
I've searched a lot of basically the same questions on SO, which haven't seemed to help. It's been a while since I've touched PHP, so I'm guessing there's a simple solution, but I really can't figure it out.

config.php: (included into admin.php)

$mysqli = new mysqli($mHost, $mUser, $mPass, $db);

admin.php:

$sqlQuery = "INSERT INTO `category` (`id`, `name`) VALUES ('', '$_POST[name]')";
$result = $mysqli->query($sqlQuery);

var_dump($result) returns:

NULL

and gives error:

Fatal error: Call to a member function query() on a non-object in

TomFirth
  • Have you made any attempt at debugging? – Daedalus Jan 20 '14 at 22:01
  • Check your database connection. Are you sure you have the right values for $mHost, $mUser, etc.? – Kevin Schmid Jan 20 '14 at 22:01
  • You have a lot of code to have an error on line 219. It seems $mysqli is not a mysqli object anymore. Maybe there is code before that where $mysqli is changed somehow. – SenseException Jan 20 '14 at 22:04
  • Sidenote: You may want to change `$_POST[name]` to `$_POST['name']`; however, using such a method leaves you open to SQL injection. – Funk Forty Niner Jan 20 '14 at 22:09
  • @Fred-ii- You're wrong... OK: `"{$_POST['name']}"` `"$_POST[name]"` ; NG: `"$_POST['name']"` – mpyw Jan 20 '14 at 22:24
  • Typical, I spent about 2 hrs trying to solve this before posting and it's a basic error. The included file for the config wasn't being included. Every comment was valuable though; I just wanted to get it working before adding security, although the page is only accessible to admins. Thank you. – TomFirth Jan 20 '14 at 22:28

2 Answers


You are not checking the result of the call to new mysqli. If that fails, then $mysqli will be null and not a valid object you can query against.

Also, by building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks. In addition, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parameterized queries, preferably with the PDO module, to protect your web app. My site http://bobby-tables.com/php has examples to get you started, and this question has many examples in detail.

Andy Lester
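The approach the answer above recommends, written out as an added example (this is not code from the question or from either answer): PDO with exceptions enabled, a connection whose failure is actually reported, and a parameterized INSERT. It assumes the same `category(id, name)` table as the question. The DSN is an in-memory SQLite database so the script runs without a MySQL server; the `mysql:` DSN in the comment is what you would build from the question's `$mHost`, `$mUser`, `$mPass` and `$db`. The two input strings standing in for `$_POST['name']` are constructed for the demonstration.

```php
<?php
// Added example, not from the original question or answers.
// Same INSERT as the question, done with PDO, ERRMODE_EXCEPTION and a
// parameterized query. For MySQL the DSN would be
//   "mysql:host=$mHost;dbname=$db;charset=utf8mb4"  with $mUser / $mPass;
// sqlite::memory: is used here only so the example runs offline.
declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    // With ERRMODE_EXCEPTION a failed connection or query throws instead of
    // silently leaving you with false/null, which is what produced the
    // "Call to a member function query() on a non-object" in the question.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function insertCategory(PDO $pdo, string $name): int
{
    // Validate shape before touching the database (length limit is an
    // assumption for the example; pick what your schema allows).
    if ($name === '' || strlen($name) > 64) {
        throw new UnexpectedValueException('category name must be 1-64 bytes');
    }
    // The value is never concatenated into the SQL text; the driver passes it
    // separately, so the quote in "O'Malley" or a DROP TABLE payload is
    // stored as plain data and cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO category (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

try {
    $pdo = connect('sqlite::memory:');
    $pdo->exec('CREATE TABLE category (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

    // Constructed inputs standing in for $_POST['name']: a legitimate name
    // containing a quote, and a classic injection attempt.
    $inputs = ["O'Malley", "x'); DROP TABLE category; --"];
    foreach ($inputs as $input) {
        $id = insertCategory($pdo, $input);
        printf("inserted id %d: %s\n", $id, $input);
    }

    // Both rows are stored verbatim and the table still exists.
    foreach ($pdo->query('SELECT id, name FROM category ORDER BY id') as $row) {
        printf("%d => %s\n", $row['id'], $row['name']);
    }
} catch (PDOException $e) {
    // Keep the real message (host, user, SQL fragment) in the server log and
    // show the browser something generic.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Database error';
}
```

Run it with `php example.php`; it needs the `pdo_sqlite` extension (for the real application, `pdo_mysql`). The one behavioural difference from the question's code worth noting is the `catch`: echoing `$e->getMessage()` to the page is convenient while debugging but leaks connection details and SQL fragments to whoever triggered the error, so log it and return a generic message instead.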

At the outset, you should call

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

This means you don't have to check any return values; just wrap the code in try { ... } catch { ... } blocks.

try {

    // Reject a missing, non-string or empty name before touching the database.
    if (
        !isset($_POST['name'])     ||
        !is_string($_POST['name']) ||
        $_POST['name'] === ''
    ) {
        throw new UnexpectedValueException('$_POST[\'name\'] is empty');
    }

    // With MYSQLI_REPORT_STRICT a failed connection throws mysqli_sql_exception
    // instead of leaving $mysqli unusable.
    $mysqli = new mysqli($mHost, $mUser, $mPass, $db);

    // Prepared statement: the name is bound as a string parameter, never
    // interpolated into the SQL text. The AUTO_INCREMENT id is left to MySQL.
    $stmt = $mysqli->prepare("INSERT INTO `category` (`name`) VALUES (?)");
    $stmt->bind_param('s', $_POST['name']);
    $stmt->execute();

    echo 'Success';

} catch (Exception $e) {

    echo $e->getMessage();

}
mpyw