
something here is wrong but I can't find it. Plz help.

And I have a question: Why should we close the connection in the end? Is it a necessity?

$conn = new mysqli($dbConfig['DB_HOST'], $dbConfig['DB_USER'], $dbConfig['DB_PASSWORD'], $dbConfig['DB_NAME']);

if ($conn->connect_errno) {
    // printf() prints directly and returns the number of bytes written, so
    // assigning its result to a variable and echoing that would print a number.
    printf("connection has failed: %s", $conn->connect_error);
    exit();
}

printf("you are connected to the <b><i>%s</i></b> database successfully.<br>", $dbConfig['DB_NAME']);

$result = $conn->prepare("select * from customers");
if (!$result) {
    // prepare() returns false on failure, so the error lives on the connection, not on $result
    printf('errno: %d, error: %s', $conn->errno, $conn->error);
    exit();
}

$b = $result->execute();
if (!$b) 
    echo "execute doesn't work";

$rows = $result->fetch_array(1);
printf("Name is: %s\n <br>",$rows['name']);

The code has been updated!

Farid S

1 Answer

  1. You can't bind tables or column names. For that you need to use a whitelist.
  2. You do not need to sanitize data in a prepared statement IF you parameterize (like you had done with the table name) the query. Prepared statements have no difference if they aren't parameterized.

The current issue is that you need to get the result, http://php.net/manual/en/mysqli-stmt.get-result.php.

So the end of your code should be:

$b = $result->execute();
if (!$b) 
    echo "execute doesn't work";
$result2 = $result->get_result();
$rows = $result2->fetch_array();
chris85
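The three points above (identifiers need a whitelist, values need a bound parameter, `mysqli_stmt` needs `get_result()` before rows can be fetched) plus the asker's closing question, put together in one added example that is not code from the question or the answer. It assumes `$dbConfig` holds the same keys as in the question and that the tables `customers` and `orders` exist.

```php
<?php
// Added example: whitelisting an identifier, binding a value, reading rows via
// get_result(), and releasing the connection. $dbConfig and the table names
// below are assumptions, not taken from the question.

// 1. Table/column names cannot be bound as parameters, so the only safe way
//    to let a caller pick a table is a fixed whitelist.
const ALLOWED_TABLES = ['customers', 'orders'];   // assumed table names

function fetchRowsByName(array $dbConfig, string $table, string $name): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }

    // Report mysqli errors as exceptions instead of checking errno after every call.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli($dbConfig['DB_HOST'], $dbConfig['DB_USER'],
                       $dbConfig['DB_PASSWORD'], $dbConfig['DB_NAME']);

    try {
        // 2. The identifier comes from the whitelist (backticks guard against
        //    reserved words); the value is a bound parameter, so it needs no
        //    manual escaping or sanitising.
        $stmt = $conn->prepare("SELECT * FROM `$table` WHERE name = ?");
        $stmt->bind_param('s', $name);
        $stmt->execute();

        // 3. mysqli_stmt has no fetch_array(); get_result() returns a
        //    mysqli_result (needs the mysqlnd driver), which does.
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    } finally {
        // 4. Closing is not strictly required (PHP closes the link when the
        //    script ends), but releasing it early frees a server-side
        //    connection slot and keeps long-running scripts from hoarding them.
        $conn->close();
    }
}

// Usage (assumes $dbConfig is defined as in the question):
// foreach (fetchRowsByName($dbConfig, 'customers', 'Alice') as $row) {
//     printf("Name is: %s<br>\n", htmlspecialchars($row['name']));
// }
```

Passing the row through `htmlspecialchars()` before echoing it keeps database content from being interpreted as HTML in the page.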