I am getting the following error

Fatal error: Call to a member function bind_param() on string in C:\xampp\htdocs\register.php on line 40

 

Here is my script:

<?php

require 'connect.php';

error_reporting(E_ALL | E_NOTICE);

if($_SERVER['REQUEST_METHOD'] == "POST")
{
    
    $username = $_POST['username'];
    $password = $_POST['password'];
    $cpassword = $_POST['cpassword'];
    
    if($cpassword !== $password)
    {
     
        die("Passwords do not match!");
        
    }
    
    $username = htmlspecialchars($username);
    $username = htmlentities($username);
    $username = strip_tags($username);
    
    if(preg_match("#[^\w]#", $username))
    {
     
        die("Your username must be numbers or letters only!");
        
    }
    
    $hash = hash('ripemd320', $password);
    
    if(empty($username) || empty($password))
    {
     
        die("Please enter both your username and password!");
        
    }
    
    $sql = "INSERT INTO users (username, password) VALUES ($username, $password)";
    $sql->bind_param("ss", $username, $password);
    $sql->execute();
    
    if($handler->query($sql) === TRUE)
    {   
     
        echo "Your account has been successfully created!";
        
    }
}

?>

You need to use the prepare() beforehand and placeholders in the query string.

    $sql_string = "INSERT INTO users SET username = :a, password = :b";
    $sql->prepare($sql_string);
    $sql->bindParam(":a", $username);
    $sql->bindParam(":b", $password);
    $sql->execute();

Personally I like to use SET instead of the VALUES method.  This way you can easily see what column is getting what value and you can use the same string for the most part when you do an UPDATE too.  You also had the spelling wrong on the bind_param which should be bindParam.  Here is the manual documentation: http://php.net/manual/en/pdostatement.bindparam.php

 

Plus, because you set the sql string to $sql, you probably overwrote the $sql of the DB object, unless your DB object is named something else.  You didn't show the connect.php code so I can't say for sure.  But for the code you showed, $sql is NOT a DB object and certainly wouldn't be after you set $sql to the sql string like you did.


I believe he is using the Mysqli library, or else he would have gotten a non-member function error.  If so, the OP still needs to prepare the query before the bind_param.

 

$sql_string = "INSERT INTO users SET username = ?, password = ?";
$stmt = $mysqli->prepare($sql_string);
$stmt->bind_param('ss',$username,$password);
$stmt->execute();
if($stmt->affected_rows == 1) {
 echo "Your account has been successfully created!";
}

Here's the mysqli version (assuming your connection variable is "$mysqli")

$sql = "INSERT INTO users (username, password) VALUES (?, ?)"; // use placeholders
$stmt = $mysqli->prepare($sql);                 // create prepared statement
$stmt->bind_param("ss", $username, $password);  // bind STATEMENT parameter
$stmt->execute();                               // execute the statement

edit: Beat to the post by jcbones!

Edited by Barand

unfortunately, the OP is using the PDO library, based on the error and his connection code posted in the last thread on this forum, but isn't actually learning how to use it, and is therefore getting stuck on the basic steps over and over.

 

@Tom10, the task in this thread is similar to your previous thread. you are trying to form and run a query, an insert query in this case, but are not using all the statements correctly. the only way to get all the statements to work together and correctly is to learn what each of the statements do, so that you will know how they are supposed to go together.

 

in the last thread you were not using the correct bind statement that is part of the PDO library of functions. in this thread, you have a mix of code that is/was running a non prepared query using the pdo->query() method, then added a couple of lines of code trying to turn that into a prepared query, but not converting the sql statement to a prepared query, not using the correct pdo bind statement, and still leaving in the previous call to the pdo query() method.

 

the reason i didn't post any fixed code or link to any php.net documentation in your previous thread, is because you are missing the basic understanding of what these statements and lines of code do and the only way you can gain that understanding is if you actually go and research, internalize, and learn this information.

 

once you know how to use the pdo statements to prepare a query, bind input parameters, execute the query, and retrieve any results, you can then use that knowledge to form and run any kind of query.

Edited by mac_gyver

I'm now getting this error

 Fatal error: Call to undefined method PDO::bindParam() in C:\xampp\htdocs\register.php on line 41

 

this is the code i have updated:

    $sql_string = "INSERT INTO users SET username = :a, password = :b";
    $sql->prepare($sql_string);
    $sql->bindParam(':a', $username);
    $sql->bindParam(':b', $hash);
    $sql->execute();
    
    if($sql->query($sql_string) === TRUE)
    {   
     
        echo "Your account has been successfully created!";
        
    }

we are really trying to help you, but when you don't bother to read the php.net documentation and its examples for the statements you are trying to use and really learn what each statement does, and in this case learn what each statement returns as a value, it's not possible for you to write code that does anything. you are operating in an uncontrolled random trial (and mostly error) mode, where you are not using the documentation as an input to determine the correct way of using any statement.

 

i'll give you a hint: bindParam() is a method of the PDOStatement class. it is not a method of the PDO class. the following is the php.net documentation of the return value from the ->prepare() method - 

 

Return Values

If the database server successfully prepares the statement, PDO::prepare() returns a PDOStatement object. If the database server cannot successfully prepare the statement, PDO::prepare() returns FALSE or emits PDOException (depending on error handling). 

 

 

all of this information, including examples, can be found in the php.net documentation.

 

in your last thread, you were correctly doing everything to prepare and execute the query, except you were not using the proper bind statement. the code you posted above in this thread is nothing like what you used in the last thread, which says you didn't learn anything from what you were doing in the last thread. just going through the motion of copy/pasting lines of code, isn't programming and isn't learning. you must be able to generalize and make use of what you 'learned' to prepare and execute one type of query to do the same steps for any other type of query.

Edited by mac_gyver

here's another hint. the following is your SELECT ... query from the previous thread, with the correct bind usage -

 

$sql = "SELECT ....";
$stmt = $handler->prepare($sql);
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $hash);
$stmt->execute();

these are the corresponding lines of code from this thread -

$sql_string = "INSERT INTO users SET username = :a, password = :b";
$sql->prepare($sql_string);
$sql->bindParam(':a', $username);
$sql->bindParam(':b', $hash);
$sql->execute();

lines 2-5 of both of these pieces of code should be logically the same and in fact should be identical for consistency reasons (why keep writing/changing code that's performing the same actions.)


I do read the documentation i just don't understand their bindParam tutorial

Edited by Tom10

Then you aren't reading it. Sounds like you're mix matching random bits of codes you find on the internet and hope it works together.

 

If you don't understand MySQLi, you won't understand PDO. As of right now, you don't even understand MySQLi as far as I see it. You're adding > 0 to num_rows. num_rows already returns true or false if the record does not exist or if it exists. Adding > 0 to num_rows is redundant because it already returns true or false. Where does the variable $handler come from? If you use $handler for 1 query, then you should be using $handler for your whole query. mac_gyver has provided an excellent example of how it should be done right.

 

Understanding it and copy & paste trial error are 2 different things. It's harsh, but you have to deal with it because you've asked basically the same questions in all of your topics. I'd be pretty shocked if you have this up on a live server. Your users would be able to find all of the horrible codes and break into your website like nothing.

I've done exactly what the documentation says.

 

 

sorry, but no you haven't. look at and compare the second line of code in both of the pieces of code in my reply #8 and in your reply #11. you should be able to notice what's logically different about those lines. in the line that's from your previous thread, you are assigning the result from the ->prepare() method call to a variable, $stmt, that then gets used in the bindParam() and the execute() method calls.

 

programming is an exact science. the computer only does exactly what your code tells it to do. if a statement returns a value that you must then use in the following dependent statements, you must be able to 'get' that kind of information when you read the documentation and examples.
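
The point the replies above keep returning to (prepare() is called on the PDO object and returns a PDOStatement, and bindParam() and execute() are then called on that returned object), shown as an added example that is not code from any poster in this thread. The in-memory SQLite connection, the users table layout and the registerUser() name are assumptions made so it runs stand-alone; it also stores a password_hash() value instead of the unsalted hash('ripemd320', ...) digest.

```php
<?php
// Added example (not from the thread). The in-memory SQLite database, the
// users table layout and registerUser() are assumptions for illustration.

$handler = new PDO('sqlite::memory:');
// Make prepare()/execute() throw PDOException instead of returning false.
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function registerUser(PDO $handler, string $username, string $password): string
{
    // Validate rather than escape: the placeholders keep the SQL safe,
    // and HTML escaping belongs at output time, not before storage.
    if (!preg_match('/\A\w{1,32}\z/', $username) || $password === '') {
        return 'invalid input';
    }
    // Salted, deliberately slow hash; check it later with password_verify().
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // prepare() is a PDO method and RETURNS a PDOStatement: keep it in $stmt.
    $stmt = $handler->prepare(
        'INSERT INTO users (username, password) VALUES (:username, :password)'
    );
    // bindParam() and execute() are PDOStatement methods, so they are called
    // on $stmt, never on $handler and never on the SQL string.
    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $hash);
    try {
        $stmt->execute(); // this runs the INSERT; no query() call afterwards
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate name).
        if ((string) $e->getCode() === '23000') {
            return 'username taken';
        }
        throw $e;
    }
    return $stmt->rowCount() === 1 ? 'created' : 'failed';
}

echo registerUser($handler, 'tom10', 'correct horse'), PHP_EOL; // new account
echo registerUser($handler, 'tom10', 'another pass'), PHP_EOL;  // same name again
echo registerUser($handler, 'not valid!', 'pw'), PHP_EOL;       // fails validation
```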
