Fetching in prepared statements

Question

Im trying to convert the following to predicted statements. Can you please tell me where Im going wrong.

$userid = mysqli_real_escape_string($con, $_SESSION['usr_id']);
$user = mysqli_query($con, "SELECT * FROM users WHERE id = '" . $userid . "'");
$row = mysqli_fetch_array($user);

I have no luck trying to convert this. What I have so far:

$userid = mysqli_real_escape_string($db, $_SESSION['usr_id']);
$userinfo = $db->prepare("SELECT * FROM users WHERE id = ?");
$userinfo->bind_param("i", $userid);
$userinfo->execute();
$row = $userinfo->fetch_assoc();
$userinfo->close();

Further on in code (As for why I need this):

<input class="form-control" name="charname" value="<?php echo $row["charname"]; ?>" required/>

EDIT 1:

(I haven't tried localhost yet. But when I use the get_result() alternative it still doesnt work)

$userinfo = $db->prepare("SELECT * FROM users WHERE id = ?");
$userinfo->bind_param("i", $_SESSION['usr_id']);
$userinfo->execute();
$result = $userinfo->get_result();
$userinfo->close();

$row = $result->fetch_assoc();

When I change it back to this, it works.

$userid = mysqli_real_escape_string($con, $_SESSION['usr_id']);
$user = mysqli_query($con, "SELECT * FROM users WHERE id = '" . $userid . "'");
$row = mysqli_fetch_array($user);

EDIT 2:

Removed get_result(); in EDIT 1

$db is used to connect.

$db = new mysqli($servername, $username, $password, $dbname);

if (mysqli_connect_errno()) {
    printf("Error: %s\n", mysqli_connect_error());
    exit();
}

-

var_dump($userinfo->execute());

Returns:

bool(true)

-

var_dump($result);

Returns:

object(mysqli_result)#4 (5) { ["current_field"]=> int(0) ["field_count"]=> int(11) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) }

You don't need to do real_escape_string when you use bind_param. What happens when you try? — aynber, Dec 28 '16 at 18:38
What about it isn't working? Do you get an error message? Try using `mysqli_error()` to see if it gives you any information. — aynber, Dec 28 '16 at 18:42
https://twitter.com/ShrapnelCol/status/811554258927702016 Instead of guessing the proper syntax you have to learn it from the manual page. And then move to PDO — Your Common Sense, Dec 28 '16 at 19:03
I see `mysqli_real_escape_string($con` then I see `mysqli_real_escape_string($db`, so which one of those is the right variable used to connect with? You're not checking for errors in any way, either via php or the query. Nor do we know if the session was started and if it holds value. — Funk Forty Niner, Dec 28 '16 at 20:01
*"no error message from `mysqli_error()`"* - that's because and if you didn't include the argument for it `mysqli_error($con)`, nor are you using error reporting. You're just assuming your code works. — Funk Forty Niner, Dec 28 '16 at 20:06
`return $RESULT;` but using `$result` in `$result = get_result($userinfo);` - If you're intending on using that variable, well those are 2 different animals altogether and is considered as being an undefined variable. And error reporting would have told you about it, but you didn't use that, as I told you twice already? — Funk Forty Niner, Dec 28 '16 at 20:08
@Fred-ii- `mysqli_real_escape_string($db` I've just changed the name of the variable. `$db` is used. mysqli_error(); is later on in the code. Session has also started as it all does work if I don't use prepared statements — MMQVBN, Dec 28 '16 at 20:11
*"I haven't tried localhost yet" - what exactly do you mean by that? You're not running this as `file:///` directly into your browser, are you? — Funk Forty Niner, Dec 28 '16 at 20:11
*"$db is used."* - and you're using `$con`?? I honestly don't know where to throw myself here anymore. Why even use `mysqli_real_escape_string()`, you're using a prepared statement. Using those together will have adverse effects. — Funk Forty Niner, Dec 28 '16 at 20:12
@Fred-ii- Im running the file on virtual hosting. `mysqli_real_escape_string()`, I have changed that in prepared statement (dont use it anymore) — MMQVBN, Dec 28 '16 at 20:21
@Fred-ii- No, I know it exists as the user is logged in, this is basicaly settings page that if the fields are filled in, shows them. `" required/>` — MMQVBN, Dec 28 '16 at 20:41
*"this is basicaly settings page that if the fields are filled in, shows them"* - Your posted code doesn't support what you're really wanting to do. To check for required fields (if this is what you're really asking about), is to add `require` to inputs and also check if any of those are not empty in a conditional statement. — Funk Forty Niner, Dec 28 '16 at 20:43
@Fred-ii- I mean to show the value if it is already in the DataBase. Like save info and see it in the field where you entered it after page refresh. `value=""` — MMQVBN, Dec 28 '16 at 20:45
@Fred-ii- It works the way it supposed to with: `$userid = mysqli_real_escape_string($con, $_SESSION['usr_id']); $user = mysqli_query($con, "SELECT * FROM users WHERE id = '" . $userid . "'"); $row = mysqli_fetch_array($user);` I just want to try and change that to prepared statements. — MMQVBN, Dec 28 '16 at 20:47
Look at one of my answers http://stackoverflow.com/a/22253579/1415724 under the mysqli_ prepared statement `$query = "SELECT email FROM tblUser WHERE email=?";` example. Based yourself on that block of code and then assign a session array to the binded result variable `$email_check` as an example. — Funk Forty Niner, Dec 28 '16 at 20:49

