#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    40
    Rep Power
    2

    Mysqli connect into PDO connect


    I have been reading and have been told that prepared statements are one way to prevent SQL injections.

    My mysqli connect works, but my new PDO statement doesn't connect.

    $username = "root";
    $password = "1212";
    try {
    $conn = new PDO('mysql:host=localhost;dbname=test', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
    }

    Can you tell me why this doesn't work?

    Thanks in advance friends
  2. #2
  3. DEVILS IN RED
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2005
    Location
    Kerala, India
    Posts
    200
    Rep Power
    10
    Are you getting any errors echoed?
    Ahmed Shefeer
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    Originally Posted by phpnewbie34
    Can you tell me why this doesn't work?
    How could we tell you when you don't even know what your problem is? What makes you think the code "doesn't work"?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    40
    Rep Power
    2

    Re:


    Originally Posted by Jacques1
    Hi,



    How could we tell you when you don't even know what your problem is? What makes you think the code "doesn't work"?
    Code:
    $query = mysqli_query($con,"SELECT * FROM pixs WHERE title LIKE '%$keyword%' OR Description LIKE '%$keyword%'");
    The above code produces an error when used with this.

    Code:
    Warning: mysqli_query() expects parameter 1 to be mysqli, object given in C:\xampp\htdocs\PhpProject1\pagination2.php on line 14


    I am currently trying to switch my code from Mysqli statements into PDO so it is more secure.
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    You cannot mