WebmasterWorld Forums / Code, Content, and Presentation / Databases

Databases Forum

prepared statement isn't working
Skier88 (msg:4203274), 3:26 pm on Sep 17, 2010 (gmt 0)

I'm converting my scripts to prepared statements for the added security, but I've run into a problem so simple I don't even know how to troubleshoot it.

This code runs (the if statement returns true), but does not add an entry:

    if ($stmt->prepare("INSERT INTO ratings VALUES ('',?,?,?,?,?,?)"))
    {
        $stmt->bind_param('ssssis', $ip, $article, $date, $author, $rating, $comments);
        $stmt->execute();
    }


This code also runs, and successfully adds a row:

    mysql_query("INSERT INTO ratings VALUES ('','$ip','$article','$date','$author','$rating','$comments')");


Both methods are able to initialize, and the same script contains other identically formatted prepared statements that function perfectly.

Any suggestions? Thanks for reading.

Skier88 (msg:4203393), 6:17 pm on Sep 17, 2010 (gmt 0)

Just re-reading, and my first post is a little unclear. I should have said similarly (not identically) formatted statements. What I meant was that statements of this format work:

    if ($stmt->prepare("[query]"))
    {
        $stmt->bind_param('[types]', [variables]);
        $stmt->execute();
    }


Also, I don't think this is the problem, but none of the working statements insert a row - they are either SELECT or UPDATE queries.

enigma1 (msg:4209290), 11:45 am on Sep 30, 2010 (gmt 0)

It's not possible to know what these member functions are doing without looking at the db class code. And it's not too efficient to have several lines to perform a query and somehow you need to validate the input fields by type and perhaps by value.

Skier88 (msg:4211874), 7:47 pm on Oct 5, 2010 (gmt 0)

Thanks for the reply, enigma. Yes, I've been working on security, I was just giving preliminary code.

Anyway, I solved my problem. It turns out prepared statements don't work if you bind a value to a variable which is null. It works if you set it equal to ''. So my fix was replacing

    $author = $_REQUEST['author'];

with

    // isset() avoids an undefined-index notice when the field is absent entirely;
    // either way a missing/null value is replaced with '' before binding.
    $author = isset($_REQUEST['author']) ? $_REQUEST['author'] : '';

(security etc removed for clarity's sake)
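The "runs but adds nothing" symptom from the first post and the null-to-'' fix from the last one both come down to the same thing: execute() failed and nothing in the script looked at its return value or at $stmt->error. The following is an added example, not the poster's code, showing how a practitioner would write the same insert so that a failed execute cannot pass unnoticed, and with the null-defaulting applied to every request field rather than one. It assumes the table layout implied by the thread (an auto-increment id followed by ip, article, date, author, rating, comments) and, to reproduce the symptom, that author is a NOT NULL column; the connection details, the requestString/requestInt helpers and the rating range 1 to 5 are this example's own choices.

```php
<?php
// Added example (not the poster's code): inserting into the thread's `ratings`
// table with mysqli, with the failure mode the thread hit made visible.
// Assumed schema: ratings(id AUTO_INCREMENT, ip, article, date, author NOT NULL,
//                         rating INT, comments)  -- the NOT NULL is an assumption.
declare(strict_types=1);

// Report mysqli errors as exceptions, so a failed prepare()/execute() stops the
// script instead of returning false and being ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Read a request field as a string, defaulting to '' when it is absent or null.
 * This generalises the poster's fix: a null variable handed to bind_param is sent
 * as SQL NULL, which a NOT NULL column rejects, so normalise before binding.
 * (Hypothetical helper, not part of the original thread.)
 */
function requestString(array $request, string $key, int $maxLen = 255): string
{
    $value = $request[$key] ?? '';       // missing or null -> ''
    if (!is_string($value)) {            // foo[]=bar would arrive as an array
        return '';
    }
    return mb_substr(trim($value), 0, $maxLen);
}

/** Read an integer field within [$min, $max], falling back to $min. (Hypothetical helper.) */
function requestInt(array $request, string $key, int $min, int $max): int
{
    $value = filter_var($request[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? $min : $value;
}

/**
 * Insert one rating and return the new auto-increment id.
 * Columns are named explicitly rather than using the positional VALUES ('', ...)
 * form, so a schema change cannot silently shift values into the wrong column.
 */
function insertRating(mysqli $db, array $request, string $clientIp): int
{
    $sql = 'INSERT INTO ratings (ip, article, date, author, rating, comments)
            VALUES (?, ?, ?, ?, ?, ?)';

    $ip       = $clientIp;
    $article  = requestString($request, 'article');
    $date     = date('Y-m-d H:i:s');
    $author   = requestString($request, 'author', 64);
    $rating   = requestInt($request, 'rating', 1, 5);
    $comments = requestString($request, 'comments', 2000);

    $stmt = $db->prepare($sql);   // throws mysqli_sql_exception on a bad query
    $stmt->bind_param('ssssis', $ip, $article, $date, $author, $rating, $comments);

    // Without MYSQLI_REPORT_STRICT, execute() returns false on a constraint
    // violation and the script carries on: the "runs but adds nothing" symptom.
    // With it, the exception fires here; the check below is belt-and-braces.
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    if ($stmt->affected_rows !== 1) {
        throw new RuntimeException('expected 1 row inserted, got ' . $stmt->affected_rows);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $db->set_charset('utf8mb4');
// try {
//     $id = insertRating($db, $_REQUEST, $_SERVER['REMOTE_ADDR'] ?? '');
// } catch (mysqli_sql_exception $e) {
//     error_log('ratings insert failed: ' . $e->getMessage()); // log it; never echo SQL errors to users
// }
```

The point of the strict reporting mode and the affected_rows check is that prepared statements only protect the query structure; they say nothing about whether the row actually went in. A bind of a null variable, a truncated value or a violated constraint all fail at execute(), and the original snippet discarded that result. Logging the driver error server-side and returning a generic message to the client keeps the diagnostic without leaking table or column names.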
