使用准备好的语句 PHP 返回 MySQL 错误代码和自定义响应

Question

I have created a MySQL database and sending POST requests to it through my Flutter application and using Prepare Statement to prevent SQL Injection . I am returning the error messages in a raw form using mysqli->error . Here is my code.

<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT );
include("connection.php");

$query=$connection->prepare("insert into parent_child_table(`parent_id`, `child_reg_number`) values(?,?)");
$query->bind_param("is",$parent_id,$reg_number);

$parent_id=$_POST["parent_id"];
$reg_number=$_POST["reg_number"];

if ($query->execute()) {
echo "1";
} else {
  echo("$mysqli -> error");
}?>

What's the problem? / Current Response in case of error

The error message is in the raw form whenever the database throws an error like this.

: Uncaught mysqli_sql_exception: Cannot add or update a child row: a foreign key constraint fails ( parent_child_table , CONSTRAINT FK_child_reg_number FOREIGN KEY ( child_reg_number ) REFERENCES Student ( reg_number )) in /storage/ssd1/900/12273900/public_html/add_new_child.php:11
Stack trace:
0 /storage/ssd1/900/12273900/public_html/add_new_child.php(11): mysqli_stmt->execute()
1 {main}thrown in on line

What I want to do?
I want to send a MySQL response code or a formatted error message (which I'll be writing for sure based on the error code). How can I achieve that? Is there any pre-build method? I am a newbie to PHP. I hope someone would suggest me a better solution to my problem. Thanks
Expected Response

• Child Already Registered (in case of Primary key violation. I am using composite Primary Key)
• Wrong Reg # or the Reg # doesn't exist (in case of Foreign Key Violation)

Answer 1

First of all you have to understand that echoing error messages right away is not recommended . As a rule, your application do not expose its internal workings, error messages included.

Therefore, echo $mysqli->error; (which is the correct syntax for the operation. Neither quotes nor braces are used with echo statements.) is not acceptable behavior.

However, checking the actual error message and creating a custom response is a good practice. To achieve that you can catch the exception thrown. And write a code to handle your situation. In your case it would be like this

<?php
ini_set('display_errors', 0); // this will prevent PHP from displaying errors
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT ); // has to be moved in connection.php
include("connection.php");

$sql = "insert into parent_child_table(`parent_id`, `child_reg_number`) values(?,?)";
$query = $connection->prepare($sql);
$query->bind_param("is",$parent_id,$reg_number);

$parent_id=$_POST["parent_id"];
$reg_number=$_POST["reg_number"];

try {
    $query->execute();
} catch (mysqli_sql_exception $e) {
    if ($e->getCode() == /* the code for Foreign Key Violation */ ) {
        echo "Wrong Reg # or the Reg # doesn't exist";
    } elseif ($e->getCode() == /* the code for Primary key Violation */ ) {
        echo "Child Already Registered";
    } else {
        throw $e; // the most important part - ALL OTHER errors won't go unnoticed
    }
}

So there are three main changes to your script

• exposing errors turned off (has to be done on a live site)
• try catch added in order to catch the error
• an else statement added to the error handler so you will be informed of all other errors that may occur. You may want to configure PHP to log errors in order to see them.