I'm trying to convert a site to use prepared mysql statements, however I'm having some trouble replacing my use of fetch_array().
The comments on php.net offer a solution which I would have thought should work but for some reason I'm getting strange undefined constant errors when calling a function via call_user_func_array() can someone suggest a better way of doing it?
Here's the function I'm using at the moment. I've dumbed it down a bit for posting on here (it's part of a larger class which extends mysqli and handles error catching etc) so sorry if I've made any mistakes copy and pasting it.
public static function stmt_bind_assoc(&$stmt, &$out) {
$data = mysqli_stmt_result_metadata($stmt);
$fields = array();
$out = array();
$fields[0] = $stmt;
$count = 1;
while($field = mysqli_fetch_field($data)) {
$fields[$count] = &$out[$field->name];
$count++;
}
call_user_func_array(mysqli_stmt_bind_result, $fields);
}
public function fetch_array($rawQuery) {
$stmt = $this->prepare($rawQuery);
$row = array();
self::stmt_bind_assoc($stmt, $row);
$result = $stmt->fetch();
$stmt->free();
return $result;
}
The errors I get are:
Notice: Use of undefined constant mysqli_stmt_bind_result - assumed 'mysqli_stmt_bind_result'
Fatal error: Call to undefined method mysqli_stmt::free()
The first error comes from your call_user_func_array statement: you need quotes around the mysqli_stmt_bind_result, otherwise PHP assumes it's a constant.
And there's no free() function in mysqli_stmt, use $stmt->free_result() instead.
$servername = "localhost"; $username = "root"; $password = ""; $dbnam = "test";
// Create connection $conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection if (mysqli_connect_errno()) {
die("Connection failed: %s\n" . mysqli_connect_errno()); }
$stmt = mysqli_prepare($conn, "SELECT * FROM myguests") or
die(mysqli_error($conn)); mysqli_stmt_execute($stmt);
$data = mysqli_stmt_result_metadata($stmt);
$fields = array();
$out = array();
$fields[0] = &$stmt;
$count = 1;
while($field = mysqli_fetch_field($data)) {
$fields[$count] = &$out[$field->name];
$count++;
}
call_user_func_array("mysqli_stmt_bind_result", $fields);
while(mysqli_stmt_fetch($stmt)) print_r($out);
$stmt->close(); $conn->close();
Works great on me, hope it helps
Related
Adapting an answer from here to try and pass an array as the parameter for a WHERE clause in MySQL. Syntax seems okay but I'm just getting null back form the corresponding JSON. I think understand what it is supposed to do, but not enough that I can work out where it could be going wrong. The code for the function is;
public function getTheseModulesById($moduleids) {
require_once 'include/Config.php';
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD);
// Check connection
if (!$con)
{
die("Connection error: " . mysqli_connect_error());
}
// selecting database
mysqli_select_db($con, DB_DATABASE) or die(mysqli_connect_error());
$in = join(',', array_fill(0, count($moduleids), '?'));
$select = "SELECT * FROM modules WHERE id IN ($in)";
$statement = $con->prepare($select);
$statement->bind_param(str_repeat('i', count($moduleids)), ...$moduleids);
$statement->execute();
$result = $statement->get_result();
$arr = array();
while($row = mysqli_fetch_assoc($result)) {
$arr[] = $row;
}
mysqli_close($con);
return $arr;
}
And the code outwith the function calling it looks like;
$id = $_POST['id'];
$player = $db->getPlayerDetails($id);
if ($player != false) {
$pid = $player["id"];
$moduleids = $db->getModulesByPlayerId($pid); //this one is okay
$modules = $db->getTheseModulesById($moduleids); //problem here
$response["player"]["id"] = $pid;
$response["player"]["fname"] = $player["fname"];
$response["player"]["sname"] = $player["sname"];
$response["modules"] = $modules;
echo json_encode($response);
[EDIT]
I should say, the moduleids are strings.
I currently working on dashboard using PHP. I need to fetch data from database inside SQLyog, and transfer it into a graph. The problem is I keep getting this error; Fatal error: Call to undefined method MDB2_Error::execute() on line 30 in the class coding. The error is on $res = $query->execute($data); Can someone help me with my coding?
Here is the code for class.
