I'm working on a school project involving a website with database integration. Currently working on adding new content (text, titles, images) to the website through it. I can already add new users to the database through the website, but for some reason the same code and logic doesn't apply for the content.

I noticed that printing $stmt with echo does not print anything.

<?php

include "../conn.php";

// Note: the last two column names are wrapped in single quotes, so MySQL reads them as string literals rather than identifiers; prepare() then fails and returns false.
$sql = "INSERT INTO `contenido` (`id_contenido`, `tipo_contenido`, `id_seccion`, `orden_contenido`, `largo_contenido`, 'corto_contenido', 'extra_contenido') VALUES (NULL, '".$_POST["tipo"]."', '".$_GET['id']."','".$_POST["orden"]."','".$_POST["largo"]."','".$_POST["corto"]."','".$_POST["extra"]."')";

$stmt = $conn->prepare($sql);
if ($stmt = $conn->prepare($sql))
{
    //echo "It worked";

    $stmt->execute();
    $last_id = $conn->insert_id;

    header("Location: editarContenidos.php?id=".$_GET['id']);
}

?>

Expected Results: The content information is uploaded to the database and the user is redirected to the Edit Contents page (editarContenidos.php)

Actual Results: White screen, no errors. Since the if condition is false, you are never redirected and the content is not uploaded to the database.

NOTE: The Insert User .php is working with the same logic and syntax; I'm not experienced enough with PHP to understand what I'm doing wrong.

Heidren
  • There's not enough information here to answer the question; please show your `$_POST` content, ensuring that each of the values are set. It would be a good idea to check these with `isset()`. Also check they match your database values correctly, and that you have the required permission to run the operation. Finally, [**check for error messages**](https://stackoverflow.com/questions/845021/how-to-get-useful-error-messages-in-php) in the output. – Obsidian Age Jan 28 '19 at 02:04
  • Please also be aware that your code is **vulnerable** to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Never use `$_POST` directly in SQL statements! You should use [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead, binding to variables. Also ensure that your database user only has the [**required privileges**](https://en.wikipedia.org/wiki/Principle_of_least_privilege). You can refer to [**this post**](http://stackoverflow.com/questions/60174) for further information on how to prevent SQL injection in PHP :) – Obsidian Age Jan 28 '19 at 02:04
  • Finally, `header()` will never trigger after you `echo` content to the page. Your redirect should work correctly, assuming you do not echo out `it worked`. – Obsidian Age Jan 28 '19 at 02:05
  • I am aware it's vulnerable to SQL injection, as we have not seen that topic in class yet. Thanks for the links anyway; I will give them a read when I get the chance. Can you specify what you mean by checking that the values are set? Some of the values are empty because that's the way it is in the database. How do I check if the values match the database directly? I do have the required permission, since I have 2 other .php files that do basically the same operation as this .php. Thanks again – Heidren Jan 28 '19 at 02:37

2 Answers

I am assuming id_contenido is an auto_increment field, and I'm not sure how the backticks work in various languages. I would recommend adding some error handling (PDO::errorInfo) and changing the SQL code to:

$sql = "INSERT INTO contenido (tipo_contenido, id_seccion, orden_contenido, largo_contenido, corto_contenido, extra_contenido) VALUES ('".$_POST["tipo"]."', '".$_GET['id']."','".$_POST["orden"]."','".$_POST["largo"]."','".$_POST["corto"]."','".$_POST["extra"]."')";

There is a $_GET['id'] in the SQL code and I can't tell if that is intentional.

I would recommend using parameters and some debugging using print_r($_POST).

Try the following code:

<?php

include "../conn.php";

// Assumes $conn is a PDO connection (this answer uses PDO methods throughout).
// The column list and the placeholders must have the same count: six columns, six ?.
$sql = "INSERT INTO contenido (tipo_contenido, id_seccion, orden_contenido, largo_contenido, corto_contenido, extra_contenido) VALUES (?,?,?,?,?,?)";

$stmt = $conn->prepare($sql);
if ($stmt)
{
    //echo "It worked";

    // Values are bound to the placeholders in order; nothing is concatenated into the SQL string.
    $stmt->execute(array($_POST["tipo"], $_GET['id'], $_POST["orden"], $_POST["largo"], $_POST["corto"], $_POST["extra"]));
    $last_id = $conn->lastInsertId();

    header("Location: editarContenidos.php?id=".$_GET['id']);
}
else
{
    // Show why prepare() failed instead of leaving a blank page.
    print_r($conn->errorInfo());
}

?>
  • Hey, thanks for answering. I tried your code and it doesn't seem to change anything. It still shows a white screen only and there is no change in the database. – Heidren Jan 28 '19 at 06:48
I found out what the problem was. The quotation marks were not properly used. The following code worked:

<?php

include "../conn.php";

$sectionid = $_GET['id'];

// The column names are now plain identifiers; the earlier version wrapped two of them in single quotes, which turned them into string literals and made prepare() fail.
$sql = "INSERT INTO contenido (id_contenido, tipo_contenido, id_seccion, orden_contenido, largo_contenido, corto_contenido, extra_contenido) VALUES (NULL, '".$_POST["tipo"]."', '".$sectionid."','".$_POST["orden"]."','".$_POST["largo"]."','".$_POST["corto"]."','".$_POST["extra"]."')";

//echo $sql;

if ($stmt = $conn->prepare($sql))
{
    $stmt->execute();
    $last_id = $conn->insert_id;

    header("Location: editarContenidos.php?id=".$sectionid);
}

?>
Heidren
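The working code above still builds the SQL string from $_POST and $_GET values, which is the SQL injection risk raised in the comments on the question, and it still gives a blank page when prepare() fails (the symptom that hid the quoting mistake in the first place). The following is an added example, not code from the asker or either answer: the same INSERT written with a mysqli prepared statement and bound parameters, with mysqli error reporting switched on so a failed prepare() produces a visible error. It assumes, as the question does, that ../conn.php defines $conn as a mysqli connection; the table and column names and the form field names are taken from the question, and treating id_seccion as an integer and the other columns as strings is an assumption.

```php
<?php
// Added example (not the question's or answers' code): hardened form of the
// contenido INSERT. Assumes ../conn.php defines $conn as a mysqli connection.
declare(strict_types=1);

// Make mysqli throw exceptions on errors instead of silently returning false,
// so a bad statement is reported rather than producing a white screen.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include "../conn.php";

// Check that every form field is present. Empty strings are accepted because
// the asker notes that some columns are legitimately empty in the database.
$fields = ['tipo', 'orden', 'largo', 'corto', 'extra'];
foreach ($fields as $f) {
    if (!isset($_POST[$f])) {
        http_response_code(400);
        exit("Missing form field: " . htmlspecialchars($f));
    }
}

// The section id comes from the query string; require an integer (assumed type).
$sectionId = filter_var($_GET['id'] ?? null, FILTER_VALIDATE_INT);
if ($sectionId === false) {
    http_response_code(400);
    exit("Missing or invalid section id");
}

// Column names are identifiers: backticks (or no quotes) are valid here, single
// quotes are not. Values are never concatenated into the SQL; each ? is bound.
// id_contenido is omitted so the auto_increment column assigns itself.
$sql = "INSERT INTO `contenido`
        (`tipo_contenido`, `id_seccion`, `orden_contenido`,
         `largo_contenido`, `corto_contenido`, `extra_contenido`)
        VALUES (?, ?, ?, ?, ?, ?)";

try {
    $stmt = $conn->prepare($sql);
    // One type letter per placeholder, in order: s = string, i = integer.
    // Column types other than id_seccion are assumed to be text.
    $stmt->bind_param(
        "sissss",
        $_POST['tipo'],
        $sectionId,
        $_POST['orden'],
        $_POST['largo'],
        $_POST['corto'],
        $_POST['extra']
    );
    $stmt->execute();
    $lastId = $conn->insert_id;
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep the detail server-side; the user gets a generic message.
    error_log("contenido insert failed: " . $e->getMessage());
    http_response_code(500);
    exit("Could not save the content.");
}

// Nothing has been echoed before this point, so the redirect header is sent.
header("Location: editarContenidos.php?id=" . $sectionId, true, 303);
exit;
```

With MYSQLI_REPORT_STRICT enabled, the quoted column names from the original question would have raised a mysqli_sql_exception at prepare() naming the syntax error, instead of returning false and falling through to a blank page. Binding the values also means a form field containing a quote character is stored as data rather than altering the statement.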