i am trying to use prepared statements but having trouble getting it to successfully run.
here is my code:
function addAlbum($album){
$connection = mysqli_connect(HOST,USER,PASS,DATABASE);
/*$sql = 'INSERT INTO `'.TABLE_ALBUMS.'` (albumName) VALUES ("'.$album.'")';
$result = mysqli_query($connection,$sql);*/
$stmt = $dbh->prepare('INSERT INTO `'.TABLE_ALBUMS.'` (albumName) VALUES ("'.$album.'")');
$stmt->bindParam(':albumName', $album);
$result = $stmt->execute();
if($result){
header("Location: index.php?success");
} else {
header("Location: index.php?fail");
}
}
i have ran this in firefox with errors on and this is what i get:
Fatal error: Call to undefined method
mysqli_stmt::bindParam() in
/Applications/MAMP/htdocs/PHPproject/includes/functions.inc.php
on line 16
could any one please tell me where i am going wrong?
many thanks
First argument for bind should be the type of variable:
$stmt->bind_param("s", $album);
Also you should check the return value of execute() and not the $stmt:
$result = $stmt->execute();
if($result){
echo "yes";
}
else {
echo "no";
}
Also I'd say that it's not a good ideea to prepare the statement each time you insert something. Prepared statements should be class variables or if you're not in oop, global variables, so you don't prepare the statement each time you call the function. Just write a function init() that will prepare all the statements that you'll use.
Related
I'm new to php. I'm trying to execute the queries below. I know I have to use mysqli_multi_query but all my tries so far have given me error. How do I execute these queries? I've read and tried to run other examples with failure.
<?php
include_once 'connect.php';
$user_values = json_encode($_POST['user_values']);//get a json object
$data = json_decode($user_values);
$sql = "";
if (isset($data->phone)) {
$sql .= "CALL new_company_phone('$data->name', $data->phone)";
}
/*procedure that inserts value of "phone" to the corresponding "name" row */
if (isset($data->street)) {
$sql .= "CALL new_company_street('$data->name', '$data->street')";
}
if (isset($data->street_num)) {
$sql .= "CALL new_company_street_num('$data->name' , $data->street_num)";
}
if(isset($data->city)){
$sql .= "CALL new_company_city('$data->name', '$data->city')";
}
if(isset($data->country)){
$sql .= "CALL new_company_country('$data->name', '$data->country')";
}
/* execute multi query */
if (!mysqli_multi_query($con, $sql)) {
echo "error"; }
On the contrary! You should never use mysqli_multi_query()! If you think you found a good use for this function, then you should rethink your approach.
What you should be using are prepared statements with parameter binding. Each CALL() should be a separate statement. You can create a function to make it easier to call each one if you want.
For example:
function callSP(mysqli $mysqli, string $sql, array $params) {
$stmt = $mysqli->prepare($sql);
$stmt->bind_param(str_repeat("s", count($params)), ...$params);
$stmt->execute();
}
if (isset($data->phone)) {
callSP($con, "CALL new_company_phone(?,?)", [$data->name, $data->phone]);
}
if (isset($data->street)) {
callSP($con, "CALL new_company_street(?,?)", [$data->name, $data->street]);
}
// and so on...
It's difficult to say what your stored procedures actually do. You might have to tweak the way you call them from PHP depending on whether they return results, and whether they use cursors. In general, I would recommend avoiding stored procedures whenever possible; you can do the same in PHP directly.
I got an error when I prepare my $query.
Here are the lines :
$query="INSERT INTO bm(title,season) VALUES(:title, :season)";
$stmt = $mysqli->prepare($query);
//$stmt->bind_param("ss", $title, $season);
$stmt->execute(array(':title' => $title, ':season' => $season));
I put the line with bind_param in //
I saw on others that could solve but error became roughly the same :
Fatal error: Call to a member function bind_param() on a non-object
So, I thought of my query but it's so simple I can't see anymore clearly. It's driving me nuts. :-/ I also tested the var $titleand $season with an echo just before the $query line to be sure, like this :
echo $title." et ".$season;
but nothing is wrong, values are ok. These are strings var. Any help would be very appreciated. Thanks.