<?php
class fetch_ranking extends MDB2{
var $con;
var $tbl_user;
var $tbl_isi_scopus_webo;
function fetch_ranking ($dsn) {
$this->con =& MDB2::singleton($dsn, $options=null);
//echo $this->con->getMessage();
if (PEAR::isError($this->con)) {
die($this->con->getMessage());
}
$this->tbl_user = 'user';
$this->tbl_isi_scopus_webo = 'ISI_SCOPUS_WEBO';
}
function fetch_webojuly16(){
$types = array();
$sql = "select university, criteria_rank as presence
from isi_scopus_webo
where month='july'
and year='2016'
group by university" ;
$query = $this->con->prepare($sql,$types,MDB2_PREPARE_RESULT);
$data = array();
$res = $query->execute($data);
if (PEAR::isError($res)) {
die($res->getMessage());
}
$this->con->setFetchMode(MDB2_FETCHMODE_ASSOC);
$valrec = $res->fetchAll();
return $valrec;
}
}?>
And this is for the graph.
<?php
require_once($_SERVER['DOCUMENT_ROOT'].'/config/siteconf.php');
require_once($basehome.'/config/default.php');
require_once($basedir.'/mod/ppsg/dsn.php');
require_once($basehome.'/mod/ppsg/class/fetch_data_from_db_isi_scopus_webo.php');
$current_year = date('Y', strtotime(date('Y')));
//$fhObj = new fetch_ranking($ranking);
$hostname="192.168.111.55";
$username="devopt";
$password="G0devopt$";
$dbname="ranking";
//Connect to the database
$connection = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
mysql_select_db($dbname, $connection)
or die("Could not select examples");
$xdata=array();
$ydata=array();
$xdata['name'] = 'PRESENCE';
$ydata['name'] = 'UNIVERSITY';
$ydata['color'] = '#ABEBC6';
//Call to a member function fetch_webojuly16() on a non-object
$webojuly16 = $fhObj->fetch_webojuly16();
foreach($webojuly16 as $wj16){
$xdata['data'][] = $wj16['presence'];
$ydata['data'][] = $wj16['university'];
}
$json_arr = array($xdata,$ydata);
print json_encode($json_arr, JSON_NUMERIC_CHECK);
?>
This is the coding for graph
The $this->con->prepare($sql,$types,MDB2_PREPARE_RESULT); call might return a MDB2_Error object in case the prepare() statement fails, as documented on http://pear.php.net/package/MDB2/docs/latest/MDB2/MDB2_Driver_Common.html#methodprepare. You have to check with PEAR::isError if that is the case or not. In your case it is, so you cannot call $res = $query->execute($data); on a MDB2_Error object, and that's exactly what the error message is telling you.
Add the if statement to check for errors on the $query variable and check the error messages you get.
Ok, so I am having a lot of trouble with Prepared statements. I've done hours of research and still can't seem to fully understand everything...
I really feel like I need to understand Prepared statements because I was just about to release a few new free APIs on my website (which require API Key to execute API) but I recently realized how insecure everything is.... I can simply use SQL injection to bypass API Key check, e.g. 'OR'1'='1
Here is how I validate API Key:
$apikey = $_GET['key'];
$sql = "SELECT * FROM `table` WHERE `key` = '$apikey'";
$query = mysqli_query($con, $sql);
if($query)
{
$fetchrow = mysqli_fetch_row($query);
if(isset($fetchrow[0]))
{
echo "API Key is valid!";
}
else
{
echo "API KEY is invalid";
}
}
And like mentioned above this can easily be bypassed by executing my API like this
http://website.com/api.php?key='OR'1'='1
This really scared me at first, but then I did some research and learned a good way to prevent any form of SQL injection is to use prepared statement, so I did a lot of research and it just seems quite complicated to me :/
So I guess my question is, how can I take my above code, and make it function the same way using prepared statements?
