-1

I'm trying to get a simple mysqli prepared statement to work. I'm running this script using an XMLHttpRequest.

On the website I'm working on you'll be able to give a bunch of inputs and I need to sanitize everything. Since mysqli_real_escape_string is not sufficient I have to use prepared statements.

This is the query without prepared statement:

$account = $_POST["passaccountname"];
$newFullName = $_POST["userNameUpdate"];

$mysqli = new mysqli('localhost', 'root', '', 'os_test');
$sql = $mysqli->query("UPDATE test_users SET FULLNAME='".$newFullName."' WHERE LOWER(REPLACE(NAME, ' ', ''))='".$account."'");

This worked perfectly but of course this is not secure!

So I looked into how to make a prepared statement and it didn't look to hard. I changed the passaccountname variable around and match it to the 'NAME' column/row.

Even though on the surface it seemed simple nothing seems to happen, this is the code now:

$account = $_POST["passaccountname"];
$newFullName = $_POST["userNameUpdate"];

$mysqli = new mysqli('localhost', 'root', '', 'os_test');
$sql = $mysqli->query("UPDATE test_users SET FULLNAME=? WHERE NAME=?");
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("ss", $n, $a);

$n = $newFullName;
$a = $account;
$stmt->execute();

Is there something wrong with my code? I really do not understand what I'm doing wrong here.

halfer
  • 19,824
  • 17
  • 99
  • 186
Miger
  • 1,175
  • 1
  • 12
  • 33
  • 2
    Remove query() call. – Dharman Dec 10 '19 at 12:33
  • Well change the `->query()` line to `$sql = "UPDATE test_users SET FULLNAME=? WHERE NAME=?";` would be better @Dharman – RiggsFolly Dec 10 '19 at 12:35
  • `$sql = "UPDATE test_users SET FULLNAME=? WHERE NAME=?"; $stmt = $mysqli->prepare($sql);` Also note you should have `LOWER(REPLACE(NAME, ' ', '')) = ?` to match your existing query – Nick Dec 10 '19 at 12:35
  • 2
    Why don't you just bind to the existing variables - `$stmt->bind_param("ss", $newFullName, $account);` rather than create new ones. – Nigel Ren Dec 10 '19 at 12:36
  • 2
    @Dharman bet you're wishing you'd answered instead of commenting! – Nick Dec 10 '19 at 12:37
  • @NigelRen Oh, that's a good point. Thanks. – Miger Dec 10 '19 at 12:39
  • 1
    @nick Sometimes I can't judge whether it should be closed as typo or answered. Plus I should actually be working, not wasting time on SO. – Dharman Dec 10 '19 at 12:39
  • @Dharman well I voted for typo... but I just can't see how you could call time on SO wasted!!!! :-) – Nick Dec 10 '19 at 12:39
  • 2
    The oddest thing is 2 people upvoted the question :( – RiggsFolly Dec 10 '19 at 12:40
  • 1
    @RiggsFolly I'm pretty sure the `Suffrage` and `Vox Populi` badges are the cause of a lot of such votes. – Nick Dec 10 '19 at 12:47

1 Answers1

4

You're almost there.

Currently you're trying to execute this query instead of prepare it:

$sql = $mysqli->query("UPDATE test_users SET FULLNAME=? WHERE NAME=?");

Remove the call to query(). You could just replace that line with:

$sql = "UPDATE test_users SET FULLNAME=? WHERE NAME=?";

Since you pass that variable to prepare() on the next line.

Edit: In response to a comment below, it's also generally a good idea to enable mysqli exceptions in your code. By default errors like this one "fail silently", which can make them difficult to catch. (This was likely just for backward compatability with previous mysql/mysqli error checking.)

By enabling these exceptions, these errors are more visibly reported and easier to find.

David
  • 208,112
  • 36
  • 198
  • 279
  • crazy how I didn't see that.. thanks a lot, it works now! – Miger Dec 10 '19 at 12:36
  • 2
    I would also recommend to enable MySQLi exceptions, because such mistakes would not be reported otherwise. – Dharman Dec 10 '19 at 12:37
  • I'm only using notepad++ – Miger Dec 10 '19 at 12:39
  • 1
    @Miger: I don't see what you're getting at in your last comment. While it's recommended to use a full IDE, any text editor is technically fine for editing code. But surely at some point you're *running* this code, which is where/when the error takes place? – David Dec 10 '19 at 12:41
  • I'm testing everything with XAMPP and while I'm sorry that this question was therefore quite unnecessary, such typos don't happen very often to me and usually I find them myself. I've never used mysqli before and also php is only now getting a little more familiar. I'm sorry for the inconvenience. – Miger Dec 10 '19 at 12:45
  • @Miger: No need to be sorry :) I just wanted to make sure you're not still experiencing an issue with the code. It looks like this question was a bit on the fence in the overall Stack Overflow debate of "answering or voting to close". Admittedly I thought about it a moment, but decided to answer. Others decided to vote to close. I don't think either course of action was incorrect, and as long as you got your answer then either way the exchange was successful. Battling for reputation points is a lesser concern than helping the community :) – David Dec 10 '19 at 12:47