Mysqli Update Help

[SlayerACC]

What am i doing wrong?

PHP Code:

$mysqli = new mysqli("localhost", "user", "pass", "db");
if (!$mysqli) {
$mysqli=("UPDATE `home` SET `text`='$text' WHERE `home_id`='$home_id'");
}
mysqli_query($mysqli); 


Thanks in advance.


Slayer.

[Fou-Lu]

You're overwritting the $mysqli object with a string. I'm also not sure what you are trying to do with the if; mysqli will return an object even if you failed to connect, so you want to use mysqli_connect_error/errno to deal with connection errors.

Procedural mysqli_query will also require two arguments, the first being the mysqli object and the second being the string to execute.

[SlayerACC]

Thanks Fou Lou.


I have got this to work so far.

PHP Code:

$mysqli = new mysqli("localhost", "user", "pass", "db");

$stmt = $mysqli->prepare("UPDATE `home` SET `text`='$text' WHERE `home_id`='$home_id'");
$stmt->execute(); 
$stmt->close(); 


Still need to know what else is needed and what is correct..

Thanks. Slayer.

[Fou-Lu]

You need to make sure you connect.

PHP Code:

if ($mysqli->connect_errno)
{
    die('Could not connect to database: ' . mysqli_connect_error($mysqli)); // this bug is fixed in 5.3+ so you can use $mysqli->connect_error() instead if you have 5.3+
} 


That is also not the proper use of a prepared statement. If you are not making use of prepared statements (and you should be for anything that accepts variable data), than you may as well just use the query method.

PHP Code:

if ($stmt = $mysqli->prepare("UPDATE `home` SET `text`=? WHERE `home_id`=?"))
{
    $stmt->bind_param('ss', $text, $home_id);
    $stmt->execute();
    $stmt->close();
} 


[SlayerACC]

What is an example of the query method?

I am becoming lost again...

What are the differences in how it works?:

PHP Code:

$mysqli = new mysqli("localhost", "user", "pass", "db"); 

$stmt = $mysqli->prepare("UPDATE `home` SET `text`='$text' WHERE `home_id`='$home_id'"); 
$stmt->execute();  
$stmt->close(); 


and yours?

PHP Code:

if ($stmt = $mysqli->prepare("UPDATE `home` SET `text`=? WHERE `home_id`=?"))
{
    $stmt->bind_param('ss', $text, $home_id);
    $stmt->execute();
    $stmt->close();
} 


Thanks... Sorry Fou Lou...


Slayer.

[tangoforce]

Quote:

Originally Posted by SlayerACC

What are the differences in how it works?:

PHP Code:

$stmt = $mysqli->prepare("UPDATE `home` SET `text`='$text' WHERE `home_id`='$home_id'"); 


and yours?

PHP Code:

if ($stmt = $mysqli->prepare("UPDATE `home` SET `text`=? WHERE `home_id`=?"))
{
    $stmt->bind_param('ss', $text, $home_id);
} 


The difference is pretty obvious .. The first one is a bog standard query and you should be using mysqli_query() for it.

The second one is a prepared statement. You see those ? marks? They are called place holders. This tells mysqli that it is a place holder for data which will be supplied seperately. You then bind your data to the appropriate parameters and supply the data seperately. Mysqli then uses that data and does what the statement was telling it to do with it. As I understand this, it deals with the statement and the actual data seperately thus meaning that the query can't be injected with malicious instructions / data because the data is kept seperate.

[SlayerACC]

Hey Tango..

What is the SS for and where did it come from?

PHP Code:

$stmt->bind_param('ss', $text, $home_id); 


[tangoforce]

It's the order and type of data.

In this case, you have a string and then another string - hence ss. Then you put your types (in this case the ss) and variables in the same order as the statement - Say you had a string and an integer.. you'd use si and then put your $string and $Integer in bind_param() in that order like this:
bind_param('si', $String, $Integer);

See this page for more:
http://www.php.net/manual/en/mysqli-stmt.bind-param.php

[SlayerACC]

Hey thanks again Tango..


This is all seeming to be alot more confusing and complicated to the standard mysql ways...

I will see what I can figure out...Still not sure if I will get this..

I will let ya know..


Slayer.

[SlayerACC]

Okay I think I have this one now. at least I hope so...

I just cant get over all the steps to get it done!!

PHP Code:

$text=$_POST['text'];

$text= addslashes($text);

$stmt = new mysqli("localhost", "user", "pass", "db");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$stmt = $mysqli->prepare("UPDATE `home` SET `text` = ? WHERE `home_id` = ?");
$stmt->bind_param('si', $text, $_POST['home_id']);
$stmt->execute();
$stmt->close(); 


thanks Slayer.

[SlayerACC]

Why does this not work??

PHP Code:

$image=$filename;

$stmt = new mysqli("localhost", "user", "pass", "db");
$stmt = $mysqli->prepare("INSERT INTO artist(`artist_id`, `name`, `bio`, `email`, `specialities`, `photo`, `title`) VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('issssss', $_POST['artist_id'], $_POST['name'], $_POST['bio'], $_POST['email'], $_POST['specialities'], $image, $_POST['title']);
$stmt->execute();
$newId = $stmt->artist_id;
$stmt->close(); 


This is really making me angry... I have tried so many examples to this point .. I should have got this insert by accicdent already..

All help is appreciated.


Thanks, Slayer.

[SlayerACC]

I have it figured out....


Yahoo!!!

PHP Code:

$mysqli = new mysqli("localhost", "user", "pass", "db");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$stmt = $mysqli->prepare("INSERT INTO artist(`artist_id`, `name`, `bio`, `email`, `specialities`, `photo`, `title`) VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('sssssss', $_POST['artist_id'], $_POST['name'], $_POST['bio'], $_POST['email'], $_POST['specialities'], $image, $_POST['title']);
$image=$filename;
$stmt->execute();
$newId = $stmt->artist_id;
$stmt->close(); 


Slayer