I have a function called create:

function create($table, $data)
{
    global $conn;
    $sql = "INSERT INTO $table SET ";

    $i = 0;
    foreach ($data as $key => $value) {
        if ($i === 0) {
            $sql = $sql . " $key=?";
        } else {
            $sql = $sql . ", $key=?";
        }
        $i++;
    }

    $stmt = executeQuery($sql, $data);
    $id = $stmt->insert_id;
    return $id;
}

And the executeQuery inside this function:

function executeQuery($sql, $data){

    global $conn;
    $stmt = $conn->prepare($sql);
    $values = array_values($data);
    $types = str_repeat('s', count($values));
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    return $stmt;
}

The form that I try to submit with:

          <form action="myedit.php" method="post">
            <div class="input-group">
              <label>Om mig</label>
              <textarea class="text-input" name="about" id="john"></textarea>
            </div>
            <div class="input-group">
              <button type="submit" name="change-about" class="btn">Ändra om mig</button>  
            </div>
          </form>

and the code:

<?php
    include(ROOT_PATH . '/app/database/db.php');
    $table = 'about_me';
    
    if(isset($_POST['change-about'])){
    
        unset($_POST['change-about']);
        $about = create($table, $_POST);
        $_SESSION['message'] = 'innehåll ändrat';
        $_SESSION['type'] = 'success';
        header("location: " . BASE_URL . "/index.php");
        exit();
    }
       

Now the row in the database is named about. The table is named about_me. The function has worked fine in other files with other tables. The message gets displayed and I get redirected to index.php, but still nothing is in the row. The names are correct, so I'm at a loss here.

  • If nothing is inserted into database then debug your sql and execute query. Look for errors with `try { $pdo->beginTransaction(); $stmt->execute(); $pdo->commit(); }catch (Exception $e){ $pdo->rollback(); throw $e; }` – user2463644 Jan 02 '21 at 09:53
  • "nothing is in the row"...you mean a row is created without anything in the fields? Or you mean no row is created at all? – ADyson Jan 02 '21 at 09:58
  • Anyway, if you don't see errors, please ensure error logging is switched on in PHP and mysqli is set to throw errors when SQL problems occur. Then re-run the code and check the log file. That might give you a better clue. Your current code doesn't seem to be checking for errors currently. See https://stackify.com/php-error-logs-guide/ (php error logging/reporting) https://stackoverflow.com/a/14578644/5947043 (mysqli error handling) if you need guidance on setting this up. – ADyson Jan 02 '21 at 10:00
  • @user2463644 nice idea but it's clearly shown in the question and the tags that the OP is using mysqli not PDO. Although possibly the code would work with mysqli anyway despite you calling the variable $pdo. But adding general error handling for mysqli (as per my comment) is necessary before it would work, too. – ADyson Jan 02 '21 at 10:00
  • First of all, **your function is vulnerable to SQL injection!** See here https://phpdelusions.net/pdo/sql_injection_example for the explanation. And then implement a whitelisting filter for the field names added to the query. Here is an example, https://codereview.stackexchange.com/q/253882/101565 – Your Common Sense Jan 02 '21 at 10:08
  • By the way, your executeQuery() is top notch (though using global is frowned upon). However, selectOne() is horrible. There is absolutely no point in having a function like this. A simple, regular, raw SQL will be a whole world better – Your Common Sense Jan 02 '21 at 10:10
  • Thanks for the sql injection reminder. I was pretty certain the code was secure – curioususer Jan 02 '21 at 11:53
  • @ADyson no row is created at all – curioususer Jan 02 '21 at 11:58
  • Ok well, do the error checking as I mentioned above. – ADyson Jan 02 '21 at 12:08
  • @ADyson But I do get error messages for other errors. I just had a file there I forgot to include root_path file and it gave me an undefined root_path. – curioususer Jan 02 '21 at 12:21
  • You have to do an extra step to make sure mysqli errors are reported. I gave you information about that in my earlier comment – ADyson Jan 02 '21 at 12:39
  • @ADyson I managed to figure it out when it reported the error. I had to remove a foreign constraint in the table after id. Then it somehow worked. Do you know why that was the case? – curioususer Jan 03 '21 at 11:44
  • Not without knowing anything about the database or seeing the exact error, no – ADyson Jan 03 '21 at 12:12
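
The field-name allowlist and the mysqli error reporting recommended in the comments, combined in one added example (this is not code from the question or from any commenter). The `ALLOWED_COLUMNS` map, the `buildInsert()` helper and passing `$conn` as a parameter are assumptions; only the `about_me` table and `about` column come from the question.

```php
<?php
// Assumed allowlist: the question names only the table about_me and the column about.
const ALLOWED_COLUMNS = [
    'about_me' => ['about'],
];

/**
 * Build the INSERT used by create() from allowlisted identifiers only.
 * Returns [sql, values]; throws if the table or any array key is not allowlisted.
 */
function buildInsert(string $table, array $data): array
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }
    $unknown = array_diff(array_keys($data), ALLOWED_COLUMNS[$table]);
    if ($data === [] || $unknown !== []) {
        throw new InvalidArgumentException('No fields or unexpected fields: ' . implode(', ', $unknown));
    }
    $assignments = [];
    foreach (array_keys($data) as $column) {
        $assignments[] = "`$column`=?";
    }
    return ["INSERT INTO `$table` SET " . implode(', ', $assignments), array_values($data)];
}

function create(mysqli $conn, string $table, array $data): int
{
    // Make mysqli throw on SQL errors (such as a failing foreign key) instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    [$sql, $values] = buildInsert($table, $data);
    $stmt = $conn->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Constructed sample input; the query builder is exercised without a database connection.
[$sql, $values] = buildInsert('about_me', ['about' => 'Hello']);
echo $sql, PHP_EOL;

try {
    // A posted field name that is not a known column is rejected before any SQL is built.
    buildInsert('about_me', ['about=?, id' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the report mode set, a failed `execute()` raises `mysqli_sql_exception`, so the success message and redirect in the calling script are not reached when the insert fails.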

0 Answers