0

Edit: Professor Abronsius solved it in his comment, just replaced:

$stmt = $conn->prepare('SELECT * FROM table6_2');
$stmt->execute();

with:

$result = $conn->query('SELECT * FROM table6_2');

and then used $result instead of $stmt in the loop.

I'm trying to make a simple comment function for a blog, where I want to insert the sql data into an HTML form. My original code worked but after reading a bit more I wanted to make it more secure and use bind_param and rewrote the code to use the OOP syntax.

Now it only inserts 10 blank rows, no matter what the table contains, even if its completely empty.. What am I doing wrong?

Original code:

//Create connection
if (!$dbc = @mysqli_connect($servername, $username, $pw, $dbname)) { 
    print '<p> Cant connect to database because : <br>'.mysqli_error($dbc);
}
//creates table if it doesnt exist
$query = 'CREATE TABLE IF NOT EXISTS table6_2 (id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, namn varchar(100), email varchar(100), homepage varchar(100), comment varchar(5000), date_entered DATETIME NOT NULL) CHARACTER SET utf8';
            

if (!@mysqli_query($dbc, $query)){
    print '<p style="color: red;">Could not create the table because:<br>' . mysqli_error($dbc) . '.</p><p>The query being run was: ' . $query . '</p>';
}

//RFills out $form in $html with entries from table6_2 and replaces $form with them

function get_results(){
    $query = 'SELECT * FROM table6_2';
    global $html;
    global $dbc;
    global $form;
    $entries = ""; //will contain all stored entries from the database, in the correct format

    if($result=@mysqli_query($dbc,$query)){
        while($row = mysqli_fetch_array($result)){
            //stores this row in a html-encoded string based on $form
            $this_row = $form; 

            $this_row = str_replace('---no---',$row['id'],$this_row);
            $this_row = str_replace('---time---',$row['date_entered'],$this_row);
            $this_row = str_replace('---name---',$row['namn'],$this_row);
            $this_row = str_replace('---email---',$row['email'],$this_row);
            $this_row = str_replace('---homepage---',$row['homepage'],$this_row);
            $this_row = str_replace('---comment---',$row['comment'],$this_row);

            $entries.=$this_row;
        }
    } else {
        print '<p style="color: red;">Could not count entries because:<br>' . mysqli_error($dbc) . '.</p><p>The query being run was: ' . $query . '</p>';
    }

    $html = str_replace($form,$entries,$html);

}

New code:

// Create connection
$conn = new mysqli($servername, $username, $pw, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

//creates table if it doesnt exist
$stmt = $conn->prepare('CREATE TABLE IF NOT EXISTS table6_2 (id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, namn varchar(100), email varchar(100), homepage varchar(100), comment varchar(5000), date_entered DATETIME NOT NULL) CHARACTER SET utf8');
$stmt->execute();            

//Fills out $form in $html with entries from table6_2 and replaces $form with them

function get_results(){
    global $stmt;
    global $conn;
    global $html;
    global $form;
    $stmt = $conn->prepare('SELECT * FROM table6_2');
    $stmt->execute();
    $entries = ""; //will contain all stored entries from the database, in the correct format
    $counter = 0; //CHECK THIS! debugging only remove in final version
    foreach ($stmt as $row){
        global $counter;
        //stores this row in a html-encoded string based on $form
        $this_row = $form; 

        $this_row = str_replace('---no---',$row['id'],$this_row);
        $this_row = str_replace('---time---',$row['date_entered'],$this_row);
        $this_row = str_replace('---name---',$row['namn'],$this_row);
        $this_row = str_replace('---email---',$row['email'],$this_row);
        $this_row = str_replace('---homepage---',$row['homepage'],$this_row);
        $this_row = str_replace('---comment---',$row['comment'],$this_row);

        $entries.=$this_row;

        //CHECK THIS! debugging only remove in final version
        print '<p> One row submitted.<p>';
        $counter = $counter + 1; 
        print '<p> Counter is '.$counter.'<p>'; 

    }

    $html = str_replace($form,$entries,$html);

}
Bjathr
  • 85
  • 1
  • 10
  • 1
    You need to `fetch` the data - `foreach ($stmt as $row){` is not correct – Professor Abronsius Jan 12 '22 at 09:19
  • 2
    In that `select` query there is no need for a prepared statement as it is a simple select - you could simply use `query($sql);` – Professor Abronsius Jan 12 '22 at 09:21
  • 1
    Prepared Statements and `bind_param` are great, but as far as I can see your query doesn't actually have any parameters, so there's not a great deal of point in it _for this specific query_. It's a good habit to get into, as is not using `SELECT *` unless you actually want to use all the columns in the table - you should only retrieve what you need. – droopsnoot Jan 12 '22 at 09:24

0 Answers0