kevwood, posted February 19, 2015

Hello all,

I am trying to set up parameterised queries to prevent SQL injection from an HTML form when adding data to my database. I have been doing some reading on the W3Schools website about it. I tried to combine the code I have been looking at with my insert request, but with no joy. Here is the code I was looking at:

```php
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName, Address, City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();
```

And here is the code I have created from the code I was looking at above:

```php
<?php
$name      = $_POST['name'];
$desc      = $_POST['description'];
$price     = $_POST['price'];
$image     = $_POST['image'];
$prod_type = $_POST['prod_type'];
$made      = $_POST['made'];
$dist      = $_POST['distribute'];

$servername = "mysql5.000webhost.com";
$db         = "a6382499_product";
$user_name  = "a6382499_sonic";
$password   = "phpfreaks1";
global $conn;

// create connection to db
try {
    $conn = new PDO("mysql:host=$servername;$db", $user_name, $password);
    // PDO error mode set to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected to database";
}
// Set variable to catch error created
catch (PDOException $error) {
    echo "Connection failed: " . $error->getMessage();
}

try {
    $stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE) VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)");
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':desc', $desc);
    $stmt->bindParam(':price', $price);
    $stmt->bindParam(':image', $image);
    $stmt->bindParam(':prod_type', $prod_type);
    $stmt->bindParam(':made', $made);
    $stmt->bindParam(':dist', $dist);
    $stmt->execute();
    echo "New record added";
} catch (PDOException $error) {
    echo $error->getMessage();
}
?>
```

The error message I am getting is:

```
Fatal error: Call to a member function prepare() on a non-object in /home/a6382499/public_html/insert.php on line 32
```

And line 32 in the code is:

```php
$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
```

Any help would be much appreciated.
Barand, posted February 19, 2015

```php
$conn = new PDO("mysql:host=$servername;$db", $user_name, $password);
$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
```

Your PDO object is `$conn`.
Psycho, posted February 19, 2015

Edit: Barand beat me to it, but I'm going to post anyway.

The error is pretty self explanatory. You are trying to execute a function called `prepare` on an object, but the object doesn't exist:

```php
$stmt = $db->prepare();
```

`$db` is not an object; it is only a string:

```php
$db = "a6382499_product";
```

Looks like `$conn` is your db object.
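A corrected version of the insert, added here as an example rather than taken from the thread: it keeps the table, columns and POST fields from the question, assumes PHP 7 or later, and uses placeholder credentials in place of the ones posted.

```php
<?php
// Added example (not the poster's code). Same table/columns/POST fields as the question.
declare(strict_types=1);

$servername = "mysql5.000webhost.com";
$db         = "a6382499_product";
$user_name  = "YOUR_DB_USER";      // placeholder: never hard-code real credentials in a web root
$password   = "YOUR_DB_PASSWORD";  // placeholder

try {
    // The DSN needs "dbname=", and the PDO object is $conn, not the string $db.
    $conn = new PDO(
        "mysql:host=$servername;dbname=$db;charset=utf8mb4",
        $user_name,
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
        ]
    );

    // Every user-supplied value travels as a bound parameter, never inside the SQL
    // string itself, so the database cannot interpret it as SQL syntax.
    $stmt = $conn->prepare(
        "INSERT INTO Products (NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
         VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)"
    );
    $stmt->execute([
        ':name'      => $_POST['name']        ?? '',
        ':desc'      => $_POST['description'] ?? '',
        ':price'     => $_POST['price']       ?? '',
        ':image'     => $_POST['image']       ?? '',
        ':prod_type' => $_POST['prod_type']   ?? '',
        ':made'      => $_POST['made']        ?? '',
        ':dist'      => $_POST['distribute']  ?? '',
    ]);
    echo "New record added";
} catch (PDOException $error) {
    // Keep the detail in the server log; do not echo SQL or connection errors to the browser.
    error_log($error->getMessage());
    echo "Could not save the product.";
}
```

Passing the values to `execute()` as an array does the same job as the seven `bindParam()` calls in the question, with less room to misspell a placeholder.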
kevwood (author), posted February 20, 2015

Thanks for the replies. I thought the prepare was a function or predefined statement within MySQL, lol. It has been a long time since I messed about with any of this. Who do I give the best answer to, haha?