Why isn't my insert working using prepared statements?

Question

I just recently learned that prepared statements are more suitable method to use than previous deprecated methods.

I tried to the best of my ability and online tutorials to make this work and find out the problem, but I've had no luck, so here I am, asking for help.

 <?php 
 $db = mysql_connect("localhost","root","Mylife2015") or die ("Couldn't   
 connect to SQL server");
 mysql_select_db("i-neo") or die("Couldn't select DB");

 session_start();
 if (isset($_SESSION['user_login'])) {
 $user = $_SESSION["user_login"];
 }
 else {
 $user = "";
 }


 $d  = date('Y-m-d h:i:s a', time());

 if(isset($_POST['log'])){
 $man = $_POST['artist_name'];
 $an = $_POST['album_name'];
 $sn = $_POST['song_name'];
 foreach($_FILES['files']['tmp_name'] as $key => $name_tmp){
     $name = $_FILES['files']['name'][$key];
     $tmpnm = $_FILES['files']['tmp_name'][$key];
     $type = $_FILES['files']['type'][$key];
     $size = $_FILES['files']['size'][$key];
     $dir = "uploads/".$name;
     $move = move_uploaded_file($tmpnm,$dir);
     if($move){
        $msi = $query = "INSERT INTO music ($user, $man, $an, $sn, $name, 
 $type, $size, $dir, $d) VALUES (?,?,?,?,?,?,?,?,?)";
             $stmt = $db->prepare($msi);
             $stmt->bind_param("sssssssss", $user, $man, $an, $sn, $name, 
 $type, $size, $dir, $d);
             $stmt->execute();
        if($msi){
            echo "<script>alert('Insert Successful')</script>";
        } else {
            echo "<script>alert('Upload Fail')</script>";
        }
    } else {
        echo "<script>alert('Uploaded Successfully')</script>";
    }
 }

 }
 ?>

This is my form:

 <form action="" method="post" enctype="multipart/form-data">
 <p>
    <label> Song</label>
    <input type="file" name="files[]" />
 </p>

 <p>
    <label> Artist Name</label>
    <input type="text" name="artist_name" />
 </p>

 <p>
    <label> Album Name</label>
    <input type="text" name="album_name" />
 </p>

 <p>
    <label> Song Name</label>
    <input type="text" name="song_name" />
 </p>

 <p>
    <input type="submit" name="log" value="Upload" />
 </p>

This is my database table:

 CREATE TABLE IF NOT EXISTS `music` (
   `id` int(11) NOT NULL,
   `user` varchar(255) NOT NULL,
   `artist_name` varchar(255) NOT NULL,
   `audio_name` varchar(255) NOT NULL,
   `album_name` varchar(255) NOT NULL,
   `name` varchar(225) NOT NULL,
   `type` varchar(71) NOT NULL,
   `size` double NOT NULL,
   `directory` varchar(71) NOT NULL,
   `date_uplaoded` datetime NOT NULL
 ) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;

`mysql_` doesn't have prepared statements so that connection method is invalid. — Funk Forty Niner, Aug 21 '15 at 16:44
@Fred-ii- what do you mean? so if I can't use mysql_ which is deprecated, what am I suppose to use? — Hedi, Aug 21 '15 at 16:47
the same MySQL API as the rest of your code. ;-) unlike different funky pieces of clothing, those don't mix and match. — Funk Forty Niner, Aug 21 '15 at 16:47
@RiggsFolly don't need to be rude about it...not everyone has knowledge, that's why you pass down information, so please say only relevant things...gosh some people... — Hedi, Aug 21 '15 at 16:48
oh and a possible typo for your column creation `date_uplaoded` double check that if what's being passed in your query as `date_uploaded` ;-) — Funk Forty Niner, Aug 21 '15 at 16:50
@RiggsFolly you're talking to Fred about me - clearly, so please remove yourself from my posts if you're not going to put in some effort to help[, just flagged you as rude. This isn't a chatting service to chat to your friends, you have other social networking sites for that. — Hedi, Aug 21 '15 at 16:53
and `, $dir, $d);` that `$d` could be replaced with `NOW()` saving you a declaration and a few keystrokes ;-) — Funk Forty Niner, Aug 21 '15 at 16:55
@Fred-ii- Could I ask a huge favour please Freed? Would you be kind enough to give me a link to a guide I can use or have a look at to do inserts? Of course without using deprecated methods and without prepared statements which as you said don't work with what I'm using. That'd be absolutely brilliant. — Hedi, Aug 21 '15 at 17:20

