|
PHP - Mdb2 Prepare Statements Php + Mysql
hey... found this website when googling for a php help forum... hopefully this is the right place.
I am about to start a major project for a new high profile company contract my company is presently bidding on. One of the requirements is a web interface to communicate between the 2 companies. I recently read (and have been reading more into it) that MDB2 is (one of) the best methods to communicate with a database (using prepared statements). It seems to be extremely popular, and not to difficult to use... however, for some reason, it just wont work for me. Code: [Select] <?php require_once '/include/MDB2.php'; function connect(){ $SQL = array( 'driver' => 'mysql', 'user' => '***', 'pass' => '***', 'host' => '127.0.0.1', 'dbname' => '***', ); $SQL['sql'] = $SQL['driver']."://".$SQL['user'].":".$SQL['pass']."@".$SQL['host']."/".$SQL['dbname']; $mdb2 = MDB2::connect($SQL['sql']); $mdb2->setOption('emulate_prepared',true); if(PEAR::isError($mdb2))die("Error while connecting : " . $mdb2->getMessage()); return $mdb2; } $mdb2 = connect(); $statement = $mdb2->prepare("INSERT INTO `test` (id,name) VALUES (?, ?)", array('integer','text'), MDB2_PREPARE_MANIP); $statement->execute(array(1,'someuser')); $statement->free(); ?> For some reason, this is not working? However if I just execute a normal query, it works no problem: Code: [Select] <?php $mdb2 = connect(); $statement = $mdb2->query("INSERT INTO `test` (id,name) VALUES (1,'someuser')"); ?> So, I am connecting properly, everything is good... but this prepared statement just hates me Any help please? Similar TutorialsI'm updating some PHP/MySQL code and struggling to get it to work correctly. At the moment I have the code as follows:
if (strlen($number) < "9" AND $number1 <> "101"){
}
else if (strlen($number) > "14") {
}
else {
...........the rest of the code goes here to action after filtering out the above.
I want the first if command to match if the length is less than 9 characters long, and the $number1 is either 101 or (I want to add in 102). I've tried amending the first IF statement to read as follows, but that fails:
if (strlen($number) < "9" AND ($number1 <> "101") OR ($number1 <> "102")){
}
I'm expecting it to be something very straightforward, but I've looked at it for so long now I just cannot see it. Thanks in advance for any help.
I swear I had read a tutorial on this site, but I must be mistaken as I can't find it. I did some googling on it.. but not to happy with the tutorials. Just wondering if someone could point me in a better direction. I'm wondering if I can take advantage of these. Like if I put these in a "config" file that is called on every PHP page and I have 2 or 3 SQL queries that I always want to run, a SELECT and UPDATE (maybe a delete). I could call these at will.. right? Without having to rewrite the query a million times? Any help is most appreciated. I have a checkbox when it is checked i garb its value ---meaning the id i take that id and i would like to use it in my where mysql_query statement then I would like to insert the array from the other foreach one after another with a prov meaning provider here is my code print "<select name='prov[]'>"; print '<option value=""></option>'; mysql_connect("localhost", "root", "root") or die(mysql_error()); mysql_select_db("db1") or die(mysql_error()); $query2 = "SELECT * FROM admin"; $result2 = mysql_query($query2) or die(mysql_error()); while($row2 = mysql_fetch_array($result2)) { if ($row2['priv']==prov){print '<option value="'.$row2['user'].'">'.$row2['user'].'</option>';} } print '</select>'; print '</div>'; <?php if (!empty($_POST[submitdeletetic])) { foreach ($_POST["delete"] as $key => $id) foreach ($_POST["prov"] as $prov) { mysql_query("UPDATE tickets SET prov='$prov' WHERE id='".(int)$id."'") or die(mysql_error()); } } ?> I have a prepared statement class for MYSQL, since in PHP 5 this is now changing to mysqli; I'm looking for some help in changing the code from my existing class to the new mysqli.
I have done some research online about changing from mysql to mysqli but the changes I made seems to only cause issues with connecting to the database.
After many hours of changing the existing file using the research online, I've decided to start again and ask others if they would be ever so kind to help this noob out and point out which parts of the script needs to be changed.
Thank you for reading.
