0

I have written a small web app using php. I am now trying to replace my SQL written directly in the php scripts with calls to stored procedures.

Example

I have replaced: 

$GetIDforInsertSQL=("SELECT idUser FROM user WHERE userName='$username'");

With:

$GetIDforInsertSQL="CALL Get_User_ID('$username')";

Here is the code for Get_User_ID

CREATE DEFINER=`root`@`localhost` PROCEDURE `Get_User_ID`(IN UserNametoCheck varchar(45) )
BEGIN

SELECT idUser FROM user
 WHERE userName=UserNametoCheck;

END

When I run this query and extract the result set i.e.

$result=($conn->query($GetIDforInsertSQL));


while($row=mysqli_fetch_array($result))// Get the Userid from the users table to insert into watchlist
{
    $Userid=$row['idUser'];

    echo $Userid;

}

It echos out the expected value of $Userid which is 8.

However, further down in my script I have another query

$AddToWatchlistSQL=("INSERT INTO watchlist(UserID,AdvertID)VALUES('$Userid','$Advertid')");

followed by: 

$results=($conn->query($AddToWatchlistSQL));



 if($results)
     {

        echo" Advert Added to watchlist, Redirecting";

        header('Refresh: 3; "Indexlogged.php');

     }

     else
     {
         echo "Thats an error";

     }

Since I have replaced the Select state to get the userId with the stored procedure Get_User_ID I keep getting the error message for the insert query.

When I comment out the stored procedure call and just use the original query: 

$GetIDforInsertSQL=("SELECT idUser FROM user WHERE userName='$username'");

It works, I don't understand why as when I echo the value of $Userid after the stored procedure call it outputs the expected result. Any Ideas as to why this is happening?

Edit: Output of log file after attempting insert using stored procedure:

160421 18:35:30     9 Connect   root@localhost as anonymous on carhubdb
            9 Query SELECT * FROM caradvert WHERE Advert_ID='13'
            9 Query SELECT * FROM user WHERE userName='John123'
            9 Query SELECT AdvertImagePath FROM advertimage WHERE Advert_IDENTIFIER='13'
            9 Query SELECT userName FROM user WHERE idUser='9'
            9 Query SELECT * FROM watchlist WHERE UserID='8' AND AdvertID='13'
            9 Quit  
160421 18:35:32    10 Connect   root@localhost as anonymous on carhubdb
           10 Query CALL `carhubdb`.`Get_UserID`('John123')
user3429270
  • 31
  • 1
  • 9
  • Your INSERT is not in a stored procedure that I can see. – Jay Blanchard Apr 21 '16 at 16:46
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 21 '16 at 16:46
  • Return the *actual* error from the query or check your error logs. – Jay Blanchard Apr 21 '16 at 16:47
  • I know, I have tried putting it in one but its not working either. – user3429270 Apr 21 '16 at 16:47
  • I haven't learned about avoiding SQL injection yet so I'm not too worried... Just want to get it working as is – user3429270 Apr 21 '16 at 16:49
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."*. If you don't have time to do it right the first time, when will you find the time to add it later? ¯\\_(ツ)_/¯ – Jay Blanchard Apr 21 '16 at 16:50
  • How do I get the actual error? debugging is enabled and all that displays without the error message I added is a blank page – user3429270 Apr 21 '16 at 16:52
  • You'll have to check your MySQL error logs. Have you run the SP from the command line or through a MySQL IDE? – Jay Blanchard Apr 21 '16 at 16:53
  • I've run it using mySQL workbench. Works fine through that – user3429270 Apr 21 '16 at 16:56
  • The error log is going to be the key to unlocking the problem here. Without that we have no visibility into what is happening when the SP is run. – Jay Blanchard Apr 21 '16 at 17:06
  • I'll see if I can figure out how to enable it. Thanks – user3429270 Apr 21 '16 at 17:12
  • I enabled it. Please take a look at the edit if you can – user3429270 Apr 21 '16 at 19:49
  • It's not showing any errors. Can you make sure you've enabled error reporting in your mysql config file? – Jay Blanchard Apr 21 '16 at 19:51
  • Think I figured it out from another post http://stackoverflow.com/questions/15617348/php-error-when-using-stored-procedure – user3429270 Apr 21 '16 at 20:39

0 Answers0