Writing to Database with MySQLI

Question

I'm working on a project for a buddy of mine and we want to write our database calls in mysqli. I'm new to this and I've only used mysql commands which I know are out of date at this point. I keep getting Call to a member function query() on a non-object on line 30 which is my if ($mysqli->query($sql)) { command. Could anyone please point me in the right direction for this? I've tried looking it up in W3 schools. Here is my entire code:

// If the form is submitted, INSERT into table.
if (isset($_POST["submit"])) {

    // Define $username and $password.
    $username = $_POST['user_username'];
    $password = $_POST['user_password'];

    // Protect them from MySQL injection.
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysqli_real_escape_string($db, $username);
    $password = mysqli_real_escape_string($db, $password);
    $password = md5($password);

    // Run some queries.
        if ($_FILES["user_image"]["error"] > 0) {

            //Bad Output for form results red text
            echo "<font size = '5'><font color=\"#e31919\">Error: NO CHOSEN FILE <br />";
            echo"<p><font size = '5'><font color=\"#e31919\">INSERT TO DATABASE FAILED";

        } else {

            move_uploaded_file($_FILES["user_image"]["tmp_name"],"uploads/" . $_FILES["user_image"]);
            $file="uploads/".$_FILES["user_image"];
            $image_title = addslashes($_REQUEST['user_image']);
            $sql="INSERT INTO users (user_fname, user_lname, user_image, user_phone, user_cell, user_email, user_username, user_password) VALUES ('$_POST[user_fname]', '$_POST[user_lname]', '$_POST[user_image]', '$_POST[user_phone]', '$_POST[user_cell]', '$_POST[user_email]', '$username', '$password')";
            if ($mysqli->query($sql)) {
                die('Error: ' . $mysqli->error);
            }

            //Good Output for form results green text   
            echo '
             <form enctype="multipart/form-data" action="insert_image.php" method="post" name="changer">
                <div style="padding:10px;">
                    <h2 style="font-size: 28px;">Success!</h2>
                    <p style="font-size: 18px;">Your file has been successfully uploaded!</p>
                </div>     
            </form>';
        }
}

Thanks!

Answer 1

Here's your non-object $_POST[user_image] in your VALUES, where you used $_FILES["user_image"] everywhere else but there's no input for it anywhere in what you posted for code. We're dealing with a file here and not an text input.

I.e.: <input type="file" name="user_image">

• Only YOU know that.

Plus, you need to use the connection variable you're really using, if it's $db, or $mysqli and if you successfully connected to your database, or chose the right database and table.

• Again, only YOU know that.

Then this:

$image_title = addslashes($_REQUEST['user_image']);

You should use $_FILES and not $_REQUEST, since this implies that you may be using a GET method in your unshown "other" form.

Reference:

• http://php.net/manual/en/features.file-upload.php

References:

• http://php.net/manual/en/mysqli.query.php

• http://php.net/manual/en/function.mysqli-connect.php

• If using PDO to connect with http://php.net/manual/en/pdo.error-handling.php

And use the error handling that fits your connection. Consult my Edit below.

Also make sure that folder you're wanting to upload to, has the right permissions to write to it.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Also use var_dump();, echo and viewing your HTML source are additional tools that will help you during the debugging process.

• http://php.net/manual/en/function.var-dump.php
• http://php.net/manual/en/function.echo.php

---

Additional notes:

If you're wanting to upload that data as binary data in your table, then make sure that you're using the correct type.

Such as TINYBLOB, BLOB, MEDIUMBLOB, and LONGBLOB.

Another "only YOU know that".

Reference:

• http://dev.mysql.com/doc/refman/5.7/en/blob.html

---

As stated by Matt in comments:

And $file="uploads/".$_FILES["user_image"]; should be changed to $file="uploads/".$_FILES["user_image"]['name'];

Changing both instances of "uploads/" . $_FILES["user_image"] to "uploads/".$_FILES["user_image"]['name']

Consult the manual on move_uploaded_file():

• http://php.net/manual/en/function.move-uploaded-file.php

---

Passwords.

I noticed you are using MD5 as a password hashing function. This function is no longer considered safe to use.

Use one of the following:

• CRYPT_BLOWFISH
• crypt()
• bcrypt()
• scrypt()
• On OPENWALL
• PBKDF2
• PBKDF2 on PHP.net
• PHP 5.5's password_hash() function.
• Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

• PBKDF2 For PHP

Important sidenote about column length:

If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

---

Edit:

Seeing another one of your questions:

• Display Blob Image and Title from MySQL Database in PHP

I noticed PDO syntax $row = $stmt->fetch(PDO::FETCH_ASSOC); and where you are mixing with mysql_ functions $image = mysql_query....

This tells me that you may still be mixing MySQL APIs. If your connection is PDO, then you cannot intermix those different APIs. You must use the same one from connecting to query.

Consult the following on Stack:

• Can I mix MySQL APIs in PHP?

PDO with mysql_ - invalid
PDO with mysqli_ - invalid
mysql_ with mysqli_ - invalid

Answer 2

Your code should either be all object-oriented or all functional. You can either do it the object-oriented way:

$mysqli = new mysqli('dbhost', 'username', 'password', 'dbname');
// ...
$username = $mysqli->escape_string($username);
$password = $mysqli->escape_string($password);
// ...
$mysqli->query($sql);

Or the functional way:

$mysqli = mysqli_connect('dbhost', 'username', 'password', 'dbname');
// ...
$username = mysqli_escape_string($mysqli, $username);
$password = mysqli_escape_string($mysqli, $password);
// ...
mysqli_query($mysqli, $sql);

Please note that the functional syntax has now been deprecated as of PHP 7 (I think, can't find the exact version). See the documentation for mysqli::_construct for proper usage.

As well, mysqli_escape_string()/$mysqli->escape_string() are now aliases for
$mysqli->real_escape_string(), so it's no longer necessary to use the longer form as it was with the old mysql module.

Finally, ensure that you've actually instantiated the $mysqli variable in your code. There's no reason you should get that particular error, even if the connection failed.