<?php
class Database {
private $host;
private $user;
private $pass;
private $name;
private $link;
private $error;
private $errno;
private $query;
function __construct($host, $user, $pass, $name = "", $conn = 1) {
$this -> host = $host;
$this -> user = $user;
$this -> pass = $pass;
if (!empty($name)) $this -> name = $name;
if ($conn == 1) $this -> connect();
}
function __destruct() {
@mysql_close($this->link);
}
public function connect() {
if ($this -> link = mysql_connect($this -> host, $this -> user, $this -> pass, TRUE)) {
if (!empty($this -> name)) {
if (!mysql_select_db($this -> name, $this->link)) $this -> exception("Could not connect to the database!");
}
} else {
$this -> exception("Could not create database connection!");
}
}
public function close() {
@mysql_close($this->link);
}
public function query($sql) {
if ($this->query = @mysql_query($sql, $this->link)) {
return $this->query;
} else {
$this->exception("Could not query database!");
return false;
}
}
public function num_rows($qid) {
if (empty($qid)) {
$this->exception("Could not get number of rows because no query id was supplied!");
return false;
} else {
return mysql_num_rows($qid);
}
}
public function fetch_array($qid) {
if (empty($qid)) {
$this->exception("Could not fetch array because no query id was supplied!");
return false;
} else {
$data = mysql_fetch_array($qid);
}
return $data;
}
public function fetch_array_assoc($qid) {
if (empty($qid)) {
$this->exception("Could not fetch array assoc because no query id was supplied!");
return false;
} else {
$data = mysql_fetch_array($qid, MYSQL_ASSOC);
}
return $data;
}
public function fetch_object($qid) {
if (empty($qid)) {
$this->exception("Could not fetch object assoc because no query id was supplied!");
return false;
} else {
$data = mysql_fetch_object($qid);
}
return $data;
}
public function fetch_all_array($sql, $assoc = true) {
$data = array();
if ($qid = $this->query($sql)) {
if ($assoc) {
while ($row = $this->fetch_array_assoc($qid)) {
$data[] = $row;
}
} else {
while ($row = $this->fetch_array($qid)) {
$data[] = $row;
}
}
} else {
return false;
}
return $data;
}
public function last_id() {
if ($id = mysql_insert_id()) {
return $id;
} else {
return false;
}
}
private function exception($message) {
if ($this->link) {
$this->error = mysql_error($this->link);
$this->errno = mysql_errno($this->link);
} else {
$this->error = mysql_error();
$this->errno = mysql_errno();
}
if (PHP_SAPI !== 'cli') {
?>
<div class="alert-bad">
<div>
Database Error
</div>
<div>
Message: <?php echo $message; ?>
</div>
<?php if (strlen($this->error) > 0): ?>
<div>
<?php echo $this->error; ?>
</div>
<?php endif; ?>
<div>
Script: <?php echo @$_SERVER['REQUEST_URI']; ?>
</div>
<?php if (strlen(@$_SERVER['HTTP_REFERER']) > 0): ?>
<div>
<?php echo @$_SERVER['HTTP_REFERER']; ?>
</div>
<?php endif; ?>
</div>
<?php
} else {
echo "MYSQL ERROR: " . ((isset($this->error) && !empty($this->error)) ? $this->error:'') . "\n";
};
}
}
?>
Hello,
I am pretty new to PDO but have heard that it is good to use prepared statements to help avoid mysql injections.
What I'm wondering is, when using prepare, does one need to bind parameters or would one be able to do something like the following without risking security?
$db = new PDO(..);
$r = $db->prepare("SELECT * FROM test WHERE col=$_POST['col']");
$r->execute();
Thanks
I'm trying to clean up all my functions with any queries which take dynamic parameters using PDO prepared statements. I originally thought I was using prepared statements and was told later I wasn't so it's been on my to-do list to go and clean them up. I have cleaned up a lot of them and tested them and they are working fine. This one is giving me a problem though..
/*fetch production data*/
if( isset( $field ) && isset( $type ) && isset( $value ) ) {
$sql = 'SELECT id, job_number, enterprise, description, line_item, as400_ship_date
FROM production_data
WHERE :field :type :value
ORDER BY enterprise, job_number, line_item LIMIT :offset, :records_per_page';
$stmt = $pdo->prepare($sql);
$stmt->execute( [ 'field' => $field, 'type' => $type, 'value' => $value, 'offset' => $offset, 'records_per_page' => $records_per_page ] );
} else {
$sql = 'SELECT id, job_number, enterprise, description, line_item, as400_ship_date
FROM production_data
ORDER BY enterprise, job_number, line_item LIMIT '. $offset . ', '. $records_per_page;
}
It takes values from some drop downs (I'm using tabulator to generate a table and this part is related to it's pagination functions)...here is the HTML for those elements.
