Tom10 Posted May 9, 2015

I am getting the following error

Fatal error: Call to a member function bind_param() on string in C:\xampp\htdocs\register.php on line 40

Here is my script:

```php
<?php
require 'connect.php';
error_reporting(E_ALL | E_NOTICE);

if($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $cpassword = $_POST['cpassword'];

    if($cpassword !== $password) {
        die("Passwords do not match!");
    }

    $username = htmlspecialchars($username);
    $username = htmlentities($username);
    $username = strip_tags($username);

    if(preg_match("#[^\w]#", $username)) {
        die("Your username must be numbers or letters only!");
    }

    $hash = hash('ripemd320', $password);

    if(empty($username) || empty($password)) {
        die("Please enter both your username and password!");
    }

    $sql = "INSERT INTO users (username, password) VALUES ($username, $password)";
    $sql->bind_param("ss", $username, $password);
    $sql->execute();

    if($handler->query($sql) === TRUE) {
        echo "Your account has been successfully created!";
    }
}
?>
```

fastsol Posted May 9, 2015

You need to use the prepare() beforehand and placeholders in the query string.

```php
$sql_string = "INSERT INTO users SET username = :a, password = :b";
$sql->prepare($sql_string);
$sql->bindParam(":a", $username);
$sql->bindParam(":b", $password);
$sql->execute();
```

Personally I like to use SET instead of the VALUES method. This way you can easily see what column is getting what value and you can use the same string for the most part when you do an UPDATE too.

You also had the spelling wrong on the bind_param which should be bindParam. Here is the manual documentation: http://php.net/manual/en/pdostatement.bindparam.php

Plus because you set the sql string to $sql, you probably overwrote the $sql of the DB object, unless your DB object is named something else. You didn't show the connect.php code so I can't say for sure. But for the code you showed, $sql is NOT a DB object and certainly wouldn't be after you set $sql to the sql string like you did.

jcbones Posted May 9, 2015

I believe he is using the Mysqli library, or else he would have gotten a non-member function error. If so, the OP still needs to prepare the query before the bind_param.

```php
$sql_string = "INSERT INTO users SET username = ?, password = ?";
$stmt = $mysqli->prepare($sql_string);
$stmt->bind_param('ss',$username,$password);
$stmt->execute();

if($stmt->affected_rows == 1) {
    echo "Your account has been successfully created!";
}
```

Barand Posted May 9, 2015 (edited)

Here's the mysqli version (assuming your connection variable is "$mysqli")

```php
$sql = "INSERT INTO users (username, password) VALUES (?, ?)";  // use placeholders
$stmt = $mysqli->prepare($sql);                                 // create prepared statement
$stmt->bind_param("ss", $username, $password);                  // bind STATEMENT parameter
$stmt->execute();                                               // execute the statement
```

edit: Beat to the post by jcbones!

Edited May 9, 2015 by Barand

mac_gyver Posted May 9, 2015 (edited)

unfortunately, the OP is using the PDO library, based on the error and his connection code posted in the last thread on this forum, but isn't actually learning how to use it, and is therefore getting stuck on the basic steps over and over.

@Tom10, the task in this thread is similar to your previous thread. you are trying to form and run a query, an insert query in this case, but are not using all the statements correctly. the only way to get all the statements to work together and correctly is to learn what each of the statements does, so that you will know how they are supposed to go together.

in the last thread you were not using the correct bind statement that is part of the PDO library of functions. in this thread, you have a mix of code that is/was running a non prepared query using the pdo->query() method, then added a couple of lines of code trying to turn that into a prepared query, but not converting the sql statement to a prepared query, not using the correct pdo bind statement, and still leaving in the previous call to the pdo query() method.

the reason i didn't post any fixed code or link to any php.net documentation in your previous thread, is because you are missing the basic understanding of what these statements and lines of code do and the only way you can gain that understanding is if you actually go and research, internalize, and learn this information. once you know how to use the pdo statements to prepare a query, bind input parameters, execute the query, and retrieve any results, you can then use that knowledge to form and run any kind of query.

Edited May 9, 2015 by mac_gyver

Tom10 Posted May 10, 2015

I'm now getting this error

Fatal error: Call to undefined method PDO::bindParam() in C:\xampp\htdocs\register.php on line 41

this is the code i have updated:

```php
$sql_string = "INSERT INTO users SET username = :a, password = :b";
$sql->prepare($sql_string);
$sql->bindParam(':a', $username);
$sql->bindParam(':b', $hash);
$sql->execute();

if($sql->query($sql_string) === TRUE) {
    echo "Your account has been successfully created!";
}
```

mac_gyver Posted May 10, 2015 (edited)

we are really trying to help you, but when you don't bother to read the php.net documentation and its examples for the statements you are trying to use and really learn what each statement does, and in this case learn what each statement returns as a value, it's not possible for you to write code that does anything. you are operating in an uncontrolled random trial (and mostly error) mode, where you are not using the documentation as an input to determine the correct way of using any statement.

i'll give you a hint: bindParam() is a method of the PDOStatement class. it is not a method of the PDO class. the following is the php.net documentation of the return value from the ->prepare() method -

> Return Values
>
> If the database server successfully prepares the statement, PDO::prepare() returns a PDOStatement object. If the database server cannot successfully prepare the statement, PDO::prepare() returns FALSE or emits PDOException (depending on error handling).

all of this information, including examples, can be found in the php.net documentation.

in your last thread, you were correctly doing everything to prepare and execute the query, except you were not using the proper bind statement. the code you posted above in this thread is nothing like what you used in the last thread, which says you didn't learn anything from what you were doing in the last thread. just going through the motion of copy/pasting lines of code, isn't programming and isn't learning. you must be able to generalize and make use of what you 'learned' to prepare and execute one type of query to do the same steps for any other type of query.

Edited May 10, 2015 by mac_gyver

mac_gyver Posted May 10, 2015

here's another hint. the following is your SELECT ... query from the previous thread, with the correct bind usage -

```php
$sql = "SELECT ....";
$stmt = $handler->prepare($sql);
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $hash);
$stmt->execute();
```

these are the corresponding lines of code from this thread -

```php
$sql_string = "INSERT INTO users SET username = :a, password = :b";
$sql->prepare($sql_string);
$sql->bindParam(':a', $username);
$sql->bindParam(':b', $hash);
$sql->execute();
```

lines 2-5 of both of these pieces of code should be logically the same and in fact should be identical for consistency reasons (why keep writing/changing code that's performing the same actions.)

Tom10 Posted May 11, 2015 (edited)

> we are really trying to help you, but when you don't bother to read the php.net documentation and its examples for the statements you are trying to use and really learn what each statement does, and in this case learn what each statement returns as a value, it's not possible for you to write code that does anything. you are operating in an uncontrolled random trial (and mostly error) mode, where you are not using the documentation as an input to determine the correct way of using any statement.

I do read the documentation i just don't understand their bindParam tutorial

Edited May 11, 2015 by Tom10

Jacques3 Posted May 11, 2015

> I do read the documentation i just don't understand their bindParam tutorial

Then you aren't reading it. Sounds like you're mix matching random bits of codes you find on the internet and hope it works together. If you don't understand MySQLi, you won't understand PDO. As of right now, you don't even understand MySQLi as far as I see it.

You're adding > 0 to num_rows. num_rows already returns true or false if the record does not exist or if it exists. Adding > 0 to num_rows is redundant because it already returns true or false.

Where does the variable $handler come from? If you use $handler for 1 query, then you should be using $handler for your whole query.

mac_gyver has provided an excellent example of how it should be done right. Understanding it and copy & paste trial error are 2 different things. It's harsh, but you have to deal with it because you've asked basically the same questions in all of your topics.

I'd be pretty shocked if you have this up on a live server. Your users would be able to find all of the horrible codes and break into your website like nothing.

Tom10 Posted May 11, 2015

```php
$sql_string = "INSERT INTO users SET username = :a, password = :b";
$sql->prepare($sql_string);
$sql->bindParam(':a', $username, PDO::PARAM_STR, 50);
$sql->bindParam(':b', $hash, PDO::PARAM_STR, 30);
$sql->execute();
```

I've done exactly what the documentation says.

mac_gyver Posted May 11, 2015

> I've done exactly what the documentation says.

sorry, but no you haven't. look at and compare the second line of code in both of the pieces of code in my reply #8 and in your reply #11. you should be able to notice what's logically different about those lines. in the line that's from your previous thread, you are assigning the result from the ->prepare() method call to a variable, $stmt, that then gets used in the bindParam() and the execute() method calls.

programming is an exact science. the computer only does exactly what your code tells it to do. if a statement returns a value that you must then use in the following dependent statements, you must be able to 'get' that kind of information when you read the documentation and examples.

Tom10 Posted May 11, 2015

yeah i figured that out before i don't know how i didn't spot that prepare error
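
The sequence the thread converges on (prepare on the PDO object, then bind and execute on the PDOStatement it returns), as an added example that is not code from any of the posters. Assumptions: an in-memory SQLite database stands in for the MySQL connection from connect.php, which is not shown; `register_user()` is a hypothetical helper; and `password_hash()` is swapped in for the thread's `hash('ripemd320', ...)` so that the stored value is a salted hash rather than the raw password.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite
// stands in for the MySQL connection that connect.php creates.
$handler = new PDO('sqlite::memory:');
// Make PDO throw on failure instead of returning false.
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->exec('CREATE TABLE users (username TEXT UNIQUE, password TEXT)');

function register_user(PDO $handler, $username, $password)
{
    // Validate the raw input; HTML escaping belongs at output time.
    if ($username === '' || $password === '' || preg_match('#[^\w]#', $username)) {
        return false;
    }
    // Swapped in for hash('ripemd320', ...): a salted, slow password hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep the values out of the SQL text.
    $sql = 'INSERT INTO users (username, password) VALUES (:username, :password)';
    // prepare() is called on the PDO object and returns a PDOStatement.
    $stmt = $handler->prepare($sql);
    // bindParam() and execute() are called on that statement, not on $handler.
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->bindParam(':password', $hash, PDO::PARAM_STR);
    try {
        $stmt->execute();
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint (duplicate username here).
        if ((string) $e->getCode() !== '23000') {
            throw $e;
        }
        return false;
    }
    return $stmt->rowCount() === 1;
}

// Constructed sample input.
var_dump(register_user($handler, 'tom10', 'correct horse'));  // new account
var_dump(register_user($handler, 'tom10', 'another pass'));   // duplicate name
var_dump(register_user($handler, "o'brien", 'whatever'));     // fails validation

// The stored value is a hash; verify a login attempt against it.
$stmt = $handler->prepare('SELECT password FROM users WHERE username = :username');
$stmt->execute([':username' => 'tom10']);
$stored = $stmt->fetchColumn();
var_dump(password_verify('correct horse', $stored));
```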