-2

I am trying to insert into a database but I always get the echo:

'ticket niet aangemaakt'

Can I use '?' in between variables?

If yes, can somebody see some fault? Otherwise I know there is a misspelling in the variables.

<?php
// this works fine
$ophaalKlantQuery = "SELECT * FROM klant WHERE klantNaam='$naam'";
$result = $connectie->query($ophaalKlantQuery);
if (mysqli_num_rows($result) == 0) {
    echo "klant niet gevonden";
}
while ($row = $result->fetch_assoc()) {
    if ($row['klantNaam'] === $naam) {
        echo $row['klantNaam'];
        $klantID = $row['klantId'];
    }
}

// everything below doesn't insert
// 8 '?' placeholders, mixed with interpolated '$...' values
$insertticket = $connectie->prepare("INSERT INTO ticket (ticketId, inBehandeling, probleem, trefwoorden, prioriteit, aantalXterug,
    terugstuurLock, lijnNr, datumAanmaak, nogBellen, log, streefdatum, redenTeLaat, klantTevreden, ftsAccountNr, aangewAccountNr, klantId, subCategorieId,
    binnenkomstId, vVLaptopTypeId, besturingssysteemId)
    VALUES ('','$inbehandeling',?,?,?, '$aantalXterug','$terugstuurLock','$lijnNr','$datumAanmaak','$check','$log',?,'$redentelaat','$klanttevreden','$fstAccountNr',
    '$aangewAccountNr','$klantID',?,?,?,?)");
if ($insertticket) {
    // 8 type characters for the 8 placeholders: s = string, i = integer
    $insertticket->bind_param('ssisiiii', $probleem, $trefwoorden, $prioriteit, $streefdatum, $scategorie, $binnenkomstT, $merktype, $besturingsysteem);
    if ($insertticket->execute()) {
        echo 'ticket aangemaakt';
        //header("Refresh:5; url=../index.php", true, 303);
    }
} else {
    echo 'ticket niet aangemaakt';
}
?>
Brian Tompsett - 汤莱恩
Robby Morales
  • Sorry, please clarify, why are you putting the "?" in place of the values? Is it to leave them blank? or are you wanting to put a variable to that value? – Craig B Jan 13 '17 at 21:56
  • I am binding the ? values with bind_param – Robby Morales Jan 13 '17 at 21:58
  • You need to show us what the real error is. Instead of that `else {echo 'ticket niet aangemaakt';}` you should use `echo "Error : " . mysqli_error($connectie);` and tell us what it was, and use PHP's error reporting. – Funk Forty Niner Jan 13 '17 at 22:16
  • If the number of `?` placeholders matches what you're trying to bind and they are the correct ones, `i` and `s`, then there shouldn't be a problem. However, you should be binding them all, rather than just a few. – Funk Forty Niner Jan 13 '17 at 22:18
  • I just can't see where these have been defined `$probleem, $trefwoorden, $prioriteit, $streefdatum, $scategorie, $binnenkomstT, $merktype, $besturingsysteem` and other variables. Your question is unclear and voted to close as such. – Funk Forty Niner Jan 13 '17 at 22:30
  • You seem to have left the question and so have I. Someone gave you an answer below, ask them. Good luck – Funk Forty Niner Jan 13 '17 at 22:35
  • I did the echo error and it was a misspelling in the db, thanks! The other vars are defined but I didn't include them in this post. – Robby Morales Jan 13 '17 at 22:37

1 Answer

-1

There are different syntaxes, but the good way now to do SQL requests is to separate the SQL from the passing of variables. You should NEVER concatenate a value directly in the SQL request string.

There is documentation about this, but globally the thing is to replace the values in the string with something that will be automatically and safely replaced by the bind method.

Syntax examples:

'INSERT INTO test (name, age) VALUES (?, ?)'

'INSERT INTO test (name, age) VALUES (:name, :age)'
Kaddath
  • Why the named placeholders? These are for PDO, not mysqli_, which is what they're using. – Funk Forty Niner Jan 13 '17 at 22:15
  • There's no `WHERE` clause in `INSERT`. – Barmar Jan 13 '17 at 22:21
  • That too ^ but it still doesn't explain named placeholders – Funk Forty Niner Jan 13 '17 at 22:23
  • Yeah, I'm tired, I should stop helping people :D Globally that was a polite RTFM, a general no to his question – Kaddath Jan 13 '17 at 22:23
  • *"a general no to his question"* - I don't see the problem with mixing variables and placeholders. @Kaddath and nobody is criticizing you here, just stating / asking why you included named placeholders – Funk Forty Niner Jan 13 '17 at 22:28
  • I may have become a bit of a maniac about not including variables directly in SQL strings, and I've seen so many different syntaxes over time.. I'm not here for rep but to help and learn, so please explain why when you downvote.. I will either edit or delete the answer depending on your comments – Kaddath Jan 17 '17 at 12:22
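As an added example (not the asker's or the answerer's code), here are the klant lookup and the ticket INSERT from the question rewritten so that every value goes through a mysqli `?` placeholder, with failures surfaced the way the comments on the question suggest: through mysqli's error reporting, logged server-side instead of a bare 'ticket niet aangemaakt'. It assumes a mysqli connection in $connectie, input variables $naam and $ticketData, the mysqlnd driver (for get_result), that ticketId is AUTO_INCREMENT, and it uses only a subset of the ticket columns from the question.

```php
<?php
// Make prepare()/execute() throw mysqli_sql_exception instead of returning false,
// so the server's real message (e.g. an unknown column name) is not lost.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findKlantId(mysqli $connectie, string $naam): ?int
{
    // The name is bound, never interpolated into the SQL string.
    $stmt = $connectie->prepare("SELECT klantId FROM klant WHERE klantNaam = ?");
    $stmt->bind_param('s', $naam);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumption)
    return $row === null ? null : (int) $row['klantId'];
}

function insertTicket(mysqli $connectie, int $klantId, array $ticket): int
{
    // One '?' per column and one type character per '?': s = string, i = integer.
    // No '$var' appears inside the SQL at all; ticketId is left to AUTO_INCREMENT (assumption).
    $sql = "INSERT INTO ticket (inBehandeling, probleem, trefwoorden, prioriteit, lijnNr,
                datumAanmaak, streefdatum, klantId, subCategorieId, binnenkomstId,
                vVLaptopTypeId, besturingssysteemId)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = $connectie->prepare($sql);
    $stmt->bind_param(
        'sssiissiiiii',
        $ticket['inBehandeling'], $ticket['probleem'], $ticket['trefwoorden'],
        $ticket['prioriteit'], $ticket['lijnNr'], $ticket['datumAanmaak'],
        $ticket['streefdatum'], $klantId, $ticket['subCategorieId'],
        $ticket['binnenkomstId'], $ticket['vVLaptopTypeId'], $ticket['besturingssysteemId']
    );
    $stmt->execute();
    return $stmt->insert_id;
}

try {
    $klantId = findKlantId($connectie, $naam);
    if ($klantId === null) {
        echo 'klant niet gevonden';
    } else {
        insertTicket($connectie, $klantId, $ticketData);
        echo 'ticket aangemaakt';
    }
} catch (mysqli_sql_exception $e) {
    // Keep the database error out of the browser: log it, show the user a generic message.
    error_log('ticket insert failed: ' . $e->getMessage());
    echo 'ticket niet aangemaakt';
}
```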