I am having a strange issue that I am just not finding a solution to. The problem is that the prepared sql statement is not binding in values, parameters or even passing them through the execute function. Instead, it inserts the ':blah' placeholder. As I said, I have tried bindParam, bindValue and this method all without result. However, I will try them all again now.
I outputted the parameters being sent right before the execute call.
Array ( [:username] => schenn [:salt] => NW5552wekj5155cNr52O54q56 [:hashpass] => 5e54240aec6294873d11d6ac3e5b135136a1b671 [:email] => monkey#monkey.com [:state] => OR [:country] => USA [:last_login] => 12/08/2011 )
Below is the code:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login)
VALUES (':username', ':salt', ':hashpass', ':email', ':state', ':country', ':last_login')";
$stmt = $pdoI->prepare($query);
$params = array(":username" => $this->username, ":salt" => $this->salt, ":hashpass" => $this->hashpass,
":email" => $this->email, ":state" => $this->state, ":country" => $this->country, ":last_login" => $this->last_login );
$stmt->execute($params);
You shouldnt be quoting the placeholders in the SQL. Try the following as your SQL string:
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country,
last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
You don't quote the binded values in the SQL statement when binding variables.
$query = "INSERT INTO player_acct (username, salt, hashpass, email, state, country, last_login) VALUES (:username, :salt, :hashpass, :email, :state, :country, :last_login)";
Also make sure $this->email, etc... is set correctly.
Related
So bassically I can't seem to send the array with the input values to my database.
I tried sending it seperately, it works, but it only sends the array or the way around. There are no errors.
if (isset($_POST['submit'])) {
$services = implode ("|", $_POST['services']);
mysqli_query($mysqli, "INSERT INTO klientai (package, name, surname, email, phone, message, services) VALUES('$_POST[package]', '$_POST[name]', '$_POST[surname]', '$_POST[email]', '$_POST[phone]', '$_POST[message]', '$services'");
}
mysql_query function is deprecated and is not secured, You should use another option.
You can use PDO for example:
https://www.php.net/manual/en/book.pdo.php
open connection
$pdo = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
insert method 1
$sql = "INSERT INTO users (name, surname, sex) VALUES (?,?,?)";
$stmt= $pdo->prepare($sql);
$stmt->execute([$name, $surname, $sex]);
insert method 2
$data = [
'name' => $name,
'surname' => $surname,
'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt= $pdo->prepare($sql);
$stmt->execute($data);
also check https://phpdelusions.net/pdo_examples/insert and
https://www.startutorial.com/articles/view/pdo-for-beginner-part-1
In this method, you don't need to escape your strings for SQL injection and it should also solve your problem.
I try to insert the data from my form (createBuilder) into my Database, using PDO and a custom prepare request:
public function createUser($data)
{
$connect = $this->connectBDD();
$rq = " INSERT INTO user (email, password, firstname, lastname, salt, role, addf, addl)
VALUES (:email, :password, :firstname, :lastname, :salt, :role, NULL, NULL)";
$t = $connect->prepare($rq);
$t->execute([
':email' => $data["email"],
':password' => $data["plainPassword"],
':firstname' => $data["firstname"],
':lastname' => $data["lastname"],
':salt' => $data["salt"],
':role' => 'ROLE_USER'
]);
return true;
}
But I get the following error:
SQLSTATE[42601]: Syntax error: 7 ERREUR: erreur de syntaxe sur ou près de « user »
LINE 1: INSERT INTO user (email, password, firstname, lastname, sal...
^
Is this because of the two 'NULL' last values ? I don't think so because if I add 2 more variables into my array, I still get the error...
Thanks for help
':email' is a string with the characters :, e, m, etc... :email (WITHOUT the ') is a placeholder.
Placeholders should never be quoted - quoting them turns into not-placeholders.
$sql = "... VALUES(:email, :password, :firstname, etc...";
I have a problem trying to insert new data into database,
i don't even get any error
$db = new MyPDO();
$datauser = array(
'account' => $acc,
'tid' => $tid,
'email' => $email,
'amount' => $amount,
'date' => 'NOW()',
'obj_id' => $object_id);
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
$sql->execute($datauser);
Checking database after running the script and see no new rows..
Any ideas how can i fix hat?
You need to prepare your statement instead of running a query directly with placeholders.
Change:
$sql = $db->query("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
To:
$sql = $db->prepare("INSERT INTO account_reg_log
(account, tid, email, amount, date, obj_id) VALUES
(:account, :tid, :email, :amount, :date, :obj_id)");
You should also add error handling in your MyPDO class so that PDO will throw exceptions and tell you exactly what goes wrong when it goes wrong.
I am creating a user registration system using PDO, and am attempting to insert the users form data into a database table. Very simple, however the wrong value is entered into the database. The values entered into the database are :username, :password, :email_address, :city, etc, rather than the value passed to the function from my form. Any idea as to what I am doing wrong? I tried using bindParam and bindValue but had similar results, and based on other posts I concluded that using an array is the best way to do it. help!
function add_user($username, $password, $email, $fName, $lName, $address, $city, $state, $zip, $phone ) {
global $db;
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(':username', ':password', ':email_address', ':first', ':last', ':address', ':city', ':state', ':zip_code', ':phone')";
$sth = $db->prepare($sql);
$result = $sth -> execute(array(':username' => $username, ':password' => $password, ':email_address' => $email, ':first' => $fName, ':last' => $lName, ':address' => $address, ':city' => $city, ':state' => $state, ':zip_code' => $zip, ':phone' => $phone));
if ($sth->execute()) {
$success = "Registration successful";
return $success;
} else {
var_dump($result->errorInfo());
$success = "Registration failed";
return $success;
}
Do not use quotes for parameters. It will be escaped because you're binding parameters already.
$sql = "INSERT INTO alumni_user_info
(username, password, email_address, first, last, address, city, state, zip_code, phone)
VALUES
(:username, :password, :email_address, :first, :last, :address, :city, :state, :zip_code, :phone)";
If you do something like this ':username' PDO will treat it as string.
I've been trying out my PHP skills and it seems when I try to send out the information from my Android app to the PHP, it seems to send just the parameter names(The database shows :Lname as an example.) out to the database. We are using PDO as the way to communicate with the MySQL Database.
Here is the coding as follows:
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
//Again, we need to update our tokens with the actual data:
$query_params = array(
':Lname' => $_POST['LName'],
':Fname' => $_POST['FName'],
':Address' => $_POST['Address'],
':City' => $_POST['City'],
':State' => $_POST['State'],
':ZIP' => $_POST['ZIP'],
':Phone' => $_POST['Phone'],
':myusername' => $_POST['username'],
':mypassword' => $_POST['password']
);
//time to run our query, and create the user
try {
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch (PDOException $ex) {
// For testing, you could use a die and message.
//die("Failed to run query: " . $ex->getMessage());
//or just use this use this one:
$response["success"] = 0;
$response["message"] = $ex->getMessage();
die(json_encode($response));
}
You have included literal values in your query string.
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";
should be
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword )
VALUES ( :Lname, :Fname, :Address, :City, :State, :ZIP, :Phone, :myusername, :mypassword)";
You need to remove the quotes from your SQL values, as its being interpreted as literal strings. If you remove them, you should be all good :)
$query = "INSERT INTO Customer ( Lname, Fname, Address, City, State, ZIP, Phone, myusername, mypassword ) VALUES ( ':Lname', ':Fname', ':Address', ':City', ':State', ':ZIP', ':Phone', ':myusername', ':mypassword')";