
Using prepared statements and mysqli, I'm trying to insert the data below into a table. When I run the code I get this error, even though I'm following a tutorial from w3school.

here is my code:

    $dbServerName = "localhost";
    $dbUserName = "root";
    $dbPassword = "";
    $dbName = "candiadateDB";
    $conn = mysqli_connect($dbServerName, $dbUserName, $dbPassword, $dbName);
    // prepare() returns false if the statement cannot be prepared; the result is used here without being checked
    $stmt_values = $conn->prepare("INSERT INTO candidates (username, firstname, lastname, password, coalition, program, starting_year, slogan, email) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
    $stmt_values->bind_param("sssssssss", $username, $firstname, $lastname, $password, $coalition, $program, $starting_year, $slogan, $email);
    $stmt_values->execute();
    $stmt_values->close();
    $conn->close();

I'm retrieving the variables $username, $fname,.. like so from a form:

$fname = mysqli_real_escape_string($conn,$_POST['fname']);

here is the error: Fatal error: Call to a member function bind_param() on a non-object in

  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 07 '17 at 18:55
  • You need to get in the habit of [accepting answers](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) which help you to solve your issues. You'll earn points and others will be encouraged to help you. – Jay Blanchard Jul 07 '17 at 19:04
  • Please do not report questions: https://stackoverflow.com/questions/44954198/writing-a-prepared-statement-to-retrieve-data-from-table-fatal-error – Jay Blanchard Jul 07 '17 at 19:05

1 Answer


bind_param does not accept non-variables as parameters

They must be variables. Store meee as $meee = 'meee' for example

See the manual: http://php.net/manual/en/mysqli-stmt.bind-param.php

Example:

$value1 = 'mee';
$value2 = 'youu';
.
.
.
$stmt->bind_param("ss",$value1,$value2);

See, the point of bound parameters is to not allow invalid/unsafe data to be used in a query. You're hard-coding strings/parameters in, so in this case there's no reason to USE a prepared statement, because you could do the same with INSERT INTO X (col1,col2) VALUES ('val1','val2').

clearshot66
  • Thanks for the answer, now I get a different error. I get the values from a form like so $value1 = mysqli_real_escape_string($conn,$_POST['value1']); and when I run the code I get this error: Fatal error: Call to a member function bind_param() on a non-object in –  Jul 07 '17 at 19:22
  • You don't need to escape them with escape string. Get rid of that. Check that you're also connecting and that $conn is in the right order for connect. – clearshot66 Jul 07 '17 at 19:25
  • I did it like this $fname = $_POST['fname']; and still I get this error: Fatal error: Call to a member function bind_param() on a non-object in –  Jul 07 '17 at 19:39
  • Have you verified that your database connection was successful? – Adeleke Akinade Jul 07 '17 at 19:47
  • Yes, the database is fine –  Jul 07 '17 at 19:47
  • Correction: I added the database info directly into the file and the error is gone, but no data is being inserted into the table –  Jul 07 '17 at 19:53
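As an added example (not the asker's or clearshot66's code), here is the insert from the question with the checks this thread circles around: mysqli set to throw on failure, so a failed prepare() surfaces MySQL's own error message instead of a fatal error on bind_param() and a failed execute() is not a silent "no data inserted"; the password hashed with password_hash() as Jay Blanchard's comment recommends; and no mysqli_real_escape_string() on values that are bound. The table and column names come from the question; the connection values, the `connect` and `insertCandidate` function names and the sample row are assumptions of the example.

```php
<?php
// Added example, not the asker's or the answerer's code. Table and column names
// come from the question; the connection values are placeholders.

// Make mysqli throw mysqli_sql_exception on failure instead of returning false.
// Without this, a failed prepare() hands back false, and the next line fails with
// "Call to a member function bind_param() on a non-object".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials, as in the question; replace for a real deployment.
    $conn = new mysqli("localhost", "root", "", "candiadateDB");
    $conn->set_charset("utf8mb4");
    return $conn;
}

// Inserts one candidate and returns the number of rows written (1 on success).
function insertCandidate(mysqli $conn, array $c): int
{
    // Hash the password before storage. No escaping: escaping would change the
    // password before hashing, and a bound value never becomes part of the SQL text.
    $passwordHash = password_hash($c['password'], PASSWORD_DEFAULT);

    $stmt = $conn->prepare(
        "INSERT INTO candidates
            (username, firstname, lastname, password, coalition,
             program, starting_year, slogan, email)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"
    );

    // bind_param() takes its arguments by reference, so a literal such as 'meee'
    // is rejected; plain variables are the simplest thing to pass.
    $username     = $c['username'];
    $firstname    = $c['firstname'];
    $lastname     = $c['lastname'];
    $coalition    = $c['coalition'];
    $program      = $c['program'];
    $startingYear = $c['starting_year'];
    $slogan       = $c['slogan'];
    $email        = $c['email'];

    // One type character per placeholder; "s" everywhere matches the question.
    // Use "i" for starting_year if that column is an integer type.
    $stmt->bind_param(
        "sssssssss",
        $username, $firstname, $lastname, $passwordHash, $coalition,
        $program, $startingYear, $slogan, $email
    );
    $stmt->execute();

    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input standing in for the form post. In the real handler,
// read $_POST['username'] ?? '' and so on, still without mysqli_real_escape_string().
$sample = [
    'username'      => 'jdoe',
    'firstname'     => 'Jane',
    'lastname'      => "O'Doe",          // the apostrophe is harmless when bound
    'password'      => 'correct horse battery staple',
    'coalition'     => 'Green',
    'program'       => 'Computer Science',
    'starting_year' => '2017',
    'slogan'        => 'Vote for me',
    'email'         => 'jdoe@example.com',
];

try {
    $conn = connect();
    $rows = insertCandidate($conn, $sample);
    echo "rows inserted: $rows\n";
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // The actual MySQL error (unknown table, unknown column, access denied)
    // appears here instead of a fatal error on the next method call.
    echo "database error: " . $e->getMessage() . "\n";
}
```

Run it once against a database that has the `candidates` table; if prepare() fails because a column name in the statement does not match the table, the catch block prints MySQL's message naming that column, which is the information the asker's "no data is being inserted" step was missing. On login, compare the submitted password with the stored hash using password_verify() rather than comparing strings.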