
I use the bind_param() member function in my query, but I get an error with my code. This is the piece of my code:

<?php

session_start();
include_once 'functions.php';
loging(basename(__FILE__));
if (!isset($_SESSION['user'])) {
    redirect('login.php');
}

$day_id = date('w');

$database = new mysqli('127.0.0.1', 'user', 'user', 'kantin');
$sesi = $_POST['sesi'];
$lauk = $_POST['lauk'];
$sayur = $_POST['sayur'];
$minuman = $_POST['minuman'];
$user = $_SESSION['username'];

$query_user = "SELECT * FROM user WHERE username LIKE '" . $user . "'";
$statement_user = $database->query($query_user);
$row_user = $statement_user->fetch_assoc();
$id_user = $row_user['user_id'];

$query_sesi = "SELECT * FROM sesi WHERE sesi LIKE '" . $sesi . "'";
$statement_sesi = $database->query($query_sesi);
$row_sesi = $statement_sesi->fetch_assoc();
$id_sesi = $row_sesi['sesi_id'];

$query_alt_id = "SELECT * FROM alternatif WHERE id_hari='" . $day_id . "' AND id_sesi= '" . $id_sesi . "' AND lauk_alt LIKE '" . $lauk . "'";
$statement_alt_id = $database->query($query_alt_id);
while ($row_alt_id = $statement_alt_id->fetch_assoc()) {
    $id_alt = $row_alt_id['alternatif_id'];
    $id_menu = $row_alt_id['lauk_alt'];
    $id_hari = $row_alt_id['id_hari'];
    $id_sesi = $row_alt_id['id_sesi'];
}

$query_insert = "INSERT INTO update (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";
$statement_insert = $database->prepare($query_insert);
$statement_insert->bind_param('iiii', $id_alt, $id_user, $id_hari, $id_sesi);
$statement_insert->execute();


redirect('today_menu.php');
?>

When I execute the code, I get the error:

Fatal error: Call to a member function bind_param() on a non-object in C:\xampp\htdocs\IBAD\Kantin_Pakoper\change_alternatif_process.php on line 40

Dharman

2 Answers


You're getting an error from the call to prepare(), so it's returning false instead of a mysqli_stmt. To see the MySQL error message, do:

$statement_insert = $database->prepare($query_insert) or die($database->error);

In this case, the problem is that update is a MySQL reserved word. To use it as a table name, you need to put it in backticks:

$query_insert = "INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";

I find it strange that you put all the column names in backticks, even though they don't need it, but you didn't put the table name in backticks.

Also, why aren't you using prepared statements for all the other queries? If you don't use bind_param(), you need to escape the strings before concatenating them into the queries.

Barmar
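As an added example (not code from the question or from either answer), here are the asker's three lookups and the INSERT rewritten as mysqli prepared statements, with the reserved-word table name backticked and prepare() failures surfaced as exceptions instead of a silent false. It assumes the same connection details, tables and column names as the question, that mysqlnd is available for get_result(), and that the helper name fetchOne is hypothetical; it also compares with = rather than LIKE so wildcard characters in the input have no effect.

```php
<?php
// Added example, not the asker's code: every user-controlled value is bound
// as a parameter, never concatenated into the SQL text.
declare(strict_types=1);
session_start();

// Make prepare()/execute() throw mysqli_sql_exception on failure, so a bad
// statement can never hand back false that is then used as an object.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$database = new mysqli('127.0.0.1', 'user', 'user', 'kantin'); // assumed, as in the question

/** Hypothetical helper: run a SELECT with bound parameters, return first row or null. */
function fetchOne(mysqli $db, string $sql, string $types, ...$params): ?array
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, ...$params);   // unpacking passes elements by reference
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$user   = $_SESSION['username'] ?? '';
$sesi   = $_POST['sesi'] ?? '';
$lauk   = $_POST['lauk'] ?? '';
$day_id = (int) date('w');

// Quotes or % in $user / $sesi / $lauk cannot change these queries.
$rowUser = fetchOne($database, 'SELECT user_id FROM user WHERE username = ?', 's', $user);
$rowSesi = fetchOne($database, 'SELECT sesi_id FROM sesi WHERE sesi = ?', 's', $sesi);
if ($rowUser === null || $rowSesi === null) {
    exit('Unknown user or session');
}
$rowAlt = fetchOne(
    $database,
    'SELECT alternatif_id, id_hari, id_sesi FROM alternatif'
    . ' WHERE id_hari = ? AND id_sesi = ? AND lauk_alt = ?',
    'iis', $day_id, (int) $rowSesi['sesi_id'], $lauk
);
if ($rowAlt === null) {
    exit('No matching alternative');
}

// `update` is a reserved word, so the table name must be backticked.
$insert = $database->prepare(
    'INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?, ?, ?, ?)'
);
$insert->bind_param('iiii', $rowAlt['alternatif_id'], $rowUser['user_id'],
                    $rowAlt['id_hari'], $rowAlt['id_sesi']);
$insert->execute();
```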

Your query has not been prepared properly, probably because the syntax is incorrect. In future, use an if statement around your prepare so that you can avoid other operations if the syntax is wrong, as follows:

if($statement_insert = $database->prepare($query_insert)) {
   $statement_insert->bind_param('iiii', $id_alt, $id_user, $id_hari, $id_sesi);
   $statement_insert->execute();
}
elseif($database->error) {
   echo "Could not prepare SQL: " . $database->error;
}

The problem with your current SQL is that update is a special word in MySQL (and SQL in general), so you need to put the table name in the correct markup:

$query_insert = "INSERT INTO `update` (`id_menu_alt`, `id_user`, `id_hari`, `id_sesi`) VALUES (?,?,?,?)";

worldofjr