Viewed   143 times
    // if the 'id' variable is not set in the URL, we must be creating a new record
    else
    {
            // if the form's submit button is clicked, we need to process the form
            if (isset($_POST['submit']))
            {
                    // get the form data

                            $mtcn = htmlentities($_POST['mtcn'], ENT_QUOTES);
                            $amount = htmlentities($_POST['amount'], ENT_QUOTES);
                            $currency = htmlentities($_POST['currency'], ENT_QUOTES);
                            $sender_name = htmlentities($_POST['sender_name'], ENT_QUOTES);
                            $sender_country = htmlentities($_POST['sender_country'], ENT_QUOTES);
                            $receiver_name = htmlentities($_POST['receiver_name'], ENT_QUOTES);
                            $comment = htmlentities($_POST['comment'], ENT_QUOTES);
                            $support = htmlentities($_POST['support'], ENT_QUOTES);
                            $email = htmlentities($_POST['email'], ENT_QUOTES);

                    // check that mtcn and amount  are both not empty
                    if ($mtcn == '' || $amount == '')
                    {
                            // if they are empty, show an error message and display the form
                            $error = 'ERROR: Please fill in all required fields!';
                            renderForm($mtcn, $amount, $currency, $sender_name, $sender_country, $receiver_name, $comment, $support, $email, $error);
                    }
                    else
                    {
                            // insert the new record into the database
                            if ($stmt = $mysqli->prepare("INSERT date (mtcn, amount, currency, sender_name, sender_country, receiver_name, comment, support, email) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"))
                            {
                                    $stmt->bind_param("ss", $mtcn, $amount, $currency, $sender_name, $sender_country, $receiver_name, $comment, $support, $email);
                                    $stmt->execute();
                                    $stmt->close();
                            }
                            // show an error if the query has an error
                            else
                            {
                                    echo "ERROR: Could not prepare SQL statement.";
                            }

                            // redirec the user
                         //   header("Location: view.php");
                    }

            }
            // if the form hasn't been submitted yet, show the form
            else
            {
                    renderForm();
            }
    }

    // close the mysqli connection
    $mysqli->close();

When I run the script I'm getting the error:

Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of elements in type definition string doesn't match number of bind variables in C:wampwwwrecords.php on line 205

Warning: mysqli_stmt::execute() [mysqli-stmt.execute]: (HY000/2031): No data supplied for parameters in prepared statement in C:wampwwwrecords.php on line 206

Any idea how I can fix it ? I counted the parameters from bind_param and they seem fine for me ...

 Answers

3

I think you need more 's'-es in this?

 $stmt->bind_param("ss", $mtcn, $amount, $currency, $sender_name, $sender_country, $receiver_name, $comment, $support, $email);

try this (asuming they're all strings)

 $stmt->bind_param("sssssssss", $mtcn, $amount, $currency, $sender_name, $sender_country, $receiver_name, $comment, $support, $email);
Tuesday, October 25, 2022
 
smashed
 
2

The erro says that you have bind N variables but none fields, because it's an insert does not return value. bind_result() should use in selects statements.

To fix, remove this line:

$result=$stmt->bind_result($uuid, $name, $email, $encrypted_password, $salt);
Thursday, December 1, 2022
 
gtd
 
gtd
2

You need to take a look at the manual:

  1. You should not escape your values when you use a prepared statement as you will be adding literal backslashes in your data.
  2. You should not inject your variables in the query but use placeholders (question marks in mysqli) instead. These are bound to your values.

So your query would be:

$query = "INSERT INTO store_customers (
                name,
                email,
                // etc.
            ) VALUES (
                ?,
                ?,
                // etc.
            );
        ";

And you bind your values:

$stmt->bind_value(
    'sssssssissssss',
    $_POST['customer_name'],
    $_POST['customer_email'],
    // etc.
);

Note that I am using bind_value() instead of bind_param() as this seems to be used once only so there is no need to bind parameters, you can bind the values directly. It should not make a difference though.

Friday, September 23, 2022
 
2

Unfortunately, by default, bind_param() doesn't accept an array instead of separate variables. However, since PHP 5.6 there is a magnificent improvement that will do the trick.

To bind an arbitrary number of variables into mysqli query you will need an argument unpacking operator. It will make the operation as simple and smooth as possible.

For example, to use a PHP array with a mysql's IN() operator, you will need the following code

// our array
$array = ['a','b','c']; 

// create an SQL query with placeholders and prepare it
$in    = str_repeat('?,', count($array) - 1) . '?'; //  returns ?,?,?...
$sql   = "SELECT name FROM table WHERE city IN ($in)"; 
$stmt  = $mysqli->prepare($sql);

// create the types string dynamically and bind an array
$types = str_repeat('s', count($array)); // returns sss...
$stmt->bind_param($types, ...$array); 

// execute and fetch the rows
$stmt->execute();
$result = $stmt->get_result(); // get the mysqli result
$data = $result->fetch_all(MYSQLI_ASSOC); // fetch the data   
Saturday, September 10, 2022
 
1

Because:

  1. You are using user-supplied data, you must assume that your query is vulnerable to a malicious injection attack and
  2. the amount of data that is to be built into the query is variable/indefinite and
  3. you are only writing conditional checks on a single table column

You should use a prepared statement and merge all of the WHERE clause logic into a single IN statement.

Building this dynamic prepared statement is more convoluted (in terms of syntax) than using pdo, but it doesn't mean that you need to abandon mysqli simply because of this task.

$mediaArray ='Facebook,Twitter,Twitch,';
$otherMedia = 'House';

$media = array_unique(explode(',', $mediaArray . $otherMedia));
$count = count($media);

$conn = new mysqli("localhost", "root", "", "myDB");
$sql = "SELECT * FROM mediaservices";
if ($count) {
    $stmt = $conn->prepare("$sql WHERE socialmedianame IN (" . implode(',', array_fill(0, $count, '?')) . ")");
    $stmt->bind_param(str_repeat('s', $count), ...$media);
    $stmt->execute();
    $result = $stmt->get_result();
} else {
    $result = $conn->query($sql);
}
foreach ($result as $row) {
    // access values like $row['socialmedianame']
}

For anyone looking for similar dynamic querying techniques:

  • SELECT with dynamic number of LIKE conditions
  • INSERT dynamic number of rows with one execute() call
Sunday, December 18, 2022
 
robault
 
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
 
Share