mysqli_select_db() expects parameter 1 to be mysqli, string given

Question 1

I am new to Mysqli_* and I am getting these errors:

Warning: mysqli_select_db() expects parameter 1 to be mysqli, string given in D:Hosting9864230htmlincludesconnection.php on line 11

Warning: mysqli_error() expects exactly 1 parameter, 0 given in D:Hosting9864230htmlincludesconnection.php on line 13

Database selection failed:

<?php
require("constants.php");

// 1. Create a database connection
$connection = mysqli_connect(DB_SERVER,DB_USER,DB_PASS);
if (!$connection) {
    die("Database connection failed: " . mysqli_error());
}

// 2. Select a database to use 
$db_select = mysqli_select_db(DB_NAME,$connection);
if (!$db_select) {
    die("Database selection failed: " . mysqli_error());
}
?>

Question 2

Your arguments are in the wrong order. The connection comes first according to the docs

<?php
require("constants.php");

// 1. Create a database connection
$connection = mysqli_connect(DB_SERVER,DB_USER,DB_PASS);

if (!$connection) {
    error_log("Failed to connect to MySQL: " . mysqli_error($connection));
    die('Internal server error');
}

// 2. Select a database to use 
$db_select = mysqli_select_db($connection, DB_NAME);
if (!$db_select) {
    error_log("Database selection failed: " . mysqli_error($connection));
    die('Internal server error');
}

?>

Question 3

I went ahead and ran a test where one query uses a prepared statement, and the other builds the entire query then executes that. I'm probably not making what I'm wanting to know easy to understand.

Here's my test code. I was thinking prepared statements sort of held back execution until a $stmt->close() was called to optimize it or something. That doesn't appear to be the case though as the test that builds the query using real_escape_string is at least 10 times faster.

<?php

$db = new mysqli('localhost', 'user', 'pass', 'test');

$start = microtime(true);
$a = 'a';
$b = 'b';

$sql = $db->prepare('INSERT INTO multi (a,b) VALUES(?, ?)');
$sql->bind_param('ss', $a, $b);
for($i = 0; $i < 10000; $i++)
{
    $a = chr($i % 1);
    $b = chr($i % 2);
    $sql->execute();
}
$sql->close();

echo microtime(true) - $start;

$db->close();

?>

Question 4

This actually depends on the Mysql server. The default max size for all data combined in the entire query is 1mb. See: http://dev.mysql.com/doc/refman/5.1/en/packet-too-large.html

If your data combined is under that "max_allowed_packet" threshold, just use "s" for the binding type for any text field. Infact, you can usually get away with using "s" for any field type at all (date, float, etc).

If your entire entry combined that you want to insert is over 1mb (or whatever you reset it to) in length, you'll want to use mysqli_stmt::send_long_data method and the "b" binding type to send this particular field in chunks.

Question 5

You're using it the opposite way:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

So it should be:

$name = mysqli_real_escape_string($con, trim($_POST["name"]));

Source: http://php.net/mysqli_real_escape_string

Since you're using MySQLi I would suggest you to just jump into prepared statements rather than real_escape, like this:

<?php 
// Your database info 
$db_host = 'host'; 
$db_user = 'user'; 
$db_pass = 'pass'; 
$db_name = 'database';

// POST data
$id = $_POST['id'];
$name = trim($_POST["name"]);

$con = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
if ($con->connect_error)
{
    die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}

$sql = "UPDATE characters SET name = ? WHERE id = ?"; 
if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

if (!$result->bind_param('si', $name, $id))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

$result->close();
$con->close();
echo "Successfully updated";
?>
<a href="index.php">Back to index</a>

To select the character name:

<?php 
// Your database info 
$db_host = 'host'; 
$db_user = 'user'; 
$db_pass = 'pass'; 
$db_name = 'database';

// POST data
$id = $_POST['id'];

$con = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
if ($con->connect_error)
{
    die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
}

$sql = "SELECT name FROM characters WHERE id = ?";
if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

if (!$result->bind_param('i', $id))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

$result->store_result();
if ($result->num_rows == 0)
{
    die('No character found...');
}

$result->bind_result($name);
$result->fetch();
$result->close();
$con->close();
echo $name;

Question 6

Problem

You are missing how to pass the argument to mysqli_fetch_array().

Solution

Therefore, this line:

if(mysqli_query($cons, $result)) {

should be

if($res = mysqli_query($cons, $result)) { // assign the return value of mysqli_query to $res

^{(FWIW, I'd go with $res = mysqli_query($cons, $result); then do if($res) {.)}

And then do

while($row = mysqli_fetch_array($res)) // pass $res to mysqli_fetch_array instead of the query itself

Why?

You were giving to mysqli_fetch_array() - as an argument - the string that contains your query. That's not how it works. You should pass the return value of mysqli_query() instead. Therefore, you could also write: while($row = mysqli_fetch_array(mysqli_query($cons, $result))) {} (but it's not adviced, it is just to show you how it works).

mysqli_select_db() expects parameter 1 to be mysqli, string given

Answers

php,mysqli