I'm extremely new to php so I don't doubt I'm just doing something stupid here.


Code:
$mysqli = new mysqli($dbserver,$dbusername,$dbpassword);

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$stmt = $mysqli->prepare("SELECT * FROM ? WHERE user = ? AND pass = ?");
$stmt->bind_param('sss', $dbtable, $inputuser, $inputpass);


The last statement in that is line 35.

Quote:
Fatal error: Call to a member function bind_param() on a non-object in /home/students/rcgrube/public_html/oo.php on line 35


Doesn't this:

Code:
$stmt = $mysqli->prepare("SELECT * FROM ? WHERE user = ? AND pass = ?");

make $stmt the correct type of object?
I've never even used the mysqli functions (old school mysql all the way), but according to the php docs, there are 2 ways to go about it.

OOP-style:

Code:

//... blah blah blah

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
$stmt->execute();

printf("%d Row inserted.\n", $stmt->affected_rows);

/* close statement and connection */
$stmt->close();

// blah blah blah ...



Procedural:

Code:

// ... blah blah blah

$stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
mysqli_stmt_execute($stmt);

printf("%d Row inserted.\n", mysqli_stmt_affected_rows($stmt));

/* close statement and connection */
mysqli_stmt_close($stmt);

// blah blah blah...


And what you wrote seems to match the first version.
elfprince13 wrote:
I've never even used the mysqli functions (old school mysql all the way), but according to the php docs, there are 2 ways to go about it.

[code code code]

And what you wrote seems to match the first version.


Indeed, which implies to me that $mysqli->prepare is returning a null value. Can you echo $stmt and verify that it's 0, false, NULL, or something like that as I suspect?
KermMartian wrote:
elfprince13 wrote:
I've never even used the mysqli functions (old school mysql all the way), but according to the php docs, there are 2 ways to go about it.

[code code code]

And what you wrote seems to match the first version.


Indeed, which implies to me that $mysqli->prepare is returning a null value. Can you echo $stmt and verify that it's 0, false, NULL, or something like that as I suspect?


Yeah, echo doesn't print out anything. I don't see why, though. My syntax looks right to me.
Among other things, I doubt that ? is a valid table in this SQL statement (or did you just censor out the actual values?).


Code:
SELECT * FROM ? WHERE user = ? AND pass = ?
KermMartian wrote:
Among other things, I doubt that ? is a valid table in this SQL statement (or did you just censor out the actual values?).


Code:
SELECT * FROM ? WHERE user = ? AND pass = ?


No, I believe that's how the bind_param function works. It replaces the '?'s with the variables.

On another note, I got quoting to work instead in under 5 minutes, so it's not an issue anymore. I heard it's not as secure as binding, but it should be fine. The SQL injection I used in the unsecured one doesn't work now, so I'm guessing it'll be okay. That just really confuses me as to why that statement was null...
foamy3 wrote:
No, I believe that's how the bind_param function works. It replaces the '?'s with the variables.

On another note, I got quoting to work instead in under 5 minutes, so it's not an issue anymore. I heard it's not as secure as binding, but it should be fine. The SQL injection I used in the unsecured one doesn't work now, so I'm guessing it'll be okay. That just really confuses me as to why that statement was null...


From the docs on mysqli_prepare:

Quote:
Note: The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.
However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign. The latter restriction is necessary because it would be impossible to determine the parameter type. It's not allowed to compare marker with NULL by ? IS NULL too. In general, parameters are legal only in Data Manipulation Language (DML) statements, and not in Data Definition Language (DDL) statements.


I don't know why you wanted to use ? for a table name anyway, that doesn't get you anything but confusion and a source of bugs since the rest of the statement (column names, etc...) all depend on the table in question.

You (and Kerm) should use mysqli_prepare, it is much better and safer since it also knows the context and types as well as how to escape.
Kllrnohj wrote:
I don't know why you wanted to use ? for a table name anyway, that doesn't get you anything but confusion and a source of bugs since the rest of the statement (column names, etc...) all depend on the table in question.


All of the tables have the same columns, so that wouldn't be an issue. The user needs to have the ability to choose which table they try to log into, though. Does that mean binding isn't an option in this context since my from clause needs to be a variable?
foamy3 wrote:
Kllrnohj wrote:
I don't know why you wanted to use ? for a table name anyway, that doesn't get you anything but confusion and a source of bugs since the rest of the statement (column names, etc...) all depend on the table in question.


All of the tables have the same columns, so that wouldn't be an issue. The user needs to have the ability to choose which table they try to log into, though. Does that mean binding isn't an option in this context since my from clause needs to be a variable?

If you tack the table name in from an array of string constants, you should be safe doing the rest of the query with ? wildcards, and binding to it.
foamy3 wrote:
All of the tables have the same columns, so that wouldn't be an issue. The user needs to have the ability to choose which table they try to log into, though. Does that mean binding isn't an option in this context since my from clause needs to be a variable?


Then it sounds to me like your database is poorly designed. But if you want to stick with that then either use Elf's idea or just use the regular escape for the table name and bind the rest of the parameters.
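Putting elfprince13's and Kllrnohj's suggestions together, as an added example that is not code from anyone in this thread: the table name is looked up in a fixed array of string constants (never taken from the SQL string itself), only the user and password values are bound with `?`, and the return value of `prepare()` is checked so a failed prepare is reported instead of producing the "bind_param() on a non-object" fatal error. It assumes `$dbserver`, `$dbusername`, `$dbpassword` and a database name `$dbname` are already set, and that the `mysqlnd` driver is available for `get_result()`.

```php
<?php
// Added example, not from the original thread.
// Tables a user may log into, keyed by the value the login form sends.
// Anything not in this array is rejected before it touches the SQL string,
// which is what makes interpolating the identifier safe.
const LOGIN_TABLES = [
    'students' => 'students',
    'staff'    => 'staff',
];

function tableForLogin(string $requested): ?string
{
    return LOGIN_TABLES[$requested] ?? null;
}

function findUser(mysqli $mysqli, string $requestedTable, string $inputuser, string $inputpass): ?array
{
    $table = tableForLogin($requestedTable);
    if ($table === null) {
        return null; // unknown table name: never reaches the query
    }

    // The identifier is a constant from the whitelist; the markers only
    // stand in for comparison values, which mysqli_prepare allows.
    $sql = "SELECT * FROM `$table` WHERE user = ? AND pass = ?";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        // This is the situation the thread hit: prepare() returned false
        // (on PHP 8.1+ it throws instead), so bind_param() had no object.
        throw new RuntimeException("prepare failed: " . $mysqli->error);
    }

    $stmt->bind_param('ss', $inputuser, $inputpass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed connection settings; the fourth argument selects the database.
$mysqli = new mysqli($dbserver, $dbusername, $dbpassword, $dbname);
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

$row = findUser($mysqli, $_POST['table'] ?? '', $_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $row === null ? "login failed\n" : "welcome {$row['user']}\n";
```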