Rajdeep Paul · Accepted Answer · 2016-12-28T19:05:30.653

1

Look at this statement below,

$row = $userinfo->fetch_assoc();

$userinfo is a statement object, not a mysqli_result object. So you can't use it in your code like that. Use ->get_result() method to get the result set from the prepared statement and then fetch the row from the result set, like this:

$userinfo = $db->prepare("SELECT * FROM users WHERE id = ?");
$userinfo->bind_param("i", $userid);
$userinfo->execute();
$result = $userinfo->get_result();
$userinfo->close();

$row = $result->fetch_assoc();

Later, you can use this $row variable in your input element,

<input class="form-control" name="charname" value="<?php echo $row["charname"]; ?>" required/>

Sidenote(s):

If you're using prepared statement, then you don't have to escape anything using mysqli_real_escape_string() function. You can directly use $_SESSION['usr_id'] in your ->bind_param() method, like this:
```
$userinfo->bind_param("i", $_SESSION['usr_id']);
```
->get_result() method is available only with MySQL Native driver(mysqlnd), so it won't work if you don't have that particular driver installed.

edited Dec 28 '16 at 19:05

answered Dec 28 '16 at 19:00

Rajdeep Paul

16,887
3
18
37

The virtual hosting that Im using probably doesn't have the MySQL Native driver as it doesnt seem to work. Is there any way to overcome this? Thanks. – MMQVBN Dec 28 '16 at 19:13
@MMQVBN First test it on your *localhost* and check whether all the functionalities are working correctly or not. Then you can be sure that your hosting server doesn't have *that* particular installed. – Rajdeep Paul Dec 28 '16 at 19:15
@MMQVBN If *mysqlnd* driver is not installed in your server, then this is the workaround, [http://stackoverflow.com/a/30551477/5517143](http://stackoverflow.com/a/30551477/5517143) – Rajdeep Paul Dec 28 '16 at 19:18
I haven't tried local host yet but even with the workaround it doesnt seem to work. Is there anything else I could try? (Edited the question with what I have now.) – MMQVBN Dec 28 '16 at 19:36
@MMQVBN `$result = get_result($userinfo);` is wrong, it should be `$result = $userinfo->get_result();`, **as given in the answer**. – Rajdeep Paul Dec 28 '16 at 19:45
I tried `$result = $userinfo->get_result();` first, but it didn't work so I tried the workaround(hopefully I did it correctly): `$result = get_result($userinfo);` – MMQVBN Dec 28 '16 at 19:50
When I do '$result = get_result($userinfo);' the page dissapears after 'echo $row["charname"];' – MMQVBN Dec 28 '16 at 19:53
@MMQVBN In *that* workaround, `get_result()` is a custom function to emulate the functionality of MySQLi's `->get_result()` method. If you're using `$result = get_result($userinfo);` then have you defined that function as well? – Rajdeep Paul Dec 28 '16 at 19:53
@MMQVBN Use `var_dump()` to debug the issue further. Do `var_dump($result);` and see what you're getting. Also, check the status of `->execute();` statement using `var_dump($userinfo->execute());`. – Rajdeep Paul Dec 28 '16 at 20:03
@RajdeepPaul No idea if OP's paying attention to any of my comments up there. I must've left 3-4 comments but they probably feel being bombarded with so many that they don't know which way to throw themselves. Too bad you had to be chased down such a deep rabbit hole and for well over an hour. – Funk Forty Niner Dec 28 '16 at 20:10
@Fred-ii- Yeah, sometimes it happens. We really can't help them if they don't respond to our comments, or follow our debug steps. *sigh* – Rajdeep Paul Dec 28 '16 at 20:14
@RajdeepPaul Have a look at my comments to them up there, I think you'll agree on most or all of them. I think I'll have to literally spell it out to them as to how to use error reporting, *sigh*. – Funk Forty Niner Dec 28 '16 at 20:19
@Fred-ii- Yes, I totally agree. Your comments raised pretty valid points here. – Rajdeep Paul Dec 28 '16 at 20:26
@MMQVBN 1. Switch to localhost and test your application with the given code snippet(s). 2. Turn on error reporting, add these lines `ini_set('display_errors', 1); error_reporting(E_ALL);` at the top of your PHP scripts and see if it yields any error or not. 3. Make use of `mysqli_error()` properly, as pointed out by @Fred-ii also. 4. Go through @Fred-ii's comments and make sure you fix all of them. – Rajdeep Paul Dec 28 '16 at 20:30
@RajdeepPaul I get nothing from `var_dump($result);` but from `var_dump($userinfo->execute());` i get `bool(true)` – MMQVBN Dec 28 '16 at 20:30
@RajdeepPaul When I use `$result = $userinfo->get_result();` with `var_dump($result);` `object(mysqli_result)#4 (5) { ["current_field"]=> int(0) ["field_count"]=> int(11) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) }` – MMQVBN Dec 28 '16 at 20:33
@RajdeepPaul So Im geussing that `$result = $userinfo->get_result();` is working. But why is the page cut then – MMQVBN Dec 28 '16 at 20:35
@MMQVBN First you said *I get nothing from var_dump($result);* and suddenly it started working. **Kindly read the answer and comments properly**. These kinds of trial and error won't get you too far. Since you know that `->get_result()` is working, now simply fetch the row from the result set, which also given in my answer. – Rajdeep Paul Dec 28 '16 at 21:20

Fetching in prepared statements

EDIT 1:

EDIT 2:

1 Answers1