<div class="table-controls">
<div class="form-row">
<div class="col">
<label for="filter-field" class="col-form-label-sm">Field: </label>
<select id="filter-field" class="form-control form-control-sm">
<option></option>
<option value="Job Number">Job Number</option>
<option value="Enterprise">Enterprise</option>
</select>
</div>
<div class="col">
<label for="filter-type" class="col-form-label-sm">Type: </label>
<select id="filter-type" class="form-control form-control-sm">
<option value="like" selected="selected">Like</option>
<option value="=">Equal to</option>
</select>
</div>
<div class="col">
<label for="filter-value" class="col-form-label-sm">Value: </label>
<input id="filter-value" class="form-control form-control-sm" style="float: left;" type="text" placeholder="Value to filter...">
</div>
<div class="col d-flex align-content-end flex-wrap">
<button id="filter-clear" class="btn btn-primary btn-sm rounded-0">Clear Filters & Sorting</button>
</div>
</div>
</div>
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '? ? ORDER BY enterprise, job_number, line_item LIMIT ?, ?' at line 3 in C:\wamp64\www\test\scripts\order_status.php on line 125
I'd love to use anonymous placeholders on my ecommerce site project. I am writing half with php and half with golang. On the three examples below, when run, gives the following exception, " Error: Call to a member function execute() on string. " I tried it with a decimal too. Thanks in advance.
$stmt = $dbo->prepare = ("SELECT * FROM products WHERE ProductName = ?");
//this one calls exception
$stmt->execute();
$stmt = $dbo->prepare = ("SELECT * FROM products WHERE ProductName = ?");
//this one calls exception
$stmt->bindParam(1, $productID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $dbo->prepare = ("SELECT * FROM products WHERE ProductName = ?");
//this one calls exception
$stmt->bindValue(1, $productID, PDO::PARAM_INT);
$stmt->execute();
Here is the rest of the code :
<?php
$filename = "";
$keyword1 = $_GET['keyword'];
$titleOfSelectedDropDown = $_GET['val1'];
$fileID = "";
$imageID = "a";
$displayID = "";
$keyword1 = "test";
$titleOfSelectedDropDown = "cc";
$host = 'localhost';
$user = 'root';
$pass = '';
$database = 'ecommerce';
$options = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_EMULATE_PREPARES => false
);
$gKeyword1 = "";
$gKeyword2 = "";
$gKeyword3 = "";
$key1ID = "";
$key2ID = "";
$key3ID = "";
$string1 = "<center><h1><u>Search Results</u><h1></center></p>";
$dbo = new PDO("mysql:host=$host;dbname=$database", $user, $pass, $options);
$stmt = $dbo->prepare = ("SELECT * FROM products WHERE ProductName = ?");
$test = "1";
$stmt->execute([ $test ]);
Edited March 17 by JoshEir mistake I have this at the top of my index.php:
<?php
session_start();
// start of script every time.
// setup a path for all of your canned php scripts
$php_scripts = '/home/larry/web/test/php/'; // a folder above the web accessible tree
// load the pdo connection module
require $php_scripts . 'PDO_Connection_Select.php';
require $php_scripts . 'GetUserIpAddr.php';
//*******************************
// Begin the script here
$ip = GetUserIpAddr();
if (!$pdo = PDOConnect("foxclone")):
{
echo "Failed to connect to database" ;
exit;
}
else:
{
$stmt = $pdo->prepare("INSERT INTO 'download' ('IP_ADDRESS', 'FILENAME') VALUES (?, ?");
$stmt->bindParam(1, $ip);
$stmt->bindParam(2, $filename);
$stmt->execute();
}
endif;
//exit();
?>
I'm getting the following error at the $pdo->prepare line:
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''download' ('IP_ADDRESS','FILENAME') VALUES (?, ?' at line 1 in /home/larry/web/test/public_html/index2.php:23
Stack trace: #0 /home/larry/web/test/public_html/index2.php(23):
PDO->prepare('INSERT INTO 'do...') #1 {main} thrown in /home/larry/web/test/public_html/index2.php on line 23
I verified the format of the statement at https://www.w3schools.com/php/php_mysql_prepared_statements.asp but am unsure if it needs to be in the PDO_Connection_Select.php, or it belongs where I have it since the db is already connected. with php pdo, the bindParam is not working. The query outputs :words and instead of the $words value. How can i get this code working?
