.`ID` = ?";
$preparedStatement = $pdo_handle->prepare( $sql );
$preparedStatement->execute([$conteudo, $id]);
That is, you first tell the database the form of the query you want executed, and then -- in a separate call -- you send the arguments to that query.
Try http://php.net/manual/en/function.nl2br.php
Example,
$conteudo = nl2br($conteudo);
Then store into database.
Prepared statements was the right direction.
After looking at the mysqli documentation I ended up with a code like this:
`$sql = "UPDATE `prove750_mrdias`.`stringsMrDias` SET `conteudo` = (?) WHERE `stringsMrDias`.`ID` = (?)";
if (!($stmt = $con->prepare($sql))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
if (!$stmt->bind_param('ss', $conteudo,$id)) {
echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if (!$stmt->execute()) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}`
Had to use the bind_param() as execute() don't accept any parameters.

PHP code for inserting non-duplicate values into MySQL

I have basic PHP/MySQL experience, having taken an introductory class. My knowledge is literally limited to the following PHP codes:
if(!($stmt = $mysqli->prepare...)
if(!($stmt->bind_param...)
if(!$stmt->execute...)
I'm currently trying to write a program that allows a user to enter a new password, and checks the password against existing passwords in the database.
Here is what I have:
<?php
foreach($Password){
$dupesql = "SELECT PasswordID Passwords WHERE (Password = '$Password')";
$duperaw = mysql_query($dupesql);
if(mysql_num_rows($duperaw){
echo nl2br("$Password has already been used \n");
}
else{
echo "Password added \n";
}
}
?>
I got the code from this post: Check for duplicates before inserting
I'm not sure if the code itself has problems or if I need to add anything else to my PHP code to get this working, as it's currently producing an "Error 500".
MySQL extension is deprecated and probably you have PHP 7.0 from where it is removed. Rewrite your code to MySQLi or PDO. Check this question on how to convert to MySQLi: How could I change this mysql to mysqli?
Also, your code just doesn't add a password (never). Probably you expect to add it before the "Password Added" message, but be aware: the solution you want to use is not ideal, because there is a risk of race condition between checking the password for existence and adding it. This means that it is possible to add a password twice.
To solve this problem, you might want to use transactions. More details are covered in this question: PHP + MySQL transactions examples
I decided to go an entirely different route, which is to set the Password column as unique.
Then I did a simple INSERT that would prompt an error if the user attempts to add a duplicate:
<?php
if(!($stmt = $mysqli->prepare("INSERT INTO Heroes(HeroName, FirstName, LastName, Age, HomeCountry, RoleID) VALUES (?,?,?,?,?,?)"))){
echo "Prepare failed: " . $stmt->errno . " " . $stmt->error;
}
if(!($stmt->bind_param("sssisi",$_POST['HeroName'],$_POST['FirstName'],$_POST['LastName'],$_POST['Age'],$_POST['HomeCountry'],$_POST['RoleID']))){
echo "Bind failed: " . $stmt->errno . " " . $stmt->error;
}
if(!$stmt->execute()){
echo "Execute failed: " . $stmt->errno . " " . $stmt->error;
} else {
echo "Added " . $stmt->affected_rows . " row to Heroes.";
}
?>

failed to insert multiple data in mysqli using loop

I want to store one's friends of facebook into a table. The result of below code shows only a single record is inserted. It wasn't the problem of my loop because I echo the name, it all appeared.
foreach($user_friends['data'] as $friend){
//echo $friend['name'] . "</br>";
$userImg = "https://graph.facebook.com/".$friend['id']."/picture?width=200&height=200";
$friendsName = $friend['name'];
$stmt3 = $db->prepare("INSERT INTO allfriend(`uId`,`name`,`img`,`friendOf`) VALUES (?,?,?,?)");
$stmt3->bind_param('ssss', $user_fbid, $friendsName, $userImg, $user_fbid);
$stmt3->execute();
}
You're misusing the prepare / bind feature slightly. You only need to prepare once, but you do need to reset the statement after each use.
Also, you should check for failure of your statements. If you do that you may find out why things might work differently from what you expect.
Is it possible your column friend.uID is in fact a primary key? The code you've shown tries to insert the same value into multiple rows. That could be your problem.
Try this:
$stmt3 = $db->prepare
("INSERT INTO allfriend(`uId`,`name`,`img`,`friendOf`) VALUES (?,?,?,?)")
|| die "prepare failed: ". $db->error;
foreach($user_friends['data'] as $friend) {
//echo $friend['name'] . "</br>";
$userImg = "https://graph.facebook.com/".$friend['id']."/picture?width=200&height=200";
$friendsName = $friend['name'];
$stmt3->bind_param('ssss', $user_fbid, $friendsName, $userImg, $user_fbid)
|| die "bind_param failed " . $db->error;
$stmt3->execute()
|| die "execute failed " . $db->error;
$stmt3->reset()
|| die "reset failed " . $db->error;
}

