kevwood
Posted February 19, 2015

Hello all, I am trying to set up parameterised queries to prevent SQL injection from an HTML form when adding data to my database. I have been doing some reading on the W3Schools website about it. I tried to combine the code I had been looking at with my insert request, but with no joy. Here is the code I was looking at:

```php
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName, Address, City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();
```

And here is the code I have created from the code above:

```php
<?php
$name      = $_POST['name'];
$desc      = $_POST['description'];
$price     = $_POST['price'];
$image     = $_POST['image'];
$prod_type = $_POST['prod_type'];
$made      = $_POST['made'];
$dist      = $_POST['distribute'];

$servername = "mysql5.000webhost.com";
$db         = "a6382499_product";
$user_name  = "a6382499_sonic";
$password   = "phpfreaks1";
global $conn;

// create connection to db
try {
    // the DSN needs dbname= in front of the database name
    $conn = new PDO("mysql:host=$servername;dbname=$db", $user_name, $password);
    // PDO error mode set to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected to database";
}
// catch any connection error
catch (PDOException $error) {
    echo "Connection failed: " . $error->getMessage();
}

try {
    $stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE) VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)");
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':desc', $desc);
    $stmt->bindParam(':price', $price);
    $stmt->bindParam(':image', $image);
    $stmt->bindParam(':prod_type', $prod_type);
    $stmt->bindParam(':made', $made);
    $stmt->bindParam(':dist', $dist);
    // PDOStatement has execute(), not exec()
    $stmt->execute();
    echo "New record added";
} catch (PDOException $error) {
    echo $error->getMessage();
}
?>
```

The error message I am getting is:

```
Fatal error: Call to a member function prepare() on a non-object in /home/a6382499/public_html/insert.php on line 32
```

and line 32 in the code is:

```php
$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
```

Any help would be much appreciated.
Barand (Solution)
Posted February 19, 2015 (edited)

```php
$conn = new PDO("mysql:host=$servername;$db", $user_name, $password);
$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
```

Your PDO object is $conn.

Edited February 19, 2015 by Barand
Psycho
Posted February 19, 2015

Edit: Barand beat me to it, but I'm going to post anyway.

The error is pretty self-explanatory. You are trying to execute a function called prepare on an object, but the object doesn't exist:

```php
$stmt = $db->prepare();
```

$db is not an object; it is only a string:

```php
$db = "a6382499_product";
```

Looks like $conn is your db object.
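Putting both replies together (the PDO object is $conn; $db is only the database name string), here is the OP's insert with that fix applied, as an added example rather than code from the thread. Host, database name and credentials are placeholders, and the dbname= in the DSN and the execute() call are corrections to the posted code that the replies did not cover.

```php
<?php
// Added example, not the thread's own code: the OP's insert rewritten so the
// prepared statement is created on the PDO object ($conn), not on the database
// name string ($db). Host, database and credentials below are placeholders.
$servername = 'localhost';          // placeholder host
$db         = 'example_db';         // placeholder database name (a string, not a connection)
$user_name  = 'example_user';       // placeholder user
$password   = 'example_password';   // placeholder password

try {
    // dbname= is required in the DSN; the OP's "mysql:host=...;$db" omits it.
    $conn = new PDO(
        "mysql:host=$servername;dbname=$db;charset=utf8mb4",
        $user_name,
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: values travel separately from the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
} catch (PDOException $e) {
    // Log the detail server-side; the message can reveal host and user names.
    error_log('DB connection failed: ' . $e->getMessage());
    exit('Database unavailable');
}

// Map form fields to placeholders; a missing field becomes null instead of a notice.
$fields = ['name', 'description', 'price', 'image', 'prod_type', 'made', 'distribute'];
$params = [];
foreach ($fields as $f) {
    $params[':' . $f] = isset($_POST[$f]) ? $_POST[$f] : null;
}

try {
    // prepare() is a method of the PDO connection object, so it is called on $conn.
    $stmt = $conn->prepare(
        'INSERT INTO Products (NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
         VALUES (:name, :description, :price, :image, :prod_type, :made, :distribute)'
    );
    // execute() (not exec()) runs a PDOStatement; the array binds every placeholder.
    $stmt->execute($params);
    echo 'New record added';
} catch (PDOException $e) {
    error_log('Insert failed: ' . $e->getMessage());
    exit('Could not save record');
}
```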
kevwood (Author)
Posted February 20, 2015

Thanks for the replies. I thought the prepare was a function or predefined statement within MySQL lol. It has been a long time since I messed about with any of this. Who do I give the best answer to haha.