I get the following error:
PHP Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':name, :cate, :content, :thumbnail, :price, :sale_price, :sale_ratio, :cnt, :...' at line 2 in C:\xampp\htdocs\craft sutra\theme\admin\product\product_ok.php:84
I've been trying to insert some data in a prepared statement after receiving some comments that my SQL is prone to SQL injections.
database connection:
<?php
// Our database config
$host = "localhost";
$dbname = "craft sutra";
$username = "root";
$password = "";
// Connect to our MySQL database
$conn = mysqli_connect($host, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
So here I have edited the code:
$query = "INSERT INTO 제품 (name, cate, content, thumbnail, price, sale_price, sale_ratio, cnt, sale_cnt, isnew, isbest, isrecom, ismain, locate, userid, sale_end_date, reg_date, delivery_fee) VALUES (:name, :cate, :content, :thumbnail, :price, :sale_price, :sale_ratio, :cnt, :sale_cnt, :isnew, :isbest, :isrecom, :ismain, :locate, '".$_SESSION['AUID']."', :sale_end_date, now(), :delivery_fee);";
$stmt = $conn->prepare($query);
$stmt->bindParam(":name", $name);
$stmt->bindParam(":cate", $cate);
$stmt->bindParam(":content", $content);
$stmt->bindParam(":thumbnail", $thumbnail);
$stmt->bindParam(":price", $price);
$stmt->bindParam(":sale_price", $sale_price);
$stmt->bindParam(":sale_ratio", $sale_ratio);
$stmt->bindParam(":cnt", $cnt);
$stmt->bindParam(":sale_cnt", $sale_cnt);
$stmt->bindParam(":isnew", $isnew);
$stmt->bindParam(":isbest", $isbest);
$stmt->bindParam(":isrecom", $isrecom);
$stmt->bindParam(":ismain", $ismain);
$stmt->bindParam(":locate", $locate);
$stmt->bindParam("'".$_SESSION['AUID']."'", $userid);
$stmt->bindParam(":sale_end_date", $sale_end_date);
$stmt->bindParam("now()", $reg_date);
$stmt->bindParam(":delivery_fee", $delivery_fee);
$stmt->execute();
This is my original query without using prepared statements:
How can I apply prepared statements correctly?
I have a mysqli connection.
$sale_cnt = 0; // sales volume
$query="INSERT INTO products
(name, cate, content, thumbnail, price, sale_price, sale_ratio, cnt, sale_cnt, isnew, isbest, isrecom, ismain, locate, userid, sale_end_date, reg_date, delivery_fee)
VALUES('$name'
, '".$cate."'
, '".$contents."'
, '".$thumbnail."'
, '".$price."'
, '".$sale_price."'
, '".$sale_ratio."'
, ".$cnt."
, ".$sale_cnt."
, '".$isnew."'
, '".$isbest."'
, '".$isrecom."'
, '".$ismain."'
, '".$locate."'
, '".$_SESSION['AUID']."'
, '".$sale_end_date."'
, now()
, '".$delivery_fee."'
)";
$rs=$mysqli->query($query) or die($mysqli->error);
$pid = $mysqli -> insert_id;
if($rs){
My attempt at adding a prepared statement:
$query="INSERT INTO 제품
(name, cate, content, thumbnail, price, sale_price, sale_ratio, cnt, sale_cnt, isnew, isbest, isrecom, ismain, locate, userid, sale_end_date, reg_date, delivery_fee)
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '".$_SESSION['AUID']."', ?, now(), ?);";
$stmt = $conn->prepare($query);
$stmt->bind_param("ssssdddiiiiiiisd", $name, $cate, $content, $thumbnail, $price, $sale_price, $sale_ratio, $cnt,
$sale_cnt, $isnew, $isbest, $isrecom, $ismain, $locate, $sale_end_date, $delivery_fee);
$stmt->execute();
$rs=$conn->query($stmt) or die($conn->error);
$pid = $conn -> insert_id;
Then I get the error:
Unknown column 'now' in 'field list' Unknown column 'admin' in 'field list'
admin is the session id for ".$_SESSION['AUID']."
Why is it being recognized as a column?
I added apostrophes around ".$_SESSION['AUID']." and it's working,
but there's a new error now haha:
Uncaught TypeError: mysqli::query(): Argument #1 ($query) must be of type string, mysqli_stmt
It's referring to the first line below:
$rs=$conn->query($stmt) or die($conn->error);
$pid = $conn -> insert_id;
if($rs){
How can I apply prepared statements to the UPDATE query below?
$sql = "UPDATE 제품사진 SET pid=$pid WHERE imgid in (".$file_table_id.")";
3 Answers
First, change this query's reference parameters: check the last session and now.
Then change the parameter binding lines which bind session and now.
Looks like you're mixing PDO and mysqli paradigms: 'bindParam' vs 'bind_param'.
Read more here: https://www.php.net/manual/en/mysqli-stmt.bind-param.php
Try something like this:
Example update:
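An added example, not code from the answer above or from the asker's project, showing the two statements from the question with mysqli placeholders for every value, including the session user id, and the UPDATE ... IN (...) list built from one placeholder per id. It assumes $conn is the mysqli connection from the question, that the bind types match the quoting in the original query (prices as doubles, counts and flags as ints, the rest strings), and that $file_table_id is a comma-separated list of integer ids.

```php
<?php
// Added example (not from any answer above). Assumes $conn is the mysqli
// connection from the question; bind types are an assumption from the quoting
// in the original INSERT.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of "or die"

function insert_product(mysqli $conn, array $p, string $userid): int
{
    // The session user id is data, so it is bound like every other value.
    // now() is SQL, not data, so it stays in the query text and is not bound.
    $sql = "INSERT INTO 제품
        (name, cate, content, thumbnail, price, sale_price, sale_ratio, cnt, sale_cnt,
         isnew, isbest, isrecom, ismain, locate, userid, sale_end_date, reg_date, delivery_fee)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, now(), ?)";
    $stmt = $conn->prepare($sql);
    // 17 placeholders, so 17 type letters, in column order (s=string, d=double, i=int).
    $stmt->bind_param(
        'ssssdddiiiiiisssd',
        $p['name'], $p['cate'], $p['content'], $p['thumbnail'],
        $p['price'], $p['sale_price'], $p['sale_ratio'],
        $p['cnt'], $p['sale_cnt'], $p['isnew'], $p['isbest'], $p['isrecom'], $p['ismain'],
        $p['locate'], $userid, $p['sale_end_date'], $p['delivery_fee']
    );
    $stmt->execute();        // no $conn->query($stmt): the statement runs itself
    return $conn->insert_id; // new product id, needed for the UPDATE below
}

function attach_images(mysqli $conn, int $pid, string $file_table_id): int
{
    // $file_table_id arrives as "3,7,9": one placeholder per id, never the raw string.
    $ids = array_map('intval', explode(',', $file_table_id));
    $in  = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $conn->prepare("UPDATE 제품사진 SET pid = ? WHERE imgid IN ($in)");
    $params = array_merge([$pid], $ids);
    $stmt->bind_param(str_repeat('i', count($params)), ...$params);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage with the variables from the question (session already started):
$p = compact('name', 'cate', 'content', 'thumbnail', 'price', 'sale_price', 'sale_ratio',
             'cnt', 'sale_cnt', 'isnew', 'isbest', 'isrecom', 'ismain', 'locate',
             'sale_end_date', 'delivery_fee');
$pid = insert_product($conn, $p, $_SESSION['AUID']);
attach_images($conn, $pid, $file_table_id);
```

Note that the `UPDATE` only needs `$file_table_id` split and cast to integers once; if the list can be empty, skip the call entirely rather than building `IN ()`.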
A prepared statement in PHP is a way to execute SQL queries safely by separating SQL code from user-provided data. This helps prevent SQL injection attacks and ensures the integrity of your database operations. To create a prepared statement for an INSERT query in PHP, you can use the PDO (PHP Data Objects) extension. Here’s an example of how to use prepared statements for inserting data into a database: