CODEWITHSUNDEEP
phpmysqlmysqli
adshocker
adshocker

Reputation: 65

mysqli does not save to my database

I need help in my PHP code running MySQL.

For my stored procedure in MySQL, I have the following:

create procedure register ( out userid              int
                           ,in username             varchar(30)
                           ,in unencryptedpassword  varchar(100)
                           ,in description          varchar(100)
                           ,in emailaddress         varchar(100) )
begin
  declare salt char(25);
  declare createdById int;
  declare createdDate datetime;
  declare lastUpdatedById int;
  declare lastUpdatedDate datetime;
  set salt = 'abcdefghijklmnopqrstuvwxy';
  set createdById = -1;
  set createdDate = now();
  set lastUpdatedById = -1;
  set lastUpdatedDate = now();
  insert into Users ( userId
                    , userName
                    , encryptedPassword
                    , description
                    , emailAddress
                    , createdById
                    , createdDate
                    , lastUpdatedById
                    , lastUpdatedDate ) 
             values ( null
                    , username
                    , password(concat(username, salt, unencryptedpassword))
                    , description
                    , emailAddress
                    , createdById
                    , createdDate
                    , lastUpdatedById
                    , lastUpdatedDate );
  set userid = last_insert_id();
  commit;
end;
/

For my register.php page, I have the following:

<?php
$host="localhost";
$db="mydb";
$uname="myuser";
$pword="mypass";

$firstname=$_POST["firstname"];
$lastname=$_POST["lastname"];
$emailaddress=$_POST["emailaddress"];
$newpassword=$_POST["newpassword"];

$mysqli = new mysqli( $host, $uname, $pword, $db );
$res = $mysqli->multi_query( "call register(@userid,$emailaddress,$newpassword,$firstname,$emailaddress)" );
$mysqli->close();

$_SESSION["sessionId"] = 1;
?>

Problem is it never gets inserted into my database. Can anyone help me with this.

Thanks.

Upvotes: 1

Views: 676

Answers (1)

Marc B
Marc B

Reputation: 360632

Any reason you're using multi_query? You're only executing the one 'call' query. And it's chock full of SQL injection vulnerabilities, since you're not escaping any of those 4 values you pull from the _POST array.

mysql_multi_query returns boolean FALSE if the first query in the call fails. You should check $res for that:

$res = $mysqli->multi_query(...);
if ($res === FALSE) {
   die("Mysql error: " . $mysqli->error);
}

Upvotes: 1

Related Questions