parameterised queries


Solved by Barand

Hello all,

 

I am trying to set up parameterised queries to prevent SQL injection from an HTML form when adding data to my database. I have been doing some reading on the W3Schools website about it.

 

The code I have been looking at I tried to combine with my request to insert, but with no joy. Here is the code I was looking at:

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) 
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

And here is the code I have created from the code I was looking at above:

<?php

$name = $_POST['name'];
$desc = $_POST['description'];
$price = $_POST['price'];
$image = $_POST['image'];
$prod_type = $_POST['prod_type'];
$made = $_POST['made'];
$dist = $_POST['distribute'];

$servername = "mysql5.000webhost.com";
$db = "a6382499_product";
$user_name = "a6382499_sonic";
$password = "phpfreaks1";

global $conn;

// create connection to db
try {
	$conn = new PDO("mysql:host=$servername;$db", $user_name, $password);
// PDO error mode set to exception
	$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	echo "Connected to database";
}
// Set veriable to catch error created
catch(PDOException $error)
	{
	echo "Connection failed: " . $error->getMessage();
}

try{
	$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)  
	VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)");
	$stmt->bindParam(':name', $name);
	$stmt->bindParam(':desc', $desc);
	$stmt->bindParam(':price', $price);
	$stmt->bindParam(':image', $image);
	$stmt->bindParam(':prod_type', $prod_type);
	$stmt->bindParam(':made', $made);
	$stmt->bindParam(':dist', $dist);
	$stmt->exec();
	
	$conn->exec($sql);
	echo "New record added";
}
catch(PDOException $error)
{
	echo $sql . "<br />" . $error->getMessage();
}

?>

The error message I am getting is:

Fatal error: Call to a member function prepare() on a non-object in /home/a6382499/public_html/insert.php on line 32

 

 

And line 32 in the code is:

$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)

Any help would be much appreciated.

https://forums.phpfreaks.com/topic/294725-parameterised-queries/

Solution:

$conn = new PDO("mysql:host=$servername;$db", $user_name, $password);

 

$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)

 

Your PDO object is $conn.

Edited by Barand

Edit: Barand beat me to it, but I'm going to post anyway :)

 

The error is pretty self-explanatory. You are trying to execute a function called prepare on an object, but the object doesn't exist.

 

$stmt = $db->prepare();

 

$db is not an object - it is only a string

 

$db = "a6382499_product";

 

Looks like $conn is your db object
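Added example, not code from the original poster or from the replies above: a corrected version of the insert script that applies the fix the replies point at (prepare() is called on the PDO object, $conn, not on the database-name string $db) together with the other defects visible in the posted code: the DSN omits "dbname=", exec() is called on a statement where execute() is the method that runs a prepared statement, the stray $conn->exec($sql) uses an undefined $sql, and the catch block echoes the query and driver message to the browser. The Products table definition is an assumption, and the script runs against an in-memory SQLite database so it can be executed offline; the MySQL DSN the poster would use is given in a comment. The sample input standing in for $_POST is constructed and carries an injection-style NAME value to show that a bound parameter is stored as plain text rather than parsed as SQL.

```php
<?php
// Added example (not the original poster's code): PDO prepared-statement insert.
// Runs against SQLite in memory so it works offline; the Products schema is assumed.

function connect(): PDO
{
    // For the poster's MySQL host the DSN would be:
    //   "mysql:host=$servername;dbname=$db;charset=utf8mb4"
    // Note the "dbname=" key: the original DSN "mysql:host=$servername;$db" leaves it out.
    $conn = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares where the driver supports them
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Assumed schema, matching the column names in the poster's INSERT.
    $conn->exec('CREATE TABLE Products (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        NAME TEXT NOT NULL, DESCRIPTION TEXT, PRICE REAL,
        IMAGE TEXT, TYPE TEXT, MADE TEXT, DISTRIBUTE TEXT)');
    return $conn;
}

function insertProduct(PDO $conn, array $p): int
{
    // prepare() is called on the PDO object ($conn), never on the database-name string.
    // Every user-supplied value travels as a parameter; nothing is concatenated into the SQL.
    $stmt = $conn->prepare(
        'INSERT INTO Products (NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
         VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)'
    );
    // execute() runs the prepared statement (exec() does not exist on PDOStatement).
    // Passing the values here replaces the seven bindParam() calls.
    $stmt->execute([
        ':name'      => $p['name'],
        ':desc'      => $p['description'],
        ':price'     => $p['price'],
        ':image'     => $p['image'],
        ':prod_type' => $p['prod_type'],
        ':made'      => $p['made'],
        ':dist'      => $p['distribute'],
    ]);
    return (int) $conn->lastInsertId();
}

function fetchName(PDO $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT NAME FROM Products WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row['NAME'];
}

// Constructed sample input standing in for $_POST. The NAME value is a classic
// injection payload; with a bound parameter it is stored literally.
$post = [
    'name'        => "Widget'); DROP TABLE Products; --",
    'description' => 'Test product',
    'price'       => '9.99',
    'image'       => 'widget.png',
    'prod_type'   => 'gadget',
    'made'        => 'UK',
    'distribute'  => 'yes',
];

try {
    $conn = connect();
    $id   = insertProduct($conn, $post);
    echo "Inserted row $id, NAME stored as: " . fetchName($conn, $id) . "\n";
    $count = $conn->query('SELECT COUNT(*) FROM Products')->fetchColumn();
    echo "Products table still exists, row count: $count\n";
} catch (PDOException $e) {
    // Keep the driver message and the SQL out of the HTTP response; log them server-side.
    error_log('Database error: ' . $e->getMessage());
    echo "Database error\n";
}
```

Two points worth checking in your own version: the placeholders in the SQL and the keys passed to execute() must match exactly (seven here), and the catch block should not echo $sql or $error->getMessage(), since the query text and driver error details tell an attacker more about the schema than they should know.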
