
I am modifying my code against SQL injection. Commented out is the old code (two strings); uncommented is the new code. But I see no effect from the code: the database isn't updated and the debug info isn't printed. My server runs PHP 5.6. Neither "Success" nor "Error" is printed. Here's the code:

add_answer.php

// Added for this listing: the script as posted never created $dbh (the comment
// thread below finds this), so a PDO connection is assumed here, with exceptions
// enabled so that a failed prepare/execute is reported instead of returning false.
$dbh = new PDO("mysql:host=localhost;dbname=database;charset=utf8mb4", "username", "password");
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Insert answer
// Old code: user input interpolated straight into the SQL string (SQL injection)
//$sql2="INSERT INTO $tbl_name(question_id, a_id, a_name, a_email, a_answer, a_img, a_datetime)VALUES('$id', '$Max_id', '$a_name', '$a_email', '$a_answer', '$a_img', '$datetime')";
// New code: prepared statement with named placeholders; the values are sent to the
// server separately from the SQL text. Note that $tbl_name is still interpolated:
// identifiers cannot be bound, so it must come from trusted code, not from input.
$stmt = $dbh->prepare("INSERT INTO $tbl_name (question_id, a_id, a_name, a_email, a_answer, a_img, a_datetime)
VALUES (:qid, :aid, :nam, :eml, :ans, :img, :datet)");
$stmt->bindParam(':qid', $id);
$stmt->bindParam(':aid', $Max_id);
$stmt->bindParam(':nam', $a_name);
$stmt->bindParam(':eml', $a_email);
$stmt->bindParam(':ans', $a_answer);
$stmt->bindParam(':img', $a_img);
$stmt->bindParam(':datet', $a_datetime); // the old query used $datetime; make sure this variable is actually set
$result2 = $stmt->execute();
$stmt->debugDumpParams(); // prints the prepared SQL and the bound parameters, for debugging only
//$result2=mysql_query($sql2);
if ($result2)
    echo "Success";
else
    echo "Error";

1 Answer


Not sure it will work, but maybe try hard coding the table name rather than using a variable for it in the query.

  • I tried to enter the name of the table but with no result. – Alexey Podshivalin Aug 28 '20 at 02:08
  • I tried as you wrote but still no effect. – Alexey Podshivalin Aug 28 '20 at 02:17
  • Try removing the $result2 line and everything after and replace with this: $stmt->execute(); if ($stmt->affected_rows === 0) { // something} else { // something} – nrsbus Aug 28 '20 at 02:19
  • One more idea - try rewording entire syntax into this format: $stmt = $dbh->prepare("INSERT INTO tablename (colone,coltwo,colthree,colfour,colfive,colsix) VALUES (?,?,?,?,?)"); $stmt->bind_param("sssss", $varone, $vartwo, $varthree, $varfour, $varfive); $stmt->execute();if ($stmt->affected_rows === 0) { echo "no";} else {echo "yes";} – nrsbus Aug 28 '20 at 02:26
  • Also, double- and triple-check the exact column names... and test all variables. Null variables could possibly present a problem. – nrsbus Aug 28 '20 at 02:31
  • I didn't make the initial calls like connect on $dbh. Maybe that's the problem :) – Alexey Podshivalin Aug 28 '20 at 02:48
  • You didn't connect to the database? Hehe... We've all made mistakes like that at times... $dbh = new mysqli("localhost", "username", "password", "database"); if ($dbh->connect_error) { exit('Error connecting to database'); } – nrsbus Aug 28 '20 at 02:59
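The complete flow the thread arrives at, written out as an added example (this is not the asker's or the answerer's code): it creates the PDO connection that was missing, switches PDO to exception mode so a failed prepare or execute is reported rather than silently returning false, checks the table name against an allowlist because identifiers cannot be bound as parameters, and binds each value with an explicit type. It runs on PHP 5.6 (array() syntax, no scalar type hints). The DSN, credentials, the table names in the allowlist and the sample row values are placeholders constructed for the example.

```php
<?php
// Added example, not code from the question or answer. Assumes a MySQL database
// reachable with the placeholder credentials below and a table `answers` that has
// the columns used in the question's INSERT.
$dsn  = 'mysql:host=localhost;dbname=qa_db;charset=utf8mb4'; // assumed
$user = 'qa_user';                                            // assumed
$pass = 'secret';                                             // assumed

try {
    // The step the original script skipped: actually open the connection.
    $dbh = new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ));
} catch (PDOException $e) {
    // Keep the driver's message in the server log; never echo it to the browser.
    error_log('DB connect failed: ' . $e->getMessage());
    exit('Error connecting to database');
}

// Table and column names cannot be bound as parameters, so a table name held in a
// variable is only safe if it is checked against a fixed list of known tables.
$allowed_tables = array('answers', 'answers_archive'); // assumed names
$tbl_name = 'answers';
if (!in_array($tbl_name, $allowed_tables, true)) {
    exit('Invalid table');
}

// Sample values (constructed; in the real script these come from $_POST and
// from the earlier query that computes the next a_id).
$id         = 42;
$Max_id     = 7;
$a_name     = "Robert'); DROP TABLE answers; --"; // hostile input, inert once bound
$a_email    = 'robert@example.com';
$a_answer   = 'It depends.';
$a_img      = '';
$a_datetime = date('Y-m-d H:i:s');

try {
    $stmt = $dbh->prepare(
        "INSERT INTO `$tbl_name` (question_id, a_id, a_name, a_email, a_answer, a_img, a_datetime)
         VALUES (:qid, :aid, :nam, :eml, :ans, :img, :datet)"
    );
    // bindValue with explicit types: integers are sent as integers, not quoted strings.
    $stmt->bindValue(':qid',   (int) $id,     PDO::PARAM_INT);
    $stmt->bindValue(':aid',   (int) $Max_id, PDO::PARAM_INT);
    $stmt->bindValue(':nam',   $a_name,       PDO::PARAM_STR);
    $stmt->bindValue(':eml',   $a_email,      PDO::PARAM_STR);
    $stmt->bindValue(':ans',   $a_answer,     PDO::PARAM_STR);
    $stmt->bindValue(':img',   $a_img,        PDO::PARAM_STR);
    $stmt->bindValue(':datet', $a_datetime,   PDO::PARAM_STR);
    $stmt->execute();

    // For an INSERT, rowCount() is the number of rows written: exactly one on success.
    if ($stmt->rowCount() === 1) {
        echo "Success";
    } else {
        echo "Error";
    }
} catch (PDOException $e) {
    error_log('Insert failed: ' . $e->getMessage());
    echo "Error";
}
```

With ERRMODE_EXCEPTION on, the symptom in the question (nothing printed at all) cannot occur silently: an undefined $dbh is a fatal error that shows up in the PHP error log, and any SQL-level failure lands in the catch block. The hostile $a_name value is stored verbatim as a string because the value travels separately from the query text; that separation, not escaping, is what closes the injection.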