Here is the complete code :
<?php
include("connexion.php");
// Get vars from previous form
//$id="";
$title = isset($_POST['title']) ? $_POST['title'] : "";
$season = isset($_POST['season']) ? $_POST['season'] : "";
// Testing vars
if (empty($titre) && empty($saison))
{
echo '<font color="red">Must be filled...</font>';
}
// Vars ok : could be inserted in "bm" table
else
{
// Protect - inject SQL
$title=$mysqli->real_escape_string(strip_tags($title));
$season=$mysqli->real_escape_string(strip_tags($season));
// Test
echo $title." et ".$season;
// Insert method
$query="INSERT INTO bm(title,season) VALUES(:title, :season)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("ss", $title, $season);
$stmt->execute(array(':title' => $title, ':season' => $season));
// Insert ok ?
if ($stmt) {
echo "Insert ok.";
}
else {
echo "Insert failed !";
}
}
//Close connexion
$mysqli->close();
?>
Try to change your database call as follows:
$query="INSERT INTO bm(title,season) VALUES(?, ?)";
$stmt = $mysqli->prepare($query);
//could be false if prepared statemant is somehow wrong
if ($stmt === false){
echo "Insert failed !";
}
else{
//bind the params to the variables
$stmt->bind_param("ss", $title, $season);
//no parameters allowed for execute method according to the doc
$success = $stmt->execute();
//check for $success if true/false
}
Why not use the most common used queing to fetch data from the database? The most commonly used is by using while loop for fetching data from the database right? I think that your approach(based on your code) perfectly works if you are using sqlsrv, but mysql and mysqli has almost the same syntax unlike from sqlsrv wherein it uses params to pass data, just my opinion :D
If you reference the documentation on PHP MYSQLI (http://php.net/manual/en/mysqli.prepare.php) you will notice that FALSE is returned when an error occurs in the prepare.
mysqli_prepare() returns a statement object or FALSE if an error occurred.
Instead of the call being from a mysqli_stmt object, it is from a FALSE boolean.
My assumption would be that the error occurs in your connection string if you are passing in proper variables. More code would be needed to troubleshoot further.
I'm trying to make the following code work but I can't reach the execute() line.
$mysqli = $this->ConnectLowPrivileges();
echo 'Connected<br>';
$stmt = $mysqli->prepare("SELECT `name`, `lastname` FROM `tblStudents` WHERE `idStudent`=?");
echo 'Prepared and binding parameters<br>';
$stmt->bind_param('i', 2 );
echo 'Ready to execute<br>'
if ($stmt->execute()){
echo 'Executing..';
}
} else {
echo 'Error executing!';
}
mysqli_close($mysqli);
The output that I get is:
Connected
Prepared and binding parameters
So the problem should be at line 5, but checking the manual of bind_param() I can't find any syntax error there.
When binding parameters you need to pass a variable that is used as a reference:
$var = 1;
$stmt->bind_param('i', $var);
See the manual: http://php.net/manual/en/mysqli-stmt.bind-param.php
Note that $var doesn't actually have to be defined to bind it. The following is perfectly valid:
$stmt->bind_param('i', $var);
foreach ($array as $element)
{
$var = $element['foo'];
$stmt->execute();
}
here it is just a simple explaination
declare a variable to be bind
$var="email";
$mysqli = $this->ConnectLowPrivileges();
echo 'Connected<br>';
$var="email";
$stmt = $mysqli->prepare("SELECT name, lastname FROM tablename WHERE idStudent=?" LIMIT=1);
echo 'Prepared and binding parameters<br>';
$stmt->bindparam(1,$var);
Your actual problem is not at line 5 but rather at line 1.
You are trying to use unusable driver.
While PDO does exactly what you want.
$sql = "SELECT `name`, `lastname` FROM `tblStudents` WHERE `idStudent`=?"
$stm = $this->pdo->prepare($sql);
$stm->execute(array(2));
return $stm->fetch();
After all the years passed since this answer has been written, a new PHP feature emerged, called "argument unpacking". So, since version 5.6 you can pass a value into bind_param:
$stmt->bind_param('i', ...[2]);
But still you have a trouble with getting your data back out of a prepared statement :)
I am using two prepared statements in PHP/MySQLi to retrieve data from a mysql database. However, when I run the statements, I get the "Commands out of sync, you can't run the command now" error.
