PHP PDO quote() returning error

[HDFilmMaker2112]

The PDO quote() function is returning an error for me, lost as to why.

 

Fatal error: Call to a member function quote() on a non-object

else{
$register_name ="$register_fname $register_lname";
$register_birthday ="$register_year - $register_month - $register_day";
$register_date=date('Y-m-d H:i:s');

SafePDOCOE(db_name);

		$quoted_account_type = $DB->quote($register_account_type);
		$quoted_email = $DB->quote($register_email);
		$quoted_fname = $DB->quote($register_fname);
		$quoted_lname = $DB->quote($register_lname);
		$quoted_name = $DB->quote($register_name);
		$encoded_password = kam3($register_password);
		$quoted_gender = $DB->quote($register_gender);
		$quoted_birthday = $DB->quote($register_birthday);
		$quoted_membership_type = $DB->quote($register_membership_type);

	try{
			$DB->beginTransaction();
			$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)
			VALUES ($quoted_email, $encoded_password, '1', $quoted_name, $quoted_membership_type, $register_date)");
			$userid = $DB->lastInsertId();
			$DB->query("INSERT INTO user_profile (user_id, birthday, gender, first_name, last_name) 
			VALUES ($userid, $quoted_birthday, $quoted_gender, $quoted_fname, $quoted_lname)");
			$DB->commit();
	echo "Data Entered.";
	}
	catch(PDOException $e){
	$DB->rollBack();
	echo "Query Error: ". $e->getMessage();
	}
}

 

All the variables I'm quoting are coming from a form.

 

 

Here's the function:

 

function SafePDOCOE($dbname){
$DBconnect = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass");
return $DBconnect;
}

 

Should I be using $DBconnect instead of $DB? $DB is used in the SafePDO class. (EDIT: Tried changing the variable in the function to $DB, not the issue. Still have the same problem.)

[silkfire]

Remind me again why you're using the quote function with PDO?

[HDFilmMaker2112]

Remind me again why you're using the quote function with PDO?

 

Because you need to escape incoming user submitted data when not using prepared statements. I have no reason to use prepared statements; as I'm not iterating through anything that would cause the need for duplicate queries (the point of prepared statements). Not to mention prepared statements are approximately 2 to 3 times slower than quoted/regular queries via PDO (when running single queries, multiple queries are faster). Honestly, in this specific situation, if it weren't for the transaction features of PDO, I'd actually use MySQLi.

[scootstah]

MySQLi supports transactions as well.

 

However, the error you are getting implies that $DB is not a PDO object.

[HDFilmMaker2112]

MySQLi supports transactions as well.

I know, but it actually requires dealing directly with MySQL to control the transactions (as far as I know), PDO has them on the PHP side of things. Easier to use in my opinion. I know there's commit and rollback controls, but how do you start a transaction? Is it simply just running the first query?

 

However, the error you are getting implies that $DB is not a PDO object.

 

Alright; well here's the class/functions I'm using.

 

class SafePDO extends PDO {

        public static function exception_handler($exception) {
            // Output the exception details
            die('Uncaught exception: '. $exception->getMessage());
        }

        public function __construct($dsn, $username='', $password='', $driver_options=array()) {

            // Temporarily change the PHP exception handler while we . . .
            set_exception_handler(array(__CLASS__, 'exception_handler'));

            // . . . create a PDO object
            parent::__construct($dsn, $username, $password, $driver_options);

            // Change the exception handler back to whatever it was before
            restore_exception_handler();
        }

}

class SafePDO_errordisplay extends SafePDO {

public function connect_db($dsn, $username='', $password='', $driver_options=array()){

	parent::__construct($dsn, $username, $password, $driver_options);
		try {
		$DB = new SafePDO($dsn, $user, $password, $driver_options);
		}
		catch (PDOException $e) {
		echo 'Connection failed: ' . $e->getMessage();
		}
}
}
// Connect to the database
function SafePDOPersist($dbname){
$DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass", array(PDO::ATTR_PERSISTENT => true));
return $DB;
}

function SafePDOCOE($dbname){
$DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass");
return $DB;
}

 

Then on my page, it's called simply as:

 

SafePDOCOE(db_name);

 

[silkfire]

Where do you ever define $DB?

