php prepared statement (INSERT not working)
Question
I'm trying to use prepared stmt to avoid sql injection and it is not working. I've surrounded my code with some alert statements to know where the problem is. It is at the bind_param statement. Everything after never executes. Hope I can find some help!
Been searching for an answer for the last 3 hours nothing have solved it so far. PS the table has 6 columns. one id that auto increments, and the rest is as u can see form the code
$db = new PDO("mysql:port=3302;dbname=thedoctors", "root", "");
$Data = $_POST["post"];
$postData = $db->quote($_POST["post"]); //user's post
$user = $db->quote($_SESSION["user"]); //user's email
$stmt = $db->prepare("INSERT INTO post (body,timee,likes,comments,userem) VALUES (?, NOW(), ?, ?, ?);");
// set parameters and execute
$first = ".$postData.";
$like = 0;
$comment = 0;
$stmt->bind_param("siis", $first, $like, $comment, $user);
echo "<script>alert('hello');</script>";
// $result = $stmt->get_result();
// header("location:activity.php");
if (strlen($Data) > 3000 || strlen($Data) < 1) {
echo "<script>alert('Make sure your post is of correct length!');</script>";
} else {
$stmt->execute();
echo "<script>alert('Post uploaded! You can check it in your profile!');</script>";
}
1 answers
solution1
1 ACCPTED 2019-04-28 10:27:38
As you are using PDO not mysqli interface you need to use named parameters in SQL query like exlained here: https://www.php.net/manual/en/pdo.prepare.php
Currently you are relying on bind_param which is a method on mysqli interface.
Based on PDO docs:
<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
Additionally I would recommend to use bindValue to make it more explicit that you are setting some values to placeholders like this:
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindValue(':calories', $calories, PDO::PARAM_INT);
$sth->bindValue(':colour', $colour, PDO::PARAM_STR);
$sth->execute();
?>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.