
is this code ok? because I don't get my db updated and I get no errors. Thank you.

```php
//connect to db

$email = $mysqli->real_escape_string($_POST['email']);
$bo = $mysqli->real_escape_string($_POST['bo']);
$p1 = $mysqli->real_escape_string($_POST['p1']);
$p2 = $mysqli->real_escape_string($_POST['p2']);
$dt = $mysqli->real_escape_string($_POST['dt']);

$dt = new DateTime("2012-07-01 13:13:13", new DateTimeZone('Europe/Paris'));

//more validation code...

$stmt = $mysqli->prepare('UPDATE table SET Password=?, R_P=?, R_T=? WHERE E_mail=?');
$stmt->bind_param("ssss", $p2, $p2, $dt, $email);
$stmt->execute();
$stmt->close();

$mysqli->close();

//send email
```

I had no errors because I forgot to add on my page a thing that I always add on all my pages:

```php
// check for errors
require_once('check_all_errors.php');
```
Pavlos1316
  • If you do not get any errors and you feel unsure, you can do some things to improve your situation: 1.) Enable error reporting to the highest level for debugging/development purposes. 2.) Check return values from functions for error conditions and report these errors yourself. – hakre Jul 19 '12 at 09:44
  • possible duplicate of [problem with mysqli_real_escape_string](http://stackoverflow.com/q/5385822/), [Is mysql_real_escape_string() necessary when using prepared statements?](http://stackoverflow.com/q/6232084/) – outis Jul 19 '12 at 09:54
  • @Robinv.G. I ask some questions that sometimes are not answered for some reasons... either because they are "stupid" questions or something. So how can I accept an answer for them? I am reviewing my questions in case I forgot to accept any of them. – Pavlos1316 Jul 19 '12 at 09:55
  • @outis Would the double bind_param("...", $p2, $p2) be a problem? – Pavlos1316 Jul 19 '12 at 09:56
  • RE: `mysqli::real_escape_string`/`mysqli::prepare`. See also [Are PHP MySQLi prepared queries with bound parameters secure?](http://stackoverflow.com/q/1561586/). – outis Jul 19 '12 at 10:03
  • @outis you mean that since I am using "prepare" the "real_escape" is not needed... Correct? – Pavlos1316 Jul 19 '12 at 10:27

1 Answer


You encode the data twice, once manually and once by supplying it to a prepared statement. Just encode it once, like:

```php
$stmt = $mysqli->prepare('UPDATE table SET Password=?');
$stmt->bind_param('s', $_POST['password']);
```

By the way, unless you truly want to write MySQL-specific code, there's no reason to use mysqli anymore. The PDO module supports multiple databases out of the box, with a similar interface.

phihag
  • I will clear my code and encode the data just once. Thank you. – Pavlos1316 Jul 19 '12 at 11:06
  • After my validation I am sending an email with user info, and I was using $password. Now what am I going to use to send the info? $_POST['password'] is not accepted. – Pavlos1316 Jul 19 '12 at 11:20
  • If you're sending an email, you'll have to encode the value differently than when you're including it in an SQL query. In a plain-text email, you can just include it. In a HTML email, use [`htmlspecialchars`](http://php.net/htmlspecialchars). – phihag Jul 19 '12 at 11:26
  • I am sending plain text. what do you mean include it? – Pavlos1316 Jul 19 '12 at 11:33
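As an added example (not the asker's or the answerer's code), here is the update from the question rewritten along the lines of the answer and hakre's comment: mysqli exceptions enabled, bound parameters only, the DateTime formatted before binding, and the affected-row count checked afterwards. The table name `users`, the connection details, the password hashing, and the use of only the Password, R_T and E_mail columns are assumptions.

```php
<?php
// Added example, not code from the question or the answer: the UPDATE from the
// question rewritten so that failures surface as exceptions and each value
// reaches MySQL exactly once, through bound parameters only.
// Assumptions: a table `users` with the Password, R_T and E_mail columns
// named in the question, and the connection details below.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // assumed credentials
$mysqli->set_charset('utf8mb4');

$email = $_POST['email'] ?? '';
$p1    = $_POST['p1'] ?? '';
$p2    = $_POST['p2'] ?? '';

if ($p1 === '' || $p1 !== $p2) {
    exit('Passwords are missing or do not match.');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid e-mail address.');
}

// No real_escape_string(): bound values travel separately from the SQL text,
// so escaping them here would only store a backslash-mangled copy ("O\'Brien").
// Hash the password rather than storing it as typed (assumed column is wide enough).
$hash = password_hash($p1, PASSWORD_DEFAULT);

// bind_param() has no type for objects: a DateTime must be formatted to a
// string before binding, which is what the question's $dt was missing.
$when = (new DateTime('now', new DateTimeZone('Europe/Paris')))->format('Y-m-d H:i:s');

$stmt = $mysqli->prepare('UPDATE users SET Password = ?, R_T = ? WHERE E_mail = ?');
$stmt->bind_param('sss', $hash, $when, $email);
$stmt->execute();

// "No errors" still does not mean "row updated": a WHERE that matches nothing
// succeeds with zero affected rows (a fresh hash always differs, so a matched
// row always counts), so check the count explicitly.
if ($stmt->affected_rows === 0) {
    error_log('No account matched the e-mail given for update'); // do not echo $email back
}

$stmt->close();
$mysqli->close();
```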