DirtyBit · Accepted Answer · 2015-08-21T17:03:49.527

2

You are trying to use prepared statements with msql_ which doesn't support them, you need to establish your connection the following way:

    <?php
            $servername = "localhost";
            $username = "username";
            $password = "password";
            $dbname = "yourdbname";

            // Create connection
            $db = new mysqli($servername, $username, $password, $dbname);

            // Check connection
            if ($db->connect_error) {
                die("Connection failed: " . $db->connect_error);
            }

           // prepare and bind
      $stmt = $db->prepare("INSERT INTO tablename (name, fatherame, add)   VALUES (?, ?, ?)");
    $stmt->bind_param("sss", $name, $fathername, $add);

    // set parameters and execute
    $name = "Muneer Khan";
    $fathername = "Shabbir Khan";
    $add = "KingsStreet";
    $stmt->execute();
    $stmt->close();
    ?>

OR you could also use PDO this way:

<?php
$server = "localhost";
$user = "username";
$pass = "password";
$db = "yourdbname";

try {
    $conn = new PDO("mysql:host=$server;dbname=$db", $user, $password);

    // set the PDO error mode to exception
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $db->prepare("INSERT INTO tablename (name, fathername, add)
    VALUES (:name, :fathername, :add)");

    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':fathername', $fathername);
    $stmt->bindParam(':add', $add);

    $name = "Muneer Khan";
    $fathername = "Shabbir Khan";
    $add = "KingsStreet";
    $stmt->execute();
    }
catch(PDOException $e)
    {
    echo "Error: " . $e->getMessage();
    }
$db = null;
?>

edited Aug 21 '15 at 17:03

answered Aug 21 '15 at 16:44

DirtyBit

16,613
4
34
55

2

Answers starting with *try this* really need something to back that up with. – Funk Forty Niner Aug 21 '15 at 16:45
1

@Fred-ii- Give me a second! – DirtyBit Aug 21 '15 at 16:46
2

Now *that* makes a lot more sense ;-) – Funk Forty Niner Aug 21 '15 at 16:49
3

Or you can use PDO if you prefer – RiggsFolly Aug 21 '15 at 16:50
2

That's what I prefer @RiggsFolly – Jay Blanchard Aug 21 '15 at 16:54
1

@Fred-ii- See, If I got that correct? – DirtyBit Aug 21 '15 at 17:00
1

I was in the middle of editing to change all `$conn` to `$db` since that is what the OP is using, but I won't touch it. Edit: Looks ok to me. Edit 2: nope. See comment below... – Funk Forty Niner Aug 21 '15 at 17:01
1

Oops, actually, you're declaring your variables *after* your binds. Those should come first. – Funk Forty Niner Aug 21 '15 at 17:03
1

@Fred-ii- You can always edit, that would surely help me learn better! :) – DirtyBit Aug 21 '15 at 17:04
1

Oh sure I could, but I can't so I won't lol - OP has comments to go on. I'm just being a bystander here ;-) – Funk Forty Niner Aug 21 '15 at 17:05
1

lol well. ship it, if it works right? :P – DirtyBit Aug 21 '15 at 17:07
this is great!!! thank you so much! I have a basic question, what if the first field in my table is ID which obviously is auto increment, does that effect how I should do the inserts? – Hedi Aug 22 '15 at 17:08
1

@Hedi leave it empty or don't even put it in the `query`. It's `AI`, you don't have to do anything as such. :) – DirtyBit Aug 22 '15 at 17:38
@HawasKaPujaari awesome, so if it's "id, name, fathername, add" in the table, i would just have to put (?,?,?) – Hedi Aug 22 '15 at 18:52
1

@Hedi you either leave it empty or dont even `mention` it. Read more here: http://stackoverflow.com/questions/17592545/insert-auto-incremented-id-using-prepared-statements?lq=1 – DirtyBit Aug 22 '15 at 19:07

Why isn't my insert working using prepared statements?

1 Answers1