i`m trying to make a login form using prepare statements, but the code is includin in my sql only zeros in the fields here is my code, thank you for helping me!
$con=mysqli_connect('localhost','mupcku', '123', 'dbproject');
mysqli_set_charset($con, 'utf8');
if(!$con){
echo mysqli_connect_error($con);
echo 'Cannot connect to database!';
exit;
}
$sql="INSERT INTO users (user_name, pass) VALUES (user_name=?, pass=?)";
$stmt=mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, 'ss', $username, $pass);
mysqli_stmt_execute($stmt);
if(!$stmt){
echo 'Грешка!';
die(mysqli_error($stmt));
}
This is the error which i can see Warning: mysqli_stmt_bind_param() expects parameter 1 to be mysqli_stmt, boolean given in C:\xampp\htdocs\dbproject\reg.php
Also i use this
if(isset($_POST['username']) && isset($_POST['pass'])){
$username= trim($_POST['username']);
$pass= trim($_POST['pass']);
to assign values.
Related
How do I insert the following string into MySQL:
$myValue ouputs: [Hey, this is a multi text file that has special characters like this ' and this '' and this ,,"", and this ''' and this '''' and this !#$ and whatever]
But the following will not work because of special characters:
$sql = "UPDATE `mytable` SET NEWS=('$myValue') WHERE _id='1'";
I do not want to manually escape every character (like adding an ' before every ')
Update/Insert should should start at [ and end at ] (as seen in $myValue)
EDIT (mysqli)
$_myValue = mysqli_real_escape_string($myValue);
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "UPDATE `mytable` SET NEWS='$_myValue' WHERE _id='1'";
if ($conn->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
From the syntax of your code I assume that php is used to submit the queries to mysql.
If you just want to escape special characters in a string variable passed to a field, then use
PDO::quote() (if you use PDO)
mysqli_real_escape_string() (if you use mysqli)
mysql_real_escape_string() (if you use mysql, although you should not)
If you are looking for a more generic solution gainst sql injection, then consider using prepared statements. See this landmark SO topic on how to prevent SQL injection in php-mysql environment.
If your using php you could look at using PDO;
$conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
$sql = "UPDATE `mytable` SET NEWS=:myValue WHERE _id=1";
$st = $conn->prepare( $sql );
$st->bindValue(":myValue", $myValue, PDO::PARAM_STR);
$st->execute();
This will input all the data stored in $myValue. I would look at sanatising the input too.
define('DB_NAME','swiftx');
define('DB_USER','root');
define('DB_PASSWORD','123456');
define('DB_HOST','localhost');
if (isset($_POST['submit'])){
$connection = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD);
if (!$connection) {
die("Database connection failed: " . mysqli_error());
}else{
echo("Database Connected");
}
// 2. Select a database to use
$db_select = mysqli_select_db($connection, DB_NAME);
if (!$db_select) {
die("Database selection failed: " . mysqli_error());
}
$value = $_POST['name'];
$value2 = $_POST['attendance'];
$sql = "INSERT INTO people (Name,Email) VALUES ('$value','$value2')";
if(!mysqli_query($sql)){
die ("ERROR:". mysqli_error()); //error here <<<<<<<<
}
}
mysqli_close($connection);
why is mysql returing error "mysqli_query() expects at least 2 parameters"
i am following a website tutorial , i double check again and again , i have done noting wrong , can anyone help me fix it ? i have no idea what i doing wrong.
for mysqli_query() we need to pass two parameters
$query
$link_identifier
in your case $query is $sql and $link_identifier is $connection..it mean you need to use mysqli_qeury() in this way
mysqli_query($sql, $connection)
Your error "mysqli_query() expects at least 2 parameters" is pretty self-explanatory. It expects two parameters you are giving just one.
Try this:
if(!mysqli_query( $connection, $sql) ){
I have been trying to get this code to update, and it just will not work. I've been re-reading it and looking at other examples for hours and need some help to get this to work. It is a basic UPDATE script for a membership table in mysql database. I have mysql version 5.0.91. Nothing I have tried is working. When uploaded and tested in browser, returns echo "update query failed" I bolded the part where it is failing. I just can't find out why. When I check mysqladmin, the table is not updated.
