Reputation: 122
php prepared statement (INSERT not working)
I'm trying to use prepared stmt to avoid sql injection and it is not working. I've surrounded my code with some alert statements to know where the problem is. It is at the bind_param statement. Everything after never executes. Hope I can find some help!
Been searching for an answer for the last 3 hours nothing have solved it so far. P.S the table has 6 columns. one id that auto increments, and the rest is as u can see form the code
$db = new PDO("mysql:port=3302;dbname=thedoctors", "root", "");
$Data = $_POST["post"];
$postData = $db->quote($_POST["post"]); //user's post
$user = $db->quote($_SESSION["user"]); //user's email
$stmt = $db->prepare("INSERT INTO post (body,timee,likes,comments,userem) VALUES (?, NOW(), ?, ?, ?);");
// set parameters and execute
$first = ".$postData.";
$like = 0;
$comment = 0;
$stmt->bind_param("siis", $first, $like, $comment, $user);
echo "<script>alert('hello');</script>";
// $result = $stmt->get_result();
// header("location:activity.php");
if (strlen($Data) > 3000 || strlen($Data) < 1) {
echo "<script>alert('Make sure your post is of correct length!');</script>";
} else {
$stmt->execute();
echo "<script>alert('Post uploaded! You can check it in your profile!');</script>";
}
Upvotes: 1
Views: 904
Answers (1)
Reputation: 917
As you are using PDO not mysqli interface you need to use named parameters in SQL query like exlained here: https://www.php.net/manual/en/pdo.prepare.php
Currently you are relying on bind_param which is a method on mysqli interface.
Based on PDO docs:
<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
Additionally I would recommend to use bindValue to make it more explicit that you are setting some values to placeholders like this:
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindValue(':calories', $calories, PDO::PARAM_INT);
$sth->bindValue(':colour', $colour, PDO::PARAM_STR);
$sth->execute();
?>
Upvotes: 1
Related Questions
- INSERT not working with PDO prepared statement
- MySQLi prepared insert statement fails
- PHP MySQLi prepared statement not inserting data into table
- INSERT INTO SQL php Function does not work
- Mysqli Prepare Statement Insert Not Inserting
- broken prepared statement for insert
- PHP mysqli prepared insert statement fails
- MYSQLi prepared insert not working..
- PHP: cannot INSERT into MYSQL table using PDO
- MySQLi Prepare Statement not Inserting into Database Table