-2

I've got this code:

if (isset($_POST['save'])) {
    $name = $_POST['name'];
    $price = $_POST['price'];
    $description = $_POST['description'];
    $new_description = str_replace("'", "\'", $description);
    $cat_name = $_POST['dropdown'];

    $cat_id = mysqli_query($db, "SELECT cat_id FROM category where cat_name = '$cat_name';");

    mysqli_query($db, "INSERT INTO products (item_name, item_price, item_cat_id, item_descr) VALUES ('$name', '$price', '$cat_id', '$new_description')"); 
    $_SESSION['message'] = "Le produit a été ajouté avec succès!"; 
    header('location: admin.php');
}

I wanted to fetch the category id using the category name and use it to set the value of the item_cat_id column in the products table.

But when I click save I get this error instead:

Fatal error: Uncaught Error: Object of class mysqli_result could not be converted to string in C:\xampp\htdocs\jst\server.php:23
Stack trace:
#0 {main} thrown in C:\xampp\htdocs\jst\server.php on line 23

Dharman
  • 30,962
  • 25
  • 85
  • 135
Ashref Boubakri
  • 15
  • 3
  • 1
    `echo $cat_name = $_POST['dropdown'];` to see if you get a value, and use prepared statement against sql injections your code is open to injections. and see here for mysqli query https://www.php.net/manual/en/mysqli.query.php –  Dec 25 '20 at 23:09
  • 2
    `mysqli_query()` does not return a scalar value from `SELECT`. It returns a result resource on which you must use `mysqli_fetch_assoc()` to get an array where you have access to `cat_id`. – Michael Berkowski Dec 25 '20 at 23:34
  • 3
    **Warning!** You are _wide open_ for [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) attacks! You should use parameterized [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of using completely unescaped user data directly in your queries like that. _Never ever ever never_ trust user input. – M. Eriksson Dec 25 '20 at 23:54
  • Does this answer your question? [How to find all tables that have foreign keys that reference particular table.column and have values for those foreign keys?](https://stackoverflow.com/questions/806989/how-to-find-all-tables-that-have-foreign-keys-that-reference-particular-table-co) – Rohit Sharma Dec 26 '20 at 07:29

1 Answers1

1

See mysqli_query return values.

It returns either false, true, or mysqli_result object, depending on the query and if successful or not. Obviously the result is a mysql_result object, hence the error "...Object of class mysqli_result could not be converted to string..." in your second mysqli_query(). See mysql_result.

But first, don't directly use user-provided data. That leads to SQL injection. Use prepared statements instead.

$cat_id = null;
$stmt = mysqli_prepare($db, 'SELECT cat_id FROM category where cat_name = ?');
mysqli_stmt_bind_param($stmt, 's', $cat_name);
mysqli_stmt_execute($stmt);  // true on success, otherwise false
mysqli_stmt_bind_result($stmt, $cat_id);  // true on success, otherwise false;
mysqli_stmt_fetch($stmt);  // true on success, false if not, null if no more data
...
$stmt = mysqli_prepare($db, 'INSERT INTO products (item_name, item_price, item_cat_id, item_descr) VALUES (?, ?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'sdis', $name, $price, $cat_id, $new_description);
...

You don't actually need to query for the category id given a category name. Instead pass the category id instead. For example in HTML:

<form ...>
    <select ...>
        <option value="1" ...>Some category name</option>
        ...
    </select>
</form>

Though this doesn't mean you won't need to query for the category. You still need to, to make sure the category id is valid or not. Of course this might not be possible if you don't control the frontend/html/ui/etc.

loydg
  • 229
  • 2
  • 3