Probably everything you need:
class Database {
private static $mysqli;
Connect to the DB:
public static function connect(){
if (isset(self::$mysqli)){
return self::$mysqli;
}
self::$mysqli = new mysqli("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
if (mysqli_connect_errno()) {
/*Log error here, return 500 code (db connection error) or something... Details in $mysqli->error*/
}
self::$mysqli->query("SET NAMES utf8");
return self::$mysqli;
}
Execute statement and get results:
public static function execute($stmt){
$stmt->execute();
if ($mysqli->error) {
/*Log it or throw 500 code (sql error)*/
}
return self::getResults($stmt);
}
Bind results to the pure array:
private static function getResults($stmt){
$stmt->store_result();
$meta = $stmt->result_metadata();
if (is_object($meta)){
$variables = array();
$data = array();
while($field = $meta->fetch_field()) {
$variables[] = &$data[$field->name];
}
call_user_func_array(array($stmt, "bind_result"), $variables);
$i = 0;
while($stmt->fetch()) {
$array[$i] = array();
foreach($data as $k=>$v)
$array[$i][$k] = $v;
$i++;
}
$stmt->close();
return $array;
} else {
return $meta;
}
}
Class end :)
}
Example of usage:
public function getSomething($something, $somethingOther){
$mysqli = Database::connect();
$stmt = $mysqli->prepare("SELECT * FROM table WHERE something = ? AND somethingOther = ?");
$stmt->bind_param("si", $something, $somethingOther); // s means string, i means number
$resultsArray = Database::execute($stmt);
$someData = $resultsArray[0]["someColumn"];
}
Resolving your problem:
public function isKeyValid($key){
$mysqli = Database::connect();
$stmt = $mysqli->prepare("SELECT * FROM table WHERE key = ? LIMIT 1");
$stmt->bind_param("s", $key);
$results = Database::execute($stmt);
return count($results > 0);
}
PHP automatically closes DB connection so no worries about it.
$sql = "SELECT * FROM `table` WHERE `key` = ?";
if(stmt = $mysqli->prepare($sql)) {
$stmt->bind_param("i", $apikey);
$stmt->execute();
$stmt->bind_result($res);
$stmt->fetch();
$stmt->close();
}
See more - http://php.net/manual/en/mysqli.prepare.php
I have no records in a table called assessment
I have a function:
function check_assessment_record($p_id, $a_id, $c){
$dataexistsqry="SELECT * FROM assessments WHERE (pupil_id=$p_id && assessblock_id=$a_id)" ;
$resultt = $c->query($dataexistsqry);
if ($resultt->num_rows > 0) {
echo '<p>set $de = true</p>';
$de=TRUE;
}else{
echo '<p>set $de = false</p>';
$de=FALSE;
}
return $de;
$dataexists->close();
}; //end function
I call the function thus:
$thereisdata = check_assessment_record($pupil_id, $assessblock_id, $conn);
However my function is printing out nothing when I was expecting FALSE. It prints out true when there's a record.
When I get the result in $thereisdata I want to check for if its TRUE or FALSE but its not working.
I looked at the php manual boolean page but it didn't help
It seems that you are passing the database connection as an object using the variable $c in your function parameter. This tells me that you would greatly benefit by creating a class and using private properties/variables. Also, there are many errors in your code that shows me what you are trying to achieve, some errors are the way you are closing your db connection using the wrong variable, or how you place the close connection method after the return, that will never be reached.
Anyway, I would create a database class where you can then call on specific functions such as the check_assessment_record() as you wish.
Here's how I would redo your code:
<?php
class Database {
private $conn;
function __construct() {
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "test";
// Create connection
$this->conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($this->conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
}
function check_assessment_record($p_id, $a_id) {
$sql = "SELECT * FROM assessments WHERE (pupil_id=$p_id && assessblock_id=$a_id)";
$result = $this->conn->query($sql);
if ($result->num_rows > 0) {
echo '<p>set $de = true</p>';
$de = TRUE;
} else {
echo '<p>set $de = false</p>';
$de = FALSE;
}
return $de;
}
function __destruct() {
$this->conn->close();
}
}
$p_id = 1;
$a_id = 2;
$db = new Database();
$record = $db->check_assessment_record($p_id, $a_id);
var_dump($record);
?>
are you using PDO's correctly?
A call for me would normally look like;
$aResults = array();
$st = $conn->prepare( $sql );
$st->execute();
while ( $row = $st->fetch() ) {
//do something, count, add to array etc.
