Gypsy Boy
Redeemer



Registered: 03/17/17
Posts: 4,501
Loc: Deep in the discoteka
Last seen: 2 months, 25 days
PHP Ghetto...
#27045304 - 11/18/20 10:40 AM (3 years, 2 months ago)
Ythan and anyone else, please help. I am trying to recode my SQL PHP code into a "prepared statement".
This is my original code:
Quote:
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('DB_HOST', 'localhost');
define('DB_NAME', 'bbs');
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die('Couldnt connect' . mysqli_connect_error());
mysqli_set_charset($dbc, 'utf8');
$sql = "SELECT * FROM ftg ORDER BY post_id ASC LIMIT 500";
$result = mysqli_query($dbc, $sql);
while ($resultarr = mysqli_fetch_assoc($result)) {
    $r1 = $resultarr["message"];
    echo $r1;
}
And this is my attempt at making a prepared statement:
Quote:
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "bbs";
$conn = new mysqli($servername, $username, $password, $dbname);
$sql = "SELECT * FROM ftg WHERE post_id=?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $post_id);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo "<textarea name=\"message\" cols=\"70\" rows=\"12\" maxlength=\"7500\" wrap=\"soft\" class=\"message\" style=\"background-color: '#A7A7A7' \">";
    echo $row['message'];
    echo "</textarea>";
}
Does not work.
My table name is "ftg" with 3 columns: post_id, message and date.
Now I had no problems creating prepared statements with INSERT queries:
Quote:
$stmt = $conn->prepare("INSERT INTO ftg (message) VALUES (?)");
$stmt->bind_param("s", $message);
$message = $_REQUEST['message'];
$stmt->execute();
That works, but SELECT and echo are more difficult.
Edited by Gypsy Boy (11/18/20 11:02 AM)
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 1 hour, 15 minutes
That code looks to me like it should work. Is there anything in your error logs?
Gypsy Boy
Re: PHP Ghetto... [Re: Ythan]
#27045504 - 11/18/20 12:51 PM (3 years, 2 months ago)
Empty screen bro. Perhaps we need to rephrase
$sql = "SELECT * FROM ftg WHERE post_id=?"; into $sql = "SELECT * FROM ftg"; or just this: $sql = "SELECT message FROM ftg";
There's only 3 columns: post_id, message, time.
The code is supposed to show one box with a message after another, like I explained in the first post, but for some reason it proves rather difficult.
Edited by Gypsy Boy (11/18/20 12:58 PM)
Quote:
$sql = "SELECT * FROM ftg";
$stmt = $conn->prepare($sql);
$stmt->bind_param("", '');
$stmt->execute();
This bit is what I'm not sure of.
Do you even need parameters (?) in a SELECT MySQL query?
Gypsy Boy
Quote:
$sql = "SELECT message FROM ftg";
$stmt = $conn->prepare($sql);
$stmt->bind_param("", '');
$stmt->execute();
See, there are no ? parameters, so how do I fill the $stmt->bind_param("", ''); line?
Like I asked, do I even need to prep statements for a SELECT query? Is it injection prone?
Gypsy Boy
Re: PHP Ghetto... [Re: Ythan]
#27045513 - 11/18/20 01:01 PM (3 years, 2 months ago)
Quote:
Ythan said: Is there anything in your error logs?
Fatal error: Uncaught Error: Cannot pass parameter 2 by reference in C:\wamp64\www\FF\list.php on line 31
Line 31
$stmt->bind_param("", '');
But there are other errors.
Gypsy Boy
It fucking SUCKS studying from home without a tutor/mentor/teacher.
Gypsy Boy
Wait a second. I am working on a page that LISTS database message entries, how would I be vulnerable to an injection attack if there's no form to submit???
Gypsy Boy
Here:
Quote:
$sql = "SELECT message FROM ftg WHERE post_id=?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $post_id);
$stmt->execute();
$result = $stmt->get_result();
$message = $result->fetch_assoc();
echo "$message";
Perfectly legit code, yet the screen is blank, no printout or anything.
Ythan
The new code should work, I think you probably aren't setting a value for $post_id before you try to bind it as a parameter. Do you have PHP configured to echo errors on screen? What if you add this at the top of your script:
Code:
ini_set('display_errors', 1);
But if your intention is to retrieve all records and not just a single record matching $post_id, then your original code was fine. You don't need to use a prepared statement because you don't have any parameters. If you want to use that syntax to be consistent, you'd just remove the WHERE clause in the query, and the line where you bind the param.
[...]
Code:
$sql = "SELECT * FROM ftg";
$stmt = $conn->prepare($sql);
$stmt->execute();
[...]
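The two things Ythan's reply points at, the never-assigned $post_id and the parameter-free SELECT, put together as one working listing page. This is an added example, not code from the thread or from Ythan. It assumes the same WAMP setup described above (localhost, user root with an empty password, database bbs) and a table ftg with at least post_id and message columns. Beyond the thread's own case it also handles a ?post_id= value taken from the query string, to show where a placeholder is actually needed even with no form on the page, and it escapes the message text on output, which the code in the first post echoes raw into the textarea.

```php
<?php
// Added example, not the poster's code. Assumed environment: WAMP on localhost,
// MySQL user root with empty password, database bbs, table ftg(post_id, message).

// Turn mysqli failures into exceptions instead of a silent blank page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli('localhost', 'root', '', 'bbs');
// utf8mb4 rather than utf8 so 4-byte characters (emoji) are not truncated.
$conn->set_charset('utf8mb4');

// Case 1: no user input and no placeholders. prepare()/execute() still works,
// but there is nothing to bind, so bind_param() is simply not called.
// bind_param("", '') cannot work: bind_param takes its arguments by reference,
// and '' is a literal, which is the "Cannot pass parameter 2 by reference" error.
function listAllMessages(mysqli $conn): array
{
    $stmt = $conn->prepare('SELECT post_id, message FROM ftg ORDER BY post_id ASC LIMIT 500');
    $stmt->execute();
    $result = $stmt->get_result();              // get_result() needs the mysqlnd driver
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Case 2: one message picked by id. The id comes from the URL (?post_id=7),
// which is user input even though the page has no <form>: anyone can edit the
// query string. This is the case where the placeholder is needed.
function getMessageById(mysqli $conn, int $postId): ?array
{
    $stmt = $conn->prepare('SELECT post_id, message FROM ftg WHERE post_id = ?');
    $stmt->bind_param('i', $postId);            // a variable, so by-reference binding works
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // null when no row matches
    $stmt->close();
    return $row ?: null;
}

// fetch_assoc() returns an array, so print $row['message'], not echo "$message".
// The text is escaped: a stored message containing "</textarea><script>..."
// would otherwise break out of the box and run in every reader's browser.
function renderTextarea(string $message): string
{
    return '<textarea name="message" cols="70" rows="12" maxlength="7500" wrap="soft" class="message">'
         . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . "</textarea>\n";
}

if (isset($_GET['post_id'])) {
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer, e.g. "7 OR 1=1".
    $postId = filter_var($_GET['post_id'], FILTER_VALIDATE_INT);
    if ($postId === false) {
        http_response_code(400);
        exit('bad post_id');
    }
    $row = getMessageById($conn, $postId);
    if ($row === null) {
        http_response_code(404);
        exit('no such post');
    }
    echo renderTextarea($row['message']);
} else {
    foreach (listAllMessages($conn) as $row) {
        echo renderTextarea($row['message']);
    }
}
```

With MYSQLI_REPORT_STRICT on, a wrong table or column name, a failed connection, or a bind error surfaces as an exception with a message, so the blank screen from the thread turns into something you can read in the browser (with display_errors on) or in the PHP error log.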
Ythan
Quote:
Gypsy Boy said: Wait a second. I am wokring on a page that LIST database message entries, how would i be vulnerable to injection attack if theres no form to submit???
You responded while I had my reply window open but it looks like you were already on your way to figuring it out.
Gypsy Boy
...Well, I've been told it is not necessary to use a prepared statement when there is no user input.

Posted this as you were submitting your reply!
Gypsy Boy
Quote:
If your intention is to retrieve all records and not just a single record matching $post_id, then your original code was fine. You don't need to use a prepared statement because you don't have any parameters

Gonna feed my cat now, she's been starving while I was coding.
Gypsy Boy
Ohh, and thanks Ythan dude, much appreciate your help!