Return the id of the last MySQL insert in PHP

I'm trying to grab the id of the last inserted auto-increment row and cannot successfully grab it.
error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$title = mysqli_real_escape_string($conxn,$_POST['blog_title']);
$entry = mysqli_real_escape_string($conxn,$_POST['blog_entry']);
$sourceName = mysqli_real_escape_string($conxn,$_POST['blog_source_name']);
$sourceLink = mysqli_real_escape_string($conxn,$_POST['blog_source_link']);
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql="INSERT INTO blog (blog_title, blog_entry, blog_source, blog_link)
VALUES ('$title','$entry','$sourceName','$sourceLink')";
$lastID = $mysqli->insert_id;
if (!mysqli_query($conxn,$sql)) {
die('Error: ' . mysqli_error($conxn));
}
When I echo $lastID a "0" is returned after every submit.
You need to place the $mysqli->insert_id() after the actual mysqli_query(). See below.
if (!mysqli_query($conxn,$sql)) {
die('Error: ' . mysqli_error($conxn));
}
$lastID = $mysqli->insert_id;
That said, there are other issues with your code. First & foremost, you are mixing up the Object oriented style of calling mysqli_* with the procedural style. For example the OOP method of $mysqli->real_escape_string equates to the procedural method of mysqli_real_escape_string.
So this:
$lastID = $mysqli->insert_id;
Should be this:
$lastID = mysqli_insert_id($conxn);
So without seeing the rest of your code, unclear how to handle. Know the difference & experiment. But here are my suggestions in good faith based on the code you have presented.
For example, your references to $_POST values do not have single quotes, so I added that. Also, since you are using double quotes—which handle string substitution—you can condense your INSERT variable setting by getting rid of the . concatenation.
$title = mysqli_real_escape_string($conxn, $_POST['blog_title']);
$entry = mysqli_real_escape_string($conxn, $_POST['blog_entry']);
$sourceName = mysqli_real_escape_string($conxn, $_POST['blog_source_name']);
$sourceLink = mysqli_real_escape_string($conxn, $_POST['blog_source_link']);
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql="INSERT INTO blog (blog_title, blog_entry, blog_source, blog_link)
VALUES ('$title','$entry','$sourceName','$sourceLink')";
if (!mysqli_query($conxn,$sql)) {
die('Error: ' . mysqli_error($conxn));
}
$lastID = mysqli_insert_id($conxn);
That done, this code chunklet can be cleaned up even more, and this is how I would handle it. I have made an array of the $_POST values you are grabbing so you don’t have to repeat code. Also added comments to make it clearer what is happening. And I have used the procedural format for all commands here. If OOP is what you want, then you need to change all of the commands to match OOP format.
// Set all of the `$_POST` values into an array.
$post_items = array('blog_title','blog_entry','blog_source_name', 'blog_source_link');
// Roll through those values with a `foreach` loop.
foreach ($post_items as $post_item) {
$$post_item = mysqli_real_escape_string($conxn, $_POST[$post_item]);
}
// MySQL connection error check.
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// Set the SQL values.
$sql = "INSERT INTO blog (blog_title, blog_entry, blog_source, blog_link)
VALUES ('$blog_title','$blog_entry','$blog_source_name','$blog_source_link')";
// Run the query.
if (!$mysqli_query($conxn, $sql)) {
die('Error: ' . mysqli_error($conxn));
}
// Get the last insert ID via object oriented method.
// $lastID = $mysqli->insert_id;
// Get the last insert ID via procedural method.
$lastID = mysqli_insert_id($conxn);

Why is PHP mysqli prepared statement working but inserting all NULL values?

What would cause this? Code follows:
$m = new mysqli($host,$user,$pass,$db);
if(mysqli_connect_errno()) die('Connect failed: ' . mysqli_connect_error());
$PrepSQL = "INSERT INTO Products (" . implode(',',$this->cols) . ") VALUES (";
$PrepSQL .= '?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
$stmt = $m->prepare($PrepSQL);
if(!$stmt) die('Could not prepare: ' . $m->error . "\n$PrepSQL\n");
$ret = $stmt->bind_param('isissssddssssssssssssssssssssssssisssssss',
$contents[0], ... bunch of these here ... );
if(!$ret) die('bind_param failed: ' . $m->error);
Then in a loop I have:
$contents = explode('|',$NL); // NL is pipe delimited data
print_r($contents);
if(!$stmt->execute()) die("Statement failed: " . $m->error);
And the script doesn't halt but every value is null in MySQL. Most of the types are strings and I would assume they would at least fill in even if the numeric types are wrong. The print_r is printing values correctly.
Can you show the complete code from preparing the statement to executing it?
I suspect that $contents in the first part is not the same $contents as in the second part. They need to be references to the same array, since you're populating it after binding it by reference.

Categories