PHP - MYSQL Prepared Statement Error

[grahamb314]

I've decided to move over to using Prepared statements for security purposes, however I'm having problems with the following code.

 

Any help or suggestions would be appreciated

 

Output:

 

You are Logged In 

Fatal error: Call to a member function bindParam() on a non-object in [b]xxxxxxx[/b]/login.php on line 34

 

Code:

<?php
include "functions.php";
$db_connection = db_connect();
$db_connection2 = db_connect();

$login_statement = 			$db_connection->prepare("SELECT COUNT(*) AS accounts FROM `accounts` WHERE `email` = ? AND `password` = ?");
$test_stmt =		 		$db_connection2->prepare("INSERT INTO `test` (`test`) VALUES (:tst)");



login($_POST[email],$_POST[password],$login_statement);
log_login($test_stmt);

function login($email,$password,$login_statement){

$login_statement->bind_param("ss", $email, $password);
$login_statement->bind_result($accounts);
$login_statement->execute() or die ("Could not execute statement");

while ($login_statement->fetch()) { 

	if ($accounts==1){
		echo "<br/> You are Logged In <br/>";
	}

	else{
		echo "<br/>Credentials Invalid<br/>";	
    	} 
}
}

function log_login($test_stmt){

$test_stmt->bindParam(':tst', $tst);  //< ********LINE 34*******
$tst="blah";
$test_stmt->execute()  or die ("Could not execute statement");
}
?>

[fenway]

That's a php error from a DB class -- no idea.

[DavidAM]

"Call to a member function ... on a non-object" means the object you used to call the method is NOT actually an object. In your case, $test_stmt is NOT an object. This means the call to $db_connection2->prepare() failed to return an object, which implies that there is something wrong with the query string.

 

As far as I know, the parameters you want to bind to are indicated by a "?" -- of course, I don't use prepared statements much, so I'm not 100% sure, but I don't think ":tst: is a valid parameter for binding.

 

Also, you are binding a variable that you do not define until AFTER the bind. I don't know if this works or not, but I would define the variable BEFORE binding it.

 

By the way, I don't know any reason that you need two database connections, unless they are separate servers. I would think you could do all of this on a single connection.

 

[PFMaBiSmAd]

I don't see any use of the ->stmt_init(); method to create either $login_statement or $test_stmt.

 

Ref: http://us3.php.net/manual/en/mysqli-stmt.prepare.php

 

[mikosiko]

PFM...

 

I don't see any use of the ->stmt_init(); method to create either $login_statement or $test_stmt.

Ref: http://us3.php.net/manual/en/mysqli-stmt.prepare.php

 

I haven't found a clear explanation in the documentation, but this 2 pieces of code are equivalents:

 

     $mysqli = new mysqli(.....);
     $stmt =  $mysqli->stmt_init();   //Initializes a statement and returns an object for use with mysqli_stmt_prepare
     $stmt->prepare($sql_query);  // $sql_query a valid prepared sql sentence
     etc..etc

 

// No using ->stmt_init() explicitly
   $mysqli = new mysqli(.....);
   $stmt =  $mysqli->prepare($sql_query);  // Prepare the statement to execute  ($stmt initialization implicit... doesn't seems to be clearly documented)
   $stmt->prepare($sql_query);
   etc..etc

 

I have been using both method for some time without any problem... my tendency is to use the 2nd just for simplicity, but maybe is a better practice to use the method 1.

 

[grahamb314]

Just using the one connection solved this issue.

I had two for checking something earlier and never bothered to change the ocde back to using the one. Perhaps the mysql service had reached it's maximum number of permitted connections or something?

 

Anyhow, the problem no longer exists.

 

Thanks for all your help