-2

In my inventory management app, for the update functionality, after setting up the SQL I'm executing the $stmt, and if it executes successfully I head to the home page; otherwise I do some other actions. In the if statement where I'm preparing the SQL command and executing it, I'm closing the $stmt with $stmt->close(), but this throws the error above. I followed answers to some other questions that suggested moving the close() line inside the if statement, but it didn't work.

Update.php

    // Check input errors before inserting in database
    if(empty($itemname_err) && empty($itemnumber_err) && empty($cost_err)&& empty($details_err)){
        // Prepare an update statement
        $sql= "UPDATE inventory SET itemname=$itemname, itemnumber=$itemnumber, cost=$cost,details=$details, WHERE id = $id";
      
        if($stmt = $mysqli->prepare($sql)){
   
            // Set parameters
            $param_itemname = $itemname;
            $param_itemnumber = $itemnumber;
            $param_cost = $cost;
            $param_details = $details;
            $param_id = $id;
    
            //$stmt->bind_param("sssss", $param_itemname, $param_itemnumber, $param_cost, $param_details, $param_id);
            // Attempt to execute the prepared statement
            if($stmt->execute()){
                // Records updated successfully. Redirect to landing page
                header("location: index.php");
                exit();
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
        }
        // Close statement
        $stmt->close(); // here's the problem line
    }
    // Close connection
    $mysqli->close(); 
    }else{
        ...
}

I tried checking the SQL but it seemed fine to me. So, any suggestions?

RiggsFolly
buzz

1 Answer

0

You are using the concept of preparing a query all wrong. The idea is that you prepare a query with placeholders in it, and not the actual data. Removing the data from the query compile phase removes the ability to inject bad code into the SQL.

The error you are getting is because the prepare is failing and therefore your code jumps to the line after the IF, where you attempt to use the $stmt variable, which now contains FALSE, as if it were an object, which it would have been if the query had been successful.

So try this

    // Check input errors before inserting in database
    if( empty($itemname_err) && empty($itemnumber_err) && 
        empty($cost_err) && empty($details_err))
    {
        // Prepare an update statement
        $sql= "UPDATE inventory SET itemname=?, itemnumber=?, 
                                    cost=?, details=? 
                                    WHERE id = ?";
      
        $stmt = $mysqli->prepare($sql);
    
        $stmt->bind_param("sidsi", $itemname, $itemnumber, 
                                    $cost, $details, $id);
        // Attempt to execute the prepared statement
        if($stmt->execute()){
            // Records updated successfully. Redirect to landing page
            header("location: index.php");
            // these 2 are unnecessary but if they go anywhere it 
            // should be before the exit statement
            $stmt->close();
            $mysqli->close(); 

            exit();
        } else{
            echo "Oops! Something went wrong. Please try again later.";
        }
    }
RiggsFolly
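The two points in the answer above (placeholders instead of interpolated data, and never calling close() on a failed prepare) combined in one function, as an added example that is not code from the question or the answer. It assumes the inventory table from the question; the function name update_item and the connection values are hypothetical.

```php
<?php
// Added example. Assumes the question's inventory table with columns
// itemname, itemnumber, cost, details and id.

// Make mysqli throw mysqli_sql_exception instead of returning false,
// so a failed prepare() can never leave a boolean in $stmt.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// update_item is a hypothetical helper name.
function update_item(mysqli $mysqli, string $itemname, int $itemnumber,
                     float $cost, string $details, int $id): bool
{
    $stmt = null;
    try {
        // Placeholders only: user data never becomes part of the SQL text.
        $stmt = $mysqli->prepare(
            "UPDATE inventory SET itemname=?, itemnumber=?, cost=?, details=? WHERE id=?"
        );
        // Same type string as the answer: string, int, double, string, int.
        $stmt->bind_param("sidsi", $itemname, $itemnumber, $cost, $details, $id);
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; show the user only a generic message.
        error_log("inventory update failed: " . $e->getMessage());
        return false;
    } finally {
        // close() is only reached on an object that prepare() really returned.
        if ($stmt instanceof mysqli_stmt) {
            $stmt->close();
        }
    }
}

// Hypothetical usage; host, credentials and database name are placeholders,
// and the item values are constructed sample data.
$mysqli = new mysqli("localhost", "app_user", "app_password", "inventory_db");
if (update_item($mysqli, "Widget", 1001, 9.99, "Blue widget", 1)) {
    header("Location: index.php");
    exit();
}
echo "Oops! Something went wrong. Please try again later.";
```

With the question's original SQL string (values interpolated and a stray comma before WHERE), prepare() would throw here and the catch branch would log the syntax error instead of the script failing on $stmt->close().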