$sql = "SELECT count(*) FROM posts WHERE MATCH (comments) AGAINST (':words' IN BOOLEAN MODE)";
$stmt = $db->prepare($sql);
$stmt->bindParam(':words', $words);
$stmt->execute();
which code example is more safe? The code below now has $words instead of :words but is missing bindParam.
$stmt = $db->prepare(SELECT count(*) FROM posts WHERE MATCH (comments) AGAINST ('$words' IN BOOLEAN MODE)");
$stmt->execute();
$words is passed through both php $_get and $_post
Hey, I am coding this forum and the following PDO prepare query calls the topic details. The prepare query works perfectly well, however when I add it into a function within another class and then call it, the script does not seem to work. I get errors like the following: Fatal error: Call to a member function fetch() on a non-object in C:\wamp\www\new\sources\forum\new.php on line 117 The prepare query fails to excute, this is because I do not know how to add it into a function. This is what I tried: Code: [Select] class FUNC { function userDetails($table, $column, $cVaulue, $oBy, $ASDSC) { global $dbh; $sth = $dbh->prepare('SELECT * FROM `'.$table.'` WHERE `'.$column.'` = '.$cVaulue.' ORDER BY `'.$oBy.'` '.$ASDSC.''); $sth->bindParam(':id', $id, PDO::PARAM_INT); $sth->execute(); } } The FUNC class is called as the $load variable, and in my forum class I have decalred it in my global so the variable can be passed: Code: [Select] $id = $forum_data['id']; $load->userDetails('db_topics', 't_forum_id', ':id', 't_whenlast', 'DESC'); $coll=$sth->fetch(PDO::FETCH_ASSOC); $this->html->RightForum($coll); The code is very silly, but the fact is I did not know how to do this.. Please help me put this query into a function because I need to make use of it in many other parts of the forum and I don't want to constantly declare this query. Hello, I have this code
<?php
$stmt = $db->prepare("INSERT INTO `members` (`playername`,`player_login_name`,`player_login_pass`,`my_email`,
`my_gender`,`signup_IP`,`signup_time`)
VALUES(?,?,?,?,?,?,?)");
$stmt->bind_param("ssssssi",$_POST['email'],$_POST['email'],md5($_POST['pass']),$_POST['email'],$_POST['gender'],$_POST['REMOTE_ADDR'],time());
$stmt->execute();
$stmt->close();
?>
and i will not insert into my database. I have check the syntax and there is no error, can anyore help me
thanks
Hi, I will be creating pdf in php using following library. http://sourceforge.net/projects/pdf-php/ After creating pdf ,I want to send PDF data in byte[] to web service. Any idea how to read pdf and prepare pdf data in byte[] array. With Kind Regards, Zohaib. Excerpts of code:
function addUser() {
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$bio = $_POST['bio'];
$email = $_POST['email'];
$c_status = 0;
//$avatar =
//$username_query = $pdo->prepare("SELECT * from profiles001 WHERE username=':username'");
//$username_query->bindValue(':username', $username);
//$username_query->execute();
$query = $pdo->prepare("INSERT into profiles001 (username, password, email, c_status, bio) VALUES (:username, :password, :email, :cstat, :bio)");
$query->bindValue(':username', $username);
$query->bindValue(':password', $password);
$query->bindValue(':email', $email);
$query->bindValue(':cstat', $c_status);
$query->bindValue(':bio', $bio);
$query->execute();
setAvatar();
}
function setAvatar() {
// check if avatar is set, if not give default avatar
if (isset($file) && $fileError === UPLOAD_ERR_OK) {
$file = $_FILES['userfile'];
$fileName = $file['name'];
$fileTmpName = $file['tmp_name'];
$fileSize = $file['size'];
$fileError = $file['error'];
$fileType = $file['type'];
$fileExt = explode('.', $fileName);
$fileActualExt = strtolower(end($fileExt));
$allowedExtensions = array('jpg', 'jpeg', 'png');
}
// if user has not assigned avatar, assign the default.
if (empty($file)) {
$avatar = "assets/soap.jpg";
$query = $pdo->prepare("INSERT INTO profiles001 (avatar) VALUES (:avatar)");
$query->bindValue(':avatar', $avatar);
$query->execute();
}
}
addUser();
}
From the database file:
<?php
$host = "localhost";
$database = "soapbox";
$username = "drb";
$password = "m1n3craft";
// Create connection
$pdo = new PDO('mysql:host=localhost;dbname=soapbox;', $username, $password);
/*
Print error message and or code to the screen if there is an error.