Here is my code:
$stmt = $mysqli->prepare("SELECT id, username, password, firstname, lastname, salt FROM members WHERE email = ? LIMIT 1";
$stmt->bind_param('s', $loweredEmail);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($user_id, $username, $db_password, $firstname, $lastname, $salt);
$stmt->fetch();
$stmt->free_result();
$stmt->close();
while($mysqli->more_results()){
$mysqli->next_result();
}
$stmt1 = $mysqli->prepare("SELECT privileges FROM delegations WHERE id = ? LIMIT 1");
//This is where the error is generated
$stmt1->bind_param('s', $user_id);
$stmt1->execute();
$stmt1->store_result();
$stmt1->bind_result($privileges);
$stmt1->fetch();
What I've tried:
Moving the prepared statements to two separate objects.
Using the code:
while($mysqli->more_results()){
$mysqli->next_result();
}
//To make sure that no stray result data is left in buffer between the first
//and second statements
Using free_result() and mysqli_stmt->close()
PS: The 'Out of Sync' error comes from the second statement's '$stmt1->error'
In mysqli::query If you use MYSQLI_USE_RESULT all subsequent calls will return error Commands out of sync unless you call mysqli_free_result()
When calling multiple stored procedures, you can run into the following error: "Commands out of sync; you can't run this command now".
This can happen even when using the close() function on the result object between calls.
To fix the problem, remember to call the next_result() function on the mysqli object after each stored procedure call. See example below:
<?php
// New Connection
$db = new mysqli('localhost','user','pass','database');
// Check for errors
if(mysqli_connect_errno()){
echo mysqli_connect_error();
}
// 1st Query
$result = $db->query("call getUsers()");
if($result){
// Cycle through results
while ($row = $result->fetch_object()){
$user_arr[] = $row;
}
// Free result set
$result->close();
$db->next_result();
}
// 2nd Query
$result = $db->query("call getGroups()");
if($result){
// Cycle through results
while ($row = $result->fetch_object()){
$group_arr[] = $row;
}
// Free result set
$result->close();
$db->next_result();
}
else echo($db->error);
// Close connection
$db->close();
?>
I hope this will help
"Commands out of sync; you can't run this command now"
Details about this error can be found in the mysql docs. Reading those details makes it clear that the result sets of a prepared statement execution need to be fetched completely before executing another prepared statement on the same connection.
Fixing the issue can be accomplished by using the store result call. Here is an example of what I initially was trying to do:
<?php
$db_connection = new mysqli('127.0.0.1', 'user', '', 'test');
$post_stmt = $db_connection->prepare("select id, title from post where id = 1000");
$comment_stmt = $db_connection->prepare("select user_id from comment where post_id = ?");
if ($post_stmt->execute())
{
$post_stmt->bind_result($post_id, $post_title);
if ($post_stmt->fetch())
{
$comments = array();
$comment_stmt->bind_param('i', $post_id);
if ($comment_stmt->execute())
{
$comment_stmt->bind_result($user_id);
while ($comment_stmt->fetch())
{
array_push($comments, array('user_id' => $user_id));
}
}
else
{
printf("Comment statement error: %s\n", $comment_stmt->error);
}
}
}
else
{
printf("Post statement error: %s\n", $post_stmt->error);
}
$post_stmt->close();
$comment_stmt->close();
$db_connection->close();
printf("ID: %d -> %s\n", $post_id, $post_title);
print_r($comments);
?>
The above will result in the following error:
Comment statement error: Commands out of sync; you can't run this command now
PHP Notice: Undefined variable: post_title in error.php on line 41
ID: 9033 ->
Array
(
)
Here is what needs to be done to make it work correctly:
<?php
$db_connection = new mysqli('127.0.0.1', 'user', '', 'test');
$post_stmt = $db_connection->prepare("select id, title from post where id = 1000");
$comment_stmt = $db_connection->prepare("select user_id from comment where post_id = ?");
if ($post_stmt->execute())
{
$post_stmt->store_result();
$post_stmt->bind_result($post_id, $post_title);
if ($post_stmt->fetch())
{
$comments = array();
$comment_stmt->bind_param('i', $post_id);
if ($comment_stmt->execute())
{
$comment_stmt->bind_result($user_id);
while ($comment_stmt->fetch())
{
array_push($comments, array('user_id' => $user_id));
}
}
else
{
printf("Comment statement error: %s\n", $comment_stmt->error);
}
}
$post_stmt->free_result();
}
else
{
printf("Post statement error: %s\n", $post_stmt->error);
}
$post_stmt->close();
$comment_stmt->close();
$db_connection->close();
printf("ID: %d -> %s\n", $post_id, $post_title);
print_r($comments);
?>
A couple things to note about the above example:
The bind and fetch on the statement still works correctly.