$host="mysqlhost"; // Host name
$username="mysqlusername"; // Mysql username
$password="mysqlpassword"; // Mysql password
$db_name="mydbname"; // Database name
$tbl_name="brothers"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$mymname=$_POST['mymname'];
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myconfirmpassword=$_POST['myconfirmpassword'];
$mysnumber=$_POST['mysnumber'];
$myemail=$_POST['myemail'];
if ($mypassword !== $myconfirmpassword) {
die ("passwords do not match. Try again!");
if (isset($_COOKIE['fname'])) {
$myfname = ($_COOKIE['fname']);
}
else {
die('could not find cookie fname');
}
if (isset($_COOKIE['lname'])) {
$mylname = ($_COOKIE['lname']);
}
else {
die('could not find cookie lname');
}
$sql="SELECT * FROM $tbl_name WHERE fname='$myfname' AND lname='$mylname'";
$result=mysql_query($sql)or die("no sql");
while($row = mysql_fetch_array($result))
{
$fname=$row['fname'];
if (!$fname) {
die('variable not received');
}
$lname=$row['lname'];
$position=$row['position'];
$committee=$row['committee'];}
if($mypassword==$myconfirmpassword) {
$query= "UPDATE brothers
SET `mname`='$mymname' WHERE `fname` ='$fname'";
$chechresult= mysql_query($query) or die (mysql_error());
if (!$checkresult) echo 'update query failed';
elseif ($checkresults) {
echo'update query success';
setcookie('position', $position, time()+86400,'/');
setcookie('committee', $committee, time()+86400,'/');
$headsuccess=header( "location:done_registration.php");
$headsuccess;
if (!$headsuccess) {
die('Could not redirect success registration'); }
}
}
else{
$headlogin=header( "location:error_registration.php");
$headlogin;
if (!$headlogin) {
die('Could not redirect registration error'); }
}
$chechresult= mysql_query($query) or die (mysql_error());
if (!$checkresult) echo 'update query failed';
you misspelled "k" with "h" in "$chechresult="
Try to print $query string that contains the UPDATE order and after execute it in mysql console.
You've misspelled $chechresult - should be $checkresult; also, $fname should be $myfname!
It is probably worth echoing out $query to the screen, and trying that directly in your database - either on your console or in phpMyAdmin. Since $fname is empty (wrong var) your WHERE clause is wrong; at a guess it is affecting zero rows, and so is executing correctly.
Bear in mind that you have some SQL injection security issues in this code - make sure you escape your values before adding them to a query. Better yet, if you upgrade to PDO, you can use parameterisation, which will do the escaping for you.
So I'm getting this error:
Error: Column count doesn't match value count at row 1
(Very common, and I've checked through google, and my issue is that most of the issues are actual comlumn mismatches as it describes)
My location table has "user", "latitude", "longitude", "posttext", user and posttext are both varchar, and lat and long are int. For the time being, I'm just trying to insert values with user and posttext values. I've taken the query out of my php, and run it in the SQL part of phpmyadmin and it runs fine, so I'm not sure why I'm getting the error.
A php form supplies the post data from text boxes, and this is the php processing code:
<?php
error_reporting(E_ALL);
$username = $_POST['user'];
$textToPost = $_POST['textToPost'];
$con = mysql_connect("127.0.0.1","*","*");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("test");
$sql= "INSERT INTO location(user, posttext)
VALUES ('.$username.,.$textToPost.')";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
echo $username;
echo $textToPost;
?>
So I'm hoping it's a very basic syntax error on my part, but could someone help?
You're missing some quotes:
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Shouldn't the query be like this?
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Try with
$sql= "INSERT INTO location(user, posttext)
VALUES ('".$username."','".$textToPost."')";
Remember you MUST always sanitize user input before using it in a query!!
It could be better using prepared statements...
Whenever I try to insert data into my database 'users' I always get a blank page. It doesn't give me any errors, it doesn't include 'mainmenu.php', or return any feedback what so ever. Can someone help me out? Here is the code:
<?php
include("mainmenu.php");
$con = mysql_connect("localhost", "root", "*********");
if (!$con) {
die('Connection failure.' . mysql_error());
}
//Variable def
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$usrname = $_POST['usrname'];
$password = $_POST['password'];
mysql_select_db("users",$con) or die(mysql_error());
mysql_query("INSERT INTO data (usrname, fname, lname, password, email) VALUES ($usrname, $fname, $lname, $password, $email)") or die(mysql_error());
mysql_close($con)
echo("Thank you for registering!")
?>
It looks right to me.
don't you getting any syntax error?
first
mysql_close($con)
echo("Thank you for registering!")
change to
mysql_close($con);
echo("Thank you for registering!");
second, please quote your $_POST and escape it properly
read this - Escaping single quote in PHP when inserting into MySQL)
No errors? Add this at the top of the script:
<?php
error_reporting( E_ALL );
ini_set( 'display_errors', 1 );
First of all: Strings need delimiting:
mysql_query("INSERT INTO data (usrname, fname, lname, password, email) VALUES ('$usrname', '$fname', '$lname', '$password', '$email')";
Second: never ever pass un-checked user data into a database query. Use mysql_real_escape_string() on each value first.
mysql_query("INSERT INTO data (usrname, fname, lname, password, email) VALUES ($usrname, $fname, $lname, $password, $email)") or die(mysql_error());
Use this instead
$insert_sql = sprintf("INSERT INTO users (usrname, fname, lname, password, email) " .
"VALUES ('%s' ,'%s', '%s', '%s', %d); ",
mysqli_real_escape_string($conn, $usrname),
mysqli_real_escape_string($conn, $fname),
mysqli_real_escape_string($conn, $lname),
mysqli_real_escape_string($conn, md5($password)),
mysqli_real_escape_string($conn, $email),
mysqli_insert_id($conn));
Then Query The Above String
mysqli_query($conn, $insert_sql);
Then a Conditionals
if($insert_sql){
$usrname = $_SESSION['user_id'];
//url.ext e.g could be "home.php" or "you.html"
//header is used for redirecting a page
header("Location: url.ext");
}else{
$msg = "error inserting";
header("Location: " . $_SERVER['HTTP_REFERER'] . "?Message= ". $msg );
}