 

And SafePDOCOE(db_name);

 

Shouldn't that be written as $DB = SafePDOCOE(db_name);, I mean it returns something, right?

[HDFilmMaker2112]

Where do you ever define $DB?

 

And SafePDOCOE(db_name);

 

Shouldn't that be written as $DB = SafePDOCOE(db_name);, I mean it returns something, right?

 

100% right. Literally just caught that 5 seconds before you posted.

 

 

Now it did submited some of the data to the database, but it only did so with the second query. It didn't insert the birthday, and also missed the user_id (but that of course because the first query wasn't run). Shouldn't the rollback control have fired seeing as how nothing was submitted to the first query?

 

$register_name ="$register_fname $register_lname";
$register_birthday ="$register_year - $register_month - $register_day";
$register_date=date('Y-m-d H:i:s');

$DB = SafePDOCOE('zyquo_emotico');

		$quoted_account_type = $DB->quote($register_account_type);
		$quoted_email = $DB->quote($register_email);
		$quoted_fname = $DB->quote($register_fname);
		$quoted_lname = $DB->quote($register_lname);
		$quoted_name = $DB->quote($register_name);
		$encoded_password = kam3($register_password);
		$quoted_gender = $DB->quote($register_gender);
		$quoted_birthday = $DB->quote($register_birthday);
		$quoted_membership_type = $DB->quote($register_membership_type);

	try{
			$DB->beginTransaction();
			$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)
			VALUES ($quoted_email, $encoded_password, '1', $quoted_name, $quoted_membership_type, $register_date)");
			$userid = $DB->lastInsertId();
			$DB->query("INSERT INTO user_profile (user_id, birthday, gender, first_name, last_name) 
			VALUES ($userid, $quoted_birthday, $quoted_gender, $quoted_fname, $quoted_lname)");
			$DB->commit();
	echo "Data Entered.";
	}
	catch(PDOException $e){
	$DB->rollBack();
	echo "Query Error: ". $e->getMessage();
	}

[HDFilmMaker2112]

Got the birthday working. It had the months as words, not to be converted to Unix time stamp with strtotime() and then into the proper format with date().

 

Still not understanding the first query though.

[silkfire]

Yeah that was pretty obvious mate

 

You need quotes around your variables. Non-qoutes only work with numbers:

 

$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)

VALUES ('$quoted_email', '$encoded_password', '1', '$quoted_name', '$quoted_membership_type', '$register_date')");

[scootstah]

Yeah that was pretty obvious mate

 

You need quotes around your variables. Non-qoutes only work with numbers:

 

$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)

VALUES ('$quoted_email', '$encoded_password', '1', '$quoted_name', '$quoted_membership_type', '$register_date')");

 

Shouldn't PDO::quote be adding the quotes?

[HDFilmMaker2112]

Tried adding the quotes, no luck. And just to note, I have echoed out those variables, and they do have values in them.

[silkfire]

Yeah that was pretty obvious mate

 

You need quotes around your variables. Non-qoutes only work with numbers:

 

$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)

VALUES ('$quoted_email', '$encoded_password', '1', '$quoted_name', '$quoted_membership_type', '$register_date')");

 

Shouldn't PDO::quote be adding the quotes?

It only escapes any existing quotes, doesn't add them =)

[silkfire]

Do you have errors enabled?

[HDFilmMaker2112]

Query Error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10:22:47)' at line 2

 

 

Looks like it's the join_date time. It's wrapped in parenthesis, and I'm not quoting that. So that could be the entire issue.

 

EDIT: That would indeed have been it. Now working. Thanks for the help.

[scootstah]

Yeah that was pretty obvious mate

 

You need quotes around your variables. Non-qoutes only work with numbers:

 

$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)

VALUES ('$quoted_email', '$encoded_password', '1', '$quoted_name', '$quoted_membership_type', '$register_date')");

 

Shouldn't PDO::quote be adding the quotes?

It only escapes any existing quotes, doesn't add them =)

 

From the manual:

PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver.

 

Also I just tested it and it does in fact add the quotes, at least for MySQL.

[HDFilmMaker2112]

.........