I have some code that works (mysqli), but I need to make it secure from SQL injection:
$sql = "INSERT INTO scratch_entry (email, fname, lname, phone, promo) VALUES ('$email', '$fname', '$lname', '$phone', $promo);";
I attempted to use a prepared statement, but I keep getting the error: Fatal error: Call to a member function bind_param() on a non-object.
This is what I am attempting to use, and it is giving me the error:
$stmt = $mysqli->prepare("INSERT INTO scratch_entry (email, fname, lname, phone, promo) VALUES(:email, :fname, :lname, :phone, :promo");
$stmt->bind_param(":email", $email);
$stmt->bind_param(":fname", $fname);
$stmt->bind_param(":lname", $lname);
$stmt->bind_param(":phone", $phone);
$stmt->bind_param(":promo", $promo);
$stmt->execute();
Does anyone know what I am doing wrong with this prepared statement? If you need more info let me know. Thanks!
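A corrected version of the insert using mysqli's positional placeholders, added here as an example and not part of the original question; it assumes $mysqli is an already open mysqli connection and that promo is an integer column (the original code left $promo unquoted).

```php
<?php
// Added example: parameterised INSERT for scratch_entry with mysqli.
// Assumption: $mysqli is an open mysqli connection; promo is an INT column.

// Make mysqli throw on errors instead of returning false. With the default
// mode a failed prepare() returns false, and calling bind_param() on that
// false value is what produces "Call to a member function bind_param() on
// a non-object".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertScratchEntry(
    mysqli $mysqli,
    string $email,
    string $fname,
    string $lname,
    string $phone,
    int $promo
): int {
    // mysqli only supports positional "?" placeholders; ":name" placeholders
    // are PDO syntax. Note the closing ")" after the VALUES list, which the
    // original query was missing.
    $stmt = $mysqli->prepare(
        'INSERT INTO scratch_entry (email, fname, lname, phone, promo) '
        . 'VALUES (?, ?, ?, ?, ?)'
    );

    // bind_param takes ONE type string ("s" = string, "i" = integer) followed
    // by every variable, in placeholder order, in a single call.
    $stmt->bind_param('ssssi', $email, $fname, $lname, $phone, $promo);
    $stmt->execute();

    $newId = (int) $stmt->insert_id; // AUTO_INCREMENT id of the new row (0 if none)
    $stmt->close();
    return $newId;
}

// Constructed sample input. The apostrophe in the surname is sent as data,
// separately from the SQL text, so it cannot change the statement.
$id = insertScratchEntry($mysqli, 'ann@example.com', 'Ann', "O'Neil", '555-0100', 1);
```

Because the values never touch the SQL string, the quoting and escaping that the original string-concatenated query relied on are no longer needed.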