
Databases Forum

    
prepared statement isn't working
Skier88, 5+ Year Member
Msg#: 4203272 posted 3:26 pm on Sep 17, 2010 (gmt 0)

I'm converting my scripts to prepared statements for the added security, but I've run into a problem so simple I don't even know how to troubleshoot it.

This code runs (the if statement returns true), but does not add an entry:

$stmt = $mysqli->stmt_init();   // $mysqli is the already-open mysqli connection
if ($stmt->prepare("INSERT INTO ratings VALUES ('',?,?,?,?,?,?)"))
{
    // type string: s = string, i = integer, one letter per placeholder, in order
    $stmt->bind_param('ssssis', $ip, $article, $date, $author, $rating, $comments);
    $stmt->execute();   // return value not checked, so a failed insert goes unnoticed
}


This code also runs, and successfully adds a row:

// legacy ext/mysql call: the variables are interpolated straight into the SQL text
mysql_query("INSERT INTO ratings VALUES ('','$ip','$article','$date','$author','$rating','$comments')");


Both methods are able to initialize, and the same script contains other identically formatted prepared statements that function perfectly.

Any suggestions? Thanks for reading.

 

Skier88, 5+ Year Member
Msg#: 4203272 posted 6:17 pm on Sep 17, 2010 (gmt 0)

Just re-reading, and my first post is a little unclear. I should have said similarly (not identically) formatted statements. What I meant was that statements of this format work:

if ($stmt->prepare("[query]"))
{
    $stmt->bind_param('[types]', [variables]);
    $stmt->execute();
}


Also, I don't think this is the problem, but none of the working statements insert a row - they are either SELECT or UPDATE queries.
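The same INSERT as in the posts above, written so that a failed execute() is reported instead of silently ignored. This is an added example, not code from the original thread; the connection credentials, the column names of `ratings` and the sample values are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Connection details, the ratings column
// list and the input values below are assumed for illustration.

// Make mysqli throw on any error so a failed prepare/bind/execute cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'appuser', 'secret', 'appdb');   // assumed credentials
$db->set_charset('utf8mb4');

// Naming the columns instead of relying on "VALUES ('',?,?,...)": the
// auto-increment id is simply omitted, and the statement keeps working if the
// table later gains a column. Column names are assumed.
$sql = 'INSERT INTO ratings (ip, article, date, author, rating, comments)
        VALUES (?, ?, ?, ?, ?, ?)';

// Constructed sample input standing in for $_REQUEST values.
$ip       = '203.0.113.7';
$article  = 'prepared-statements';
$date     = date('Y-m-d H:i:s');
$author   = 'skier';
$rating   = 4;            // bound as 'i', so a non-numeric value never reaches the SQL
$comments = "O'Reilly's take; also -- DROP TABLE ratings"; // quotes are inert once bound

try {
    $stmt = $db->prepare($sql);
    // Types must match the columns: s = string, i = integer. Binding is by
    // reference, so the variables are read at execute() time.
    $stmt->bind_param('ssssis', $ip, $article, $date, $author, $rating, $comments);
    $stmt->execute();

    // In the question the result of execute() was never inspected; this is
    // the check that shows whether a row actually went in.
    printf("inserted id %d, affected rows %d\n", $stmt->insert_id, $stmt->affected_rows);
} catch (mysqli_sql_exception $e) {
    // e.g. "Column 'author' cannot be null" when a NOT NULL column receives a null binding
    error_log('ratings insert failed: ' . $e->getMessage());
    exit(1);
} finally {
    if (isset($stmt)) {
        $stmt->close();
    }
    $db->close();
}
```

With `MYSQLI_REPORT_STRICT` on, the "runs but inserts nothing" symptom from the question cannot occur: the server's rejection surfaces as an exception with the MySQL error text, which is the first thing to read when a prepared INSERT affects zero rows.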

enigma1, WebmasterWorld Senior Member, 5+ Year Member
Msg#: 4203272 posted 11:45 am on Sep 30, 2010 (gmt 0)

It's not possible to know what these member functions are doing without looking at the db class code. And it's not too efficient to have several lines to perform a query and somehow you need to validate the input fields by type and perhaps by value.

Skier88, 5+ Year Member
Msg#: 4203272 posted 7:47 pm on Oct 5, 2010 (gmt 0)

Thanks for the reply, enigma. Yes, I've been working on security; I was just giving preliminary code.

Anyway, I solved my problem. It turns out prepared statements don't work if you bind a value to a variable which is null. It works if you set it equal to ''. So my fix was replacing

$author=$_REQUEST['author'];

with

$author = isset($_REQUEST['author']) ? $_REQUEST['author'] : '';   // isset() also avoids the undefined-index notice when the key is absent

(security etc removed for clarity's sake)
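The one-line fix above handles a single field. As an added example (not code from the thread), the function below normalizes every value the INSERT needs in one place, so nothing handed to bind_param() is a PHP null unless the column really allows NULL. Field names, length limits, the rating range and the use of the server-side remote address are assumptions; mbstring is assumed to be available.

```php
<?php
// Added example, not from the original thread. Field names, limits and the
// choice to take ip/date from the server rather than the request are assumed.

/**
 * Build the row for the ratings INSERT from request data.
 * Returns the six values in bind order for the type string 'ssssis'.
 */
function build_rating_row(array $req, string $remote_ip): array
{
    // Missing, blank or non-string text fields become '' (what the fix in the
    // thread did by hand for one field), and over-long values are cut so the
    // insert cannot fail on column length either. isset() avoids the
    // "undefined index" notice that reading $_REQUEST['author'] directly raises.
    $text = function (string $key, int $max) use ($req): string {
        $v = isset($req[$key]) && is_string($req[$key]) ? trim($req[$key]) : '';
        return mb_substr($v, 0, $max);
    };

    // rating is bound as 'i'; coerce and clamp so the integer is always defined
    // (assumed range 0..5).
    $rating = isset($req['rating']) ? (int) $req['rating'] : 0;
    $rating = max(0, min(5, $rating));

    // The client should not pick its own ip or timestamp; use the server's.
    return [
        filter_var($remote_ip, FILTER_VALIDATE_IP) ?: '0.0.0.0',
        $text('article', 100),
        date('Y-m-d H:i:s'),
        $text('author', 60),
        $rating,
        $text('comments', 2000),
    ];
}

// Constructed request with the 'author' key absent, the case that produced
// the silent failure in the thread.
$req = ['article' => 'prepared-statements', 'rating' => '7', 'comments' => "fine\n"];
$row = build_rating_row($req, '203.0.113.7');
var_export($row);
// Every element is a string or an int, none is null, rating is clamped to 5
// and author is '' rather than null.

// Binding the row (connection and statement setup omitted here):
//   [$ip, $article, $date, $author, $rating, $comments] = $row;
//   $stmt->bind_param('ssssis', $ip, $article, $date, $author, $rating, $comments);
//   if (!$stmt->execute()) { error_log($stmt->error); }
// A PHP null bound through bind_param() is sent as SQL NULL; a NOT NULL column
// then rejects the row and execute() returns false with $stmt->error set.
// Normalizing the inputs first is what prevents that, and checking the return
// value is what makes it visible when it does happen.
```

Note that the thread's own observation describes the symptom, not the mechanism: binding a null does "work" in that the statement executes, but the server refuses a NULL for a NOT NULL column, and without checking execute()'s return value or $stmt->error the refusal is invisible.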