*/
?>
NOTE: I also require dbcon.php at the top of the confirmation.php file which is NOT included in the excerpt at the top. Making pdo a global variable would probably fix it, but from what I heard globals are frowned upon. Hi All, I have the following code which works fine:
$mysqli = new mysqli("server", "user", "pass", "database");
if($mysqli->connect_error) {
exit('Could not connect');
}
$sql = "SELECT customer_contactname, customer_companyname, customer_phonenumber, customer_emailaddress, customer_address1, customer_address2, customer_city, customer_postcode
FROM ssm_customer WHERE customer_id = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("s", $_GET['q']);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($ccontname, $ccompname, $cphoneno, $cemail, $cad1, $cad2, $ccity, $cpost);
$stmt->fetch();
$stmt->close();
however, when i use my dbconn.php as an include rather than the top section of this code, i get the following error: function prepare() on null The error references the following $stmt = $mysqli->prepare($sql); In my database connection file, i am using the following: $conn = mysqli_connect($db_servername, $db_username, $db_password, $db_name); This seems to be the issue and i believe i am mixing procedural and object based but not sure why there should be a difference here? when i used my database connection file, i do change $mysqli->prepare to $conn->prepare Kind Regards Edited February 4, 2019 by AdamhumbugThe below is constantly loading the password page no matter what is enter in the password input on the form (on another page). I have checked the $login variable by echoing it and it is carrying the value from the field. <?php $off="yes"; $login=$_POST['login']; if($off=="yes" && (!isset($_SESSION['login']) || $_SESSION['login']!="pass")){ if($login=="" || $_SESSION['login']!="pass"){ header('Location: ./index2.html'); exit(); } elseif(!isset($_SESSION['login'])){ session_start(); $_SESSION['login']=$login; header('Location: ./index.php'); exit(); } } elseif($off=="no" || $_SESSION['login']=="pass"){ content goes here. } ?> How to write 2 "if" statements together? if($userResult==$myResult) and ($userResult<0) { I am trying to write an if statement that checks to make sure the information put in the text box is an imbedded file. Does anyone know how to do that? Hello, I am learning PDO SQL statements, I have mananged to connect using PDO: Code: [Select] try { $this->link = $dbh = new PDO('mysql:host='.$this->dbhost.';dbname='.$this->dbname.'', $this->dbuser, $this->dbpass); } catch (PDOException $e) { echo 'Connection failed: ' . $e->getMessage(); } I am not getting any error, so I guess that is a good start. I then tried the PDO SQL statement out. My old mySQL query is commented out in the Code: [Select] if (isset($_SESSION['id']) && isset($_SESSION['password'])) { $_SESSION['id'] = ( isset( $_SESSION['id'] ) ) ? $_SESSION['id'] : FALSE; $_SESSION['password'] = ( isset( $_SESSION['password'] ) ) ? $_SESSION['password'] : FALSE; //$logged = mysql_query("SELECT * FROM `db_members` WHERE `id`='".$_SESSION['id']."' AND `password` = '".$_SESSION['password']."'"); //$logged = mysql_fetch_array( $logged ); // the new pdo statement $ff = $dbh->prepare('SELECT * FROM db_members WHERE id = '.$_SESSION['id'].' AND password = '.$_SESSION['password'].''); $ff->execute(); $logged = $ff->fetchAll(); echo $logged['username']; } I am trying to assign the session to logged variable. So all I am asking is go into db_members and check the id and password that is the same as session id and password and collect the rows data such as username. My login script and everything works perfectly, even session id and password is valid when echo'd but I cannot assign it to the logged variable like my old sql statements. Code: [Select] $logged = mysql_query("SELECT * FROM `db_members` WHERE `id`='".$_SESSION['id']."' AND `password` = '".$_SESSION['password']."'"); $logged = mysql_fetch_array( $logged ); I used other PDO statements and it works perfectly but I just don't understand why this is not working.... can I please get some help if you have any solution to this? Hey guys, is there any way to have a LIKE condition on an IF statement? Something like: Code: [Select] if $GET_['WTV'] LIKE %LOVE% { $category=romance Any clues? Thanks in advance. Anything wrong with this because I got a parse error ONLY after adding to create this. <?php $visible = array('Yes', 'No'); foreach($visible as $visible): $visible2 = array('yes', 'no'); foreach($visible2 as $visible2): ?> |
|||||||