0

I'm working on a forum software currently.

I have a class called User, within that class I have a method called GetUserGroup to determine what group the user is in.

I am running the query and assoc the same way I've been doing with all my other queries, I'm not sure what I'm doing wrong, I've looked over the query for syntax errors but just don't see any.

Fatal error: Uncaught Error: Object of class Product could not be converted to string in C:\xampp\htdocs\LAB3\Entities\product.class.php:27 Stack trace: #0 C:\xampp\htdocs\LAB3\add_product.php(15): Product->save() #1 {main} thrown in C:\xampp\htdocs\LAB3\Entities\product.class.php on line 27

Here's the whole page:

<?php //IDEA:
require_once("/xampp/htdocs/LAB3/config/db.class.php");
/**
 * 
 */
class Product {
   public $productID;
   public $productName;
   public $cateID;
   public $price;
   public $quantity;
   public $description;
   public $picture;

   public function __construct($pro_name, $cate_id, $price, $quantity, $desc, $picture) {
      $this -> productName = $pro_name;
      $this -> cateID = $cate_id;
      $this -> price = $price;
      $this -> quantity = $quantity;
      $this-> description = $desc;
      $this -> picture = $picture;
   }
   //luu san pham 
   public function save() {
      $db = new Db();
      //them product vao csdl
      $sql = "INSERT INTO Product(ProductName, CateID, Price, Quantity, Description, Picture) VALUES ('$this->productName','$this -> cateID','$this -> price','$this -> quantity','$this -> description','$this -> picture')";

      $result = $db -> query_execute($sql);
      echo "<pre>";
      print_r($result);
      echo "</pre>";
      return $result;
   }
   public static function list_product () {
      $db = new Db();
      $sql = "SELECT * FROM product";
      $result = $db -> select_to_array($sql);
      return $result;
   }
}
?>
Shadow
  • 33,525
  • 10
  • 51
  • 64
edward
  • 1
  • 2
    ___Quite Likely___ Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's instead of concatenating user provided values into the query. Never trust ANY user input! This will also remove the unescaped character issue like a `'` in a text string. – RiggsFolly Sep 23 '22 at 11:21
  • The error is not with the sql statement, but with the php code. – Shadow Sep 23 '22 at 11:28
  • Remove the space in `$this -> cateID'` to `$this->cateID'` and all the others – RiggsFolly Sep 23 '22 at 11:30
  • 1
    However if you were using a proper Prepared and Bound query this would not have happened – RiggsFolly Sep 23 '22 at 11:30
  • Please read [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement) – ADyson Sep 23 '22 at 14:24

0 Answers0