MYSQLI Statement help please

01-26-2012, 08:17 PM
I have created a blog for learning PHP and have created the login, register and delete pages using mysqli statements. I am on to the edit page and am getting a syntax error, and I cannot see what is wrong.

$stmt = $mysqli->prepare("SELECT postID,title,content,author,image FROM posts where postID = ?");

The edit page is a link that gets the postID with the correct postID. How can I check that the bind_param has the correct postID? If any??


01-26-2012, 08:25 PM
printf('$_GET[\'postID\'] = "%s"', $_GET['postID']);. You can also just look in the URL so long as this isn't an AJAX request or a frame.
We worked through a similar issue with delete, where the problem was postID was what you were looking for, while get provided id. Have you confirmed that to not be the issue with the edit?

01-26-2012, 08:37 PM
I have got it to work, and yes, it isn't the 'get'. My next problem is that the edit post script that the edit page sends the data to does not update the database.
here is my code:

$stmt = $mysqli->prepare("UPDATE posts SET
title = ?,
content = ?,
author = ?,
image = ?
WHERE postID = ?");
$stmt->bind_param('ssssi', $_POST['title'],
header("Location: index.php"); // redirect browser
exit; // make sure no other code executed

Should I have the WHERE to (?????)

01-26-2012, 08:44 PM
Drop the header and exit and add an output indicating the number of changes before you close the statement:

printf('Affected rows: %d', $stmt->affected_rows);

Does that show anything other than 1?

01-26-2012, 08:48 PM
It goes to the page and says affected rows 0

01-26-2012, 10:07 PM
Okay, find out the error. After the line you added, add this line: printf('SQL error: %s', $stmt->error);. What does that show?

01-27-2012, 05:36 AM
echo postID to screen and check it... it's prob invalid so there's nothing to update

01-27-2012, 08:53 AM
Your code is not validating the $_POST values prior to using them in the database access - it therefore will be able to contain anything at all when someone tries to break into your site and so the update call will be used to insert millions of garbage records into your database.

You should always validate each $_POST field and move it to a field that has a name that indicates that it has been validated before you have ANY other code in your script. That way you know that the fields contain valid values when you use them.
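
The validate-before-use advice above, combined with the error and affected-row checks suggested earlier in the thread, as an added example that is not code from any poster. Form field names other than title, the length limits, and the helper names validate_edit_post and update_post are assumptions.

```php
<?php
// Added example. Field names other than 'title' are assumed to match the column names.
function validate_edit_post(array $in): array
{
    $errors = []; $clean = [];
    // postID must be a positive integer; filter_var returns false otherwise.
    $id = filter_var($in['postID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'postID missing or not a positive integer';
    }
    $clean['postID'] = $id;
    // Text fields: required, trimmed, length-limited (the limits are assumptions).
    $limits = ['title' => 200, 'content' => 65535, 'author' => 100, 'image' => 255];
    foreach ($limits as $field => $max) {
        $value = trim((string)($in[$field] ?? ''));
        if ($value === '' || strlen($value) > $max) {
            $errors[] = "$field empty or longer than $max bytes";
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

function update_post(mysqli $mysqli, array $valid): int
{
    $stmt = $mysqli->prepare(
        'UPDATE posts SET title = ?, content = ?, author = ?, image = ? WHERE postID = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('ssssi', $valid['title'], $valid['content'],
                      $valid['author'], $valid['image'], $valid['postID']);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $rows = $stmt->affected_rows;  // 0 = no row with that postID, or values unchanged
    $stmt->close();
    return $rows;
}

// Constructed sample input standing in for $_POST (postID is not a valid integer).
$sample = ['postID' => '12abc', 'title' => 'Hello', 'content' => 'Body text',
           'author' => 'me', 'image' => 'pic.png'];
[$valid, $errors] = validate_edit_post($sample);
echo $errors ? implode("\n", $errors) . "\n" : "input ok\n";
```

Call update_post only when the error list is empty, and redirect with header() only after it returns, so a failed or zero-row update is not hidden by the redirect.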