Bind_param() on a non-object

#1 Contributing User (Devshed Novice)


    Apparently another blonde moment here. The query in the first item works just fine via PMA. The second item brings the error below. Any ideas?

    Fatal error: Call to a member function bind_param() on a non-object in D:\htdocs\triple_nothing\kissingerappliance.com\www\admin\index.php on line 82

    Code:
    SELECT `id`,`model`,`cat_id` FROM inv_items_used ORDER BY 'model' ASC
    Code:
    $cat = "model";
    $order = "ASC";
    // the two ? placeholders stand for a column name and a keyword, which MySQLi
    // cannot bind; prepare() therefore fails and returns false instead of an object
    $statement = $link->prepare("SELECT `id`,`model`,`cat_id` FROM inv_items_used ORDER BY ? ?");
    $statement->bind_param('ss', $cat, $order);
    $statement->execute();
    $statement->bind_result($id, $model, $cat_id);
    while ($statement->fetch()) {
        $itemid[] = $id;
        $itemmodel[] = $model;
        $catid[] = $cat_id;
    }
    $statement->close();
#2 Sarcky (Devshed Supreme Being)
    Obviously $link->prepare() doesn't return an object. Check the error of that statement.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#3 -- (Devshed Expert)
    Hi,

    two things:

    You cannot pass arbitrary expressions to a prepared statement, only values. It's not possible to pass column names or keywords. If that were possible, then prepared statements would be useless, because they would be just as vulnerable to SQL injection as the "good" ol' query strings.

    By the way, your ORDER BY 'model' does not order by the column named model but by the string 'model' (which obviously makes no sense).

    Secondly, you need to turn MySQLi exceptions on to avoid those stupid return value errors:

    PHP Code:
    // enable exceptions in MySQLi driver
    $mysqli_driver = new mysqli_driver();
    $mysqli_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;
    Otherwise, you'll have to check every return value by hand.
    Last edited by Jacques1; June 20th, 2013 at 01:36 PM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#4 Contributing User (Devshed Novice)
    I looked up how to do some of the error returns, but apparently I'm not getting the format of such right. Could you offer an example how I'd include an error call or such?
#5 -- (Devshed Expert)
    See the reply above your post.

    If you insist on doing manual error handling, you have to check the return value of any statement that could go wrong and trigger an error in case of false:

    PHP Code:
    // wrong statement for testing
    $statement = $link->prepare("SELECT `id`,`model`,`cat_id` FROM inv_items_used ORDER BY ? ?");

    if ($statement) {
        // go on with the fetching
    } else {
        trigger_error('MySQLi error: ' . $link->error, E_USER_ERROR);
    }

    Since that's gonna bloat your code massively, I strongly suggest using exceptions as explained above.
#6 Contributing User (Devshed Novice)
    Sorry. I guess I was responding as your post posted. When learning the new Prepared Statements setup, I was under the assumption that PHP variables could no longer be placed in the statement, and had to be inserted via the bind_param() function. I changed it back to below and all is good. Thanks for the input.

    PHP Code:
    $statement = $link->prepare("SELECT `id`,`model`,`cat_id` FROM inv_items_used ORDER BY $cat $order");
#7 Sarcky (Devshed Supreme Being)
    If $cat and $order come from the user, they still need to be escaped.
#8 Contributing User (Devshed Newbie)
    Originally Posted by Triple_Nothing
    PHP Code:
    $statement = $link->prepare("SELECT `id`,`model`,`cat_id` FROM inv_items_used ORDER BY $cat $order");
    First, if you have your database properly propagated (data) then doing $cat, $order is just plain silly and incorrect.

    You use a query to find (everything if you want) something and display or grab the data that is in the database from a table.
    PHP Code:
    $stmt = $link->prepare("SELECT id, model, cat_id FROM inv_items_used WHERE model=? ORDER BY id ASC LIMIT 500");
#9 Dazed&Confused (Devshed Novice)
    Originally Posted by ManiacDan
    If $cat and $order come from the user, they still need to be escaped.
    Not escaped, but validated.

    Escaping might help prevent injection but if the user isn't providing a valid column or sort order the query will explode. He can kill two birds with one stone by just making sure the provided variables are valid ones.
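Putting the two points of this thread together (post #3: identifiers and keywords cannot be bound with bind_param(), and MySQLi should report failures as exceptions; post #9: the column and sort direction have to be validated), here is an added example that is not code from any poster. It assumes PHP 7.1 or later, the inv_items_used table with columns id, model and cat_id from the original post, and placeholder connection credentials; SORT_COLUMNS, SORT_DIRECTIONS, buildOrderBy() and fetchItems() are names chosen for this example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, the table
// inv_items_used(id, model, cat_id) from the original post, and placeholder
// connection credentials.

// Report MySQLi failures as exceptions instead of silent false return values,
// so a failed prepare() can never produce "bind_param() on a non-object".
$driver = new mysqli_driver();
$driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

// Identifiers cannot be bound, so every fragment that is interpolated into the
// SQL text comes from a fixed list owned by the application, never from input.
// Keys are what the client may send; values are the exact SQL used.
const SORT_COLUMNS = [
    'id'    => '`id`',
    'model' => '`model`',
    'cat'   => '`cat_id`',
];
const SORT_DIRECTIONS = [
    'asc'  => 'ASC',
    'desc' => 'DESC',
];

/**
 * Map untrusted request input to a safe ORDER BY clause.
 * Anything not in the whitelist falls back to a default and never reaches SQL.
 */
function buildOrderBy(?string $cat, ?string $order): string
{
    $column    = SORT_COLUMNS[strtolower($cat ?? '')] ?? SORT_COLUMNS['model'];
    $direction = SORT_DIRECTIONS[strtolower($order ?? '')] ?? 'ASC';
    return "ORDER BY $column $direction";
}

/**
 * Fetch items, optionally filtered by category. The category is a value, so it
 * goes through a ? placeholder; the sort clause is built only from the whitelist.
 */
function fetchItems(mysqli $link, ?string $cat, ?string $order, ?int $catId = null): array
{
    $sql = 'SELECT `id`, `model`, `cat_id` FROM inv_items_used';
    if ($catId !== null) {
        $sql .= ' WHERE `cat_id` = ?';
    }
    $sql .= ' ' . buildOrderBy($cat, $order);

    $statement = $link->prepare($sql);   // throws mysqli_sql_exception on failure
    if ($catId !== null) {
        $statement->bind_param('i', $catId);
    }
    $statement->execute();
    $statement->bind_result($id, $model, $cat_id);

    $rows = [];
    while ($statement->fetch()) {
        $rows[] = ['id' => $id, 'model' => $model, 'cat_id' => $cat_id];
    }
    $statement->close();
    return $rows;
}

// Usage; host, user, password and database name are placeholders.
try {
    $link = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    // Request values that are not whitelist keys simply map to the defaults.
    $items = fetchItems($link, $_GET['sort'] ?? null, $_GET['dir'] ?? null);
    foreach ($items as $item) {
        echo htmlspecialchars($item['model']), "\n";
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo $e->getMessage() to the client.
    error_log('MySQLi error: ' . $e->getMessage());
    http_response_code(500);
}
```

Validating against a map rather than escaping answers both objections raised above: an unknown column cannot break the query, and the interpolated text is always a fragment the application wrote itself. The ORDER BY clause is the only part of the statement built from the request, and the WHERE value still goes through a bound parameter.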
#10 Sarcky (Devshed Supreme Being)
    Either/or, yes. Checked in some way. Let's compromise and use "sanitized" to cover both scenarios.
#11 Lost in code (Devshed Supreme Being)
    First, if you have your database properly propagated (data) then doing $cat, $order is just plain silly and incorrect.
    What?

    I was under the assumption that PHP variables could no longer be placed in the statement
    Once a variable is interpolated into a string, the string is just a string. There is no way for PHP to know whether part of the string came from a variable or not.
    Last edited by E-Oreo; June 20th, 2013 at 09:51 PM.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#12 Sarcky (Devshed Supreme Being)
    Originally Posted by E-Oreo
    What?
    Yeah, I didn't bother responding to that. Nonsense words arranged into a sentence-looking thing.