$aResults[] = $row;
}
// return the results if there is, else returns null
if(!empty($aResults)){return $aResults;}
if you didnt want to put the results into an array you could just check if a column is returned;
$st = $conn->prepare( $sql );
$st->execute();
if(! $st->fetch() ){
echo 'there is no row';
}
Here is the code
function check_assessment_record($p_id, $a_id, $c){
$dataexistsqry="SELECT * FROM assessments WHERE (pupil_id=$p_id && assessblock_id=$a_id)" ;
$resultt = $c->query($dataexistsqry);
if ($resultt->num_rows > 0) {
echo '<p>set $de = true</p>';
$de=TRUE;
}else{
echo '<p>set $de = false</p>';
$de=FALSE;
}
return $de;
$dataexists->close();
}; //end function
You can check the return value using if else condition as
$thereisdata = check_assessment_record($pupil_id, $assessblock_id, $conn);
if($thereisdata){ print_f('%yes data is present%'); }
else{ print_f('% no data is not present %'); }
The reason is , sometime function returning Boolean values only contain the true value and consider false value as null , that's why you are not printing out any result when data is not found.
Hope this will help you. Don't forget to give your review and feedback.
This question already has answers here:
Call to undefined method mysqli_stmt::get_result
(10 answers)
Closed 11 months ago.
I'm quite new to prepared statements and am not sure I am doing this right.
Here is what I try:
$currgame = 310791;
$sql = "SELECT fk_player_id, player_tiles, player_draws, player_turn, player_passes, swapped FROM ".$prefix."_gameplayer WHERE fk_game_id = ?";
$stmt = $mysqli->stmt_init();
$data = array();
if($stmt->prepare($sql)){
$stmt->bind_param('i', $currgame);
$stmt->execute();
$fk_player_id = null; $player_tiles = null; $player_draws = null; $player_turn = null; $player_passes = null; $swapped = null;
$stmt->bind_result($fk_player_id, $player_tiles, $player_draws, $player_turn, $player_passes, $swapped);
$res = $stmt->get_result();
while ($row = $res->fetch_assoc()){
$data[] = $row;
}
$stmt->close();
}
// to display own games
foreach ($data as $row) {
if ($row['fk_player_id'] == $playerid) {
$udraws = $row['player_draws']+1;
$upass = $row['player_passes'];
$uswaps = $row['swapped'];
echo 'uDraws: '.$udraws.'<br>';
echo 'uPass: '.$upass.'<br>';
echo 'uSwaps: '.$uswaps.'<br><br>';
}
}
// to display other games
foreach ($data as $row) {
if ($row['fk_player_id'] != $playerid) {
$opponent = $row['fk_player_id'];
$oppTiles = $row['player_tiles'];
$odraws = $row['player_draws']+1;
$opass = $row['player_passes'];
$oswaps = $row['swapped'];
echo 'oID: '.$opponent.'<br>';
echo 'oTiles: '.$oppTiles.'<br>';
echo 'oDraws: '.$odraws.'<br>';
echo 'oPass: '.$opass.'<br>';
echo 'oSwaps: '.$oswaps.'<br><br>';
}
}
I get an "ServerError" when trying to run this: It is the $res = $stmt->get_result(); that makes the error, but not sure why.
PHP Fatal error: Call to undefined method mysqli_stmt::get_result() in /home/mypage/public_html/TEST/preparedstatement.php on line 61
Depending on your PHP/MySQL setup you may not be able to use get_result().
The way to get around this is to bind the results.
For example:
$stmt->execute();
$fk_player_id = null; $player_tiles = null; $player_draws = null; $player_turn = null; $player_passes = null; $swapped = null;
$stmt->bind_result($fk_player_id, $player_tiles, $player_draws, $player_turn, $player_passes, $swapped);
while ($stmt->fetch()) { // For each row
/* You can then use the variables declared above, which will have the
new values from the query every time $stmt->execute() is ran.*/
}
For more information click here
Since I don't see it in your code, make sure you're instantiating the mysqli object before trying to query on it:
$mysqli = new mysqli("127.0.0.1", "user", "password", "mydb");
if($mysqli->connect_error){
die("$mysqli->connect_errno: $mysqli->connect_error");
}
Also, a ServerError would certainly show up in your logs and point you in the right direction.
while (mysqli_stmt_fetch($stmt)) {
printf ("%s (%s)\n", $name, $code);
}
This might help you:
http://php.net/manual/en/mysqli-stmt.fetch.php