Converting mysqli insert into prepared statements

//add user to the table
$salt = "\$5\$rounds=5000\$" . "gillinghamforprem" . $username . "\$";
$hash = crypt($password, $salt);

   // $insertuserquery = $mysqli->("INSERT INTO Users (username, hash, salt) VALUES ('". $username . " ', '" . $hash . "', '" . $salt . "');");
$insertuserquery = $mysqli->("INSERT INTO Users (username, hash, salt) VALUES (?,?,?)");
$insertuserquery->bind_param("sss", '". $username . " ', '" . $hash . "', '" . $salt . "');
$insertuserquery->execute();

mysqli_query($con, $insertuserquery) or die("4: Insert user query failed"); // error #4 - insert queryfailed

echo("0");

Hi, I am getting a parse error. I am learning to convert code to prepared statements and am struggling with this insert section.

Any help would be helpful.

What does the error say? I can probably guess, but it’s easier for people to help you if you give all the details of the problem.

The correct syntax to call an object’s method is -

$returned_value = $some_object->method_name();

Where are you calling mysqli’s ->prepare() method? Also, why are you still calling mysqli_query()? The functional-point of a prepared query is you are replacing the query() call with the statements needed for a prepared query - prepare(), bind_param(), and execute().


Parse error: syntax error, unexpected '(', expecting identifier (T_STRING) or variable (T_VARIABLE) or '{' or '$' in /home/sites/5a/8/83a6433687/public_html/SalesTrackerV1/register.php on line 40

(line 40) $insertuserquery = $mysqli->("INSERT INTO Users (username, hash, salt) VALUES (?,?,?)");

I'm creating a program via Unity to keep sales data for work. I had it working, but it was not using prepared statements, so I'm trying to secure it more.

I changed the code as I spotted where I was possibly making a mistake, and I have a new error.

    //add user to the table
    $salt = "\$5\$rounds=5000\$" . "gillinghamforprem" . $username . "\$";
    $hash = crypt($password, $salt);

    // $insertuserquery = $mysqli->("INSERT INTO Users (username, hash, salt) VALUES ('". $username . " ', '" . $hash . "', '" . $salt . "');");
    $insertuserquery ="INSERT INTO Users (username, hash, salt) VALUES (?,?,?)";
    $insertResult = $con->prepare($insertuserquery);
    $insertResult->bind_param("sss", '". $username . " ', '" . $hash . "', '" . $salt . "');
    $insertResult->execute();
    //mysqli_query($con, $insertuserquery) or die("4: Insert user query failed"); // error #4 - insert queryfailed

    echo("0");

ERROR


Fatal error: Uncaught Error: Cannot pass parameter 2 by reference in /home/sites/5a/8/83a6433687/public_html/SalesTrackerV1/register.php:42 Stack trace: #0 {main} thrown in /home/sites/5a/8/83a6433687/public_html/SalesTrackerV1/register.php on line 42

Thank you, I have corrected all mistakes and it is now working as expected.

    //add user to the table
    $salt = "\$5\$rounds=5000\$" . "gillinghamforprem" . $username . "\$";
    $hash = crypt($password, $salt);

    $insertuserquery ="INSERT INTO Users (username, hash, salt) VALUES (?,?,?)";
    $insertResult = $con->prepare($insertuserquery);
    $insertResult->bind_param("sss", $username,  $hash, $salt);
    $insertResult->execute();
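
Added example, not part of the thread and not the original poster's code: the same insert wrapped in a function with error handling, with password_hash() swapped in for the crypt() call and its username-derived salt. The function name, the UNIQUE index on username, the "3:" reply code and the connection placeholders are assumptions.

```php
<?php
// Added example. Assumes the thread's table Users(username, hash, salt)
// and a UNIQUE index on username (assumption, not stated in the thread).

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the reply string sent back to the client.
function register_user(mysqli $con, string $username, string $password): string
{
    // password_hash() generates a random salt per call and embeds it in
    // the returned string, so nothing is derived from the username.
    // Verify at login with password_verify($password, $storedHash).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $salt = ''; // kept only because the thread's table has a salt column

    $stmt = $con->prepare(
        'INSERT INTO Users (username, hash, salt) VALUES (?, ?, ?)'
    );

    // bind_param() takes its arguments by reference: pass variables, not
    // literals or quoted string fragments (a literal is what raises
    // "Cannot pass parameter 2 by reference"). Placeholders need no SQL
    // quoting because values travel separately from the query text.
    $stmt->bind_param('sss', $username, $hash, $salt);

    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // MySQL ER_DUP_ENTRY
            return '3: Name already exists'; // hypothetical reply code
        }
        // Log the detail server-side; send the client only the short code.
        error_log('register_user: ' . $e->getMessage());
        return '4: Insert user query failed';
    } finally {
        $stmt->close();
    }

    return '0';
}

// Usage (connection details and POST field names are placeholders):
// $con = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
// echo register_user($con, $_POST['name'], $_POST['password']);
```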