SalientAnimal Posted January 19, 2015

Hi All,

I need some help with my forms submit page. I can not understand why I am getting the error message saying:

```
Notice: Undefined variable: stmt in C:\mydirectory\process\submit_sales_retentions.php on line 84
Fatal error: Call to a member function close() on a non-object in C:\mydirectory\process\submit_sales_retentions.php on line 84
```

```php
<?php
include_once '../includes/db_connect.php';
include_once '../includes/functions.php';
include_once '../includes/formatting.php';

ini_set('display_errors',1);
error_reporting(E_ALL);

if (isset(
    $_POST['username']
    , $_POST['sales_reference']
    , $_POST['msisdn']
    , $_POST['sale_type']
)) {
    // SANITIZE AND VALIDATE THE DATA BEING PROCESSED BY THE FORM
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $sales_reference = filter_input(INPUT_POST, 'sales_reference', FILTER_SANITIZE_STRING);
    $msisdn = filter_input(INPUT_POST, 'msisdn', FILTER_SANITIZE_STRING);
    $sale_type = filter_input(INPUT_POST, 'sale_type', FILTER_SANITIZE_STRING);

    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    if (empty($error_msg)) {
        // INSERT THE NEW FOR INFORMATION INTO THE DATABASE TABLE
        if ($insert_stmt = $mysqli->prepare("
            INSERT INTO usr_retentions_sales
            (
                username
                , sales_reference
                , msisdn
                , sale_type
            )
            VALUES (?, ?, ?, ?)")) {
            $insert_stmt->bind_param(
                'ssss'
                , $username
                , $sales_reference
                , $msisdn
                , $sale_type
            );

            // EXECUTE THE PREPARED QUERY
            if (! $insert_stmt->execute())
            //PRINT THE NUMBERS OF ROWS THAT HAVE BEEN AFFECTED
            {
                header('Location: ../errors/errorduplicate.php?err=errormessage Error: Please note that you may only complete the form once.');
                exit;
            }
            include "../success/sales_retentions_success.php";
            exit;
        }

        /* CLOSE THE STATEMENT */
        $stmt->close();

        /* CLOSE THE CONNECTION */
        $mysqli->close();
    }
}
?>
```

Please can someone help with the cause of this error, and how to fix it, thanks.

SalientAnimal Posted January 19, 2015 (Author, Solution)

Please ignore my post... I have found my error. I had named my one column incorrectly in my table. I feel like a complete idiot.

Jacques1 Posted January 19, 2015

... and the $stmt variable obviously had the wrong name.

However, the real problem is that your error handling is broken. That's why you get those cryptic “non-objects” messages instead of a proper error description.

First of all, do not print internal MySQL errors on the screen (like in line 31). They are meant for you, the developer, not the general public. In fact, disclosing your technical issues will massively irritate legitimate users while helping attackers. Your users will wonder WTF is wrong with the site, and your attackers will know exactly what's wrong. So never just echo an internal message, not even for testing.

Secondly, you need to actually check for errors. It's definitely not a good idea to just keep going, because this causes weird consequential errors (as you can see) and may leave the application in a problematic state.

The old school way of error handling is to literally check the return value of every single function call. This is valid and was in fact the only option back in the days of the old MySQL extension. Nowadays, we can just turn on error reporting in the MySQLi driver:

```php
<?php

// turn on error reporting
$database_driver = new mysqli_driver();
$database_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

$database = new mysqli(...);
```

This will automatically throw an exception with all relevant information whenever a query fails. The exception will then be passed to the standard error handler which writes it to the log (in production) or prints it on the screen (during development).

Try it yourself:

```php
$database->query('SELECT idonotexist');
```

This will actually tell you that the column doesn't exist.
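
The two points from the answer above combined into one form handler, as an added example that is not part of the thread or any poster's code: MySQLi is set to throw exceptions, the detail goes to the server log, and the visitor only sees a generic message. The connection parameters, the `save_sale()` helper and the unique key on `usr_retentions_sales` are assumptions.

```php
<?php
// Added example, not code from the thread. Credentials are placeholders.
ini_set('display_errors', '0');  // production: visitors never see internals
ini_set('log_errors', '1');      // details go to the server error log

// Make MySQLi throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ER_DUP_ENTRY = 1062;       // MySQL errno for a unique-key violation

// Hypothetical helper: no return values to check, any failure throws.
function save_sale(mysqli $db, string $username, string $reference,
                   string $msisdn, string $saleType): void
{
    $stmt = $db->prepare(
        'INSERT INTO usr_retentions_sales
             (username, sales_reference, msisdn, sale_type)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $username, $reference, $msisdn, $saleType);
    $stmt->execute();
    $stmt->close();
}

$row = [];
foreach (['username', 'sales_reference', 'msisdn', 'sale_type'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit('Missing form field.');
    }
    $row[] = $_POST[$field];
}

try {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    save_sale($db, ...$row);
    include '../success/sales_retentions_success.php';
} catch (mysqli_sql_exception $e) {
    // Assumes the table has a unique key, as the "complete the form once" rule implies.
    if ($e->getCode() === ER_DUP_ENTRY) {
        header('Location: ../errors/errorduplicate.php');
        exit;
    }
    error_log('submit_sales_retentions: ' . $e->getMessage()); // for the developer
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.'; // for the visitor
}
```

With this in place, a misnamed column surfaces in the error log as an "Unknown column" message rather than as a later "non-object" failure.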

SalientAnimal Posted January 20, 2015 (Author)

Thanks for your answer here Jacques.

I'm a really small time developer and sometimes wonder if I will ever really get my head wrapped around things. But I keep trying and information like what you gave just takes me one step closer to getting a better understanding.

I know my code is not the prettiest and there is a lot that can be improved on. I just have to keep learning.

Thanks again.