Make sure the results are freed when the processing is done.
For those of you who do the right thing and use stored procedures with prepared statements.
For some reason mysqli cannot free the resources when using an output variable as a parameter in the stored proc. To fix this simply return a recordset within the body of the procedure instead of storing the value in an output variable/parameter.
For example, instead of having SET outputVar = LAST_INSERT_ID(); you can have SELECT LAST_INSERT_ID(); Then in PHP I get the returned value like this:
$query= "CALL mysp_Insert_SomeData(?,?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("is", $input_param_1, $input_param_2);
$stmt->execute() or trigger_error($mysqli->error); // trigger_error here is just for troubleshooting, remove when productionizing the code
$stmt->store_result();
$stmt->bind_result($output_value);
$stmt->fetch();
$stmt->free_result();
$stmt->close();
$mysqli->next_result();
echo $output_value;
Now you are ready to execute a second stored procedure without having the "Commands out of sync, you can't run the command now" error. If you were returning more than one value in the record set you can loop through and fetch all of them like this:
while ($stmt->fetch()) {
echo $output_value;
}
If you are returning more than one record set from the stored proc (you have multiple selects), then make sure to go through all of those record sets by using $stmt->next_result();
I have been getting the following error when I uploaded to a live server. It works OK on localhost which I thought was strange.
Fatal error: Call to a member function close() on a non-object....
The line it refers to
$stmt->close();
The connection to the DB
$connection=new mysqli($MYSQL_HOST,$MYSQL_USER,$MYSQL_PASS,$DB)or die(mysqli_error($connection));
The class itself.
function getTimes(){ //this method just pulls the results of the query and returns them as an array
global $connection;
$route = $this->route;
$station = $this->station;
$day = $this->day;
// create a prepared statement
if ($stmt = $connection->prepare("select time from timetable where route=? and day=? and station=?")) {
$stmt->bind_param("sss", $route, $day, $station); // bind parameters for markers
$stmt->execute(); //execute query
$stmt->bind_result($col1); //bind result variables
while ($stmt->fetch()){
$results[]=$col1;
}
}
$stmt->close();//close statement
return $results;
}
You should put $stmt into you if clause. There is a possiblity that if (false) and still get to your $stmt->close();
Your problem was that the $stmt object was instantiated as part of an if condition test. In the cases it failed, i.e. when it returns false, you were still trying to call ->close() on it anyway. I moved the method call within the if block.
Now you need to add an else clause to handle the fact that your script couldn't prepare the statement and given you say this works locally but not on your live server, I suggest there is some configuration difference causing a problem here. You need to turn on error handling with display_errors('1') and error_reporting(E_ALL). Don't forget to turn these off before letting the world at your new script. :)
function getTimes(){ //this method just pulls the results of the query and returns them as an array
global $connection;
$route = $this->route;
$station = $this->station;
$day = $this->day;
// create a prepared statement
if ($stmt = $connection->prepare("select time from timetable where route=? and day=? and station=?")) {
$stmt->bind_param("sss", $route, $day, $station); // bind parameters for markers
$stmt->execute(); //execute query
$stmt->bind_result($col1); //bind result variables
while ($stmt->fetch()){
$results[]=$col1;
}
$stmt->close();//close statement
}
return $results;
}
Move the close() call into your if statement, so that it will only be called if a $stmt was successfully created.
// create a prepared statement
if ($stmt = $connection->prepare("select time from timetable where route=? and day=? and station=?")) {
$stmt->bind_param("sss", $route, $day, $station); // bind parameters for markers
$stmt->execute(); //execute query
$stmt->bind_result($col1); //bind result variables
while ($stmt->fetch()){
$results[]=$col1;
}
$stmt->close();//close statement
}
I suspect on your local machine you don't have errors turned on, but on the server you upload to, errors are on.
The root issue to address here is the fact that prepare() is failing. The problem there most likely is the database on the server is missing the timetable table or that table is missing one or more fields route, day or station. As said by cbuckley, check $connection->error for the full error message.
When you uploaded to the server, did you remember to also make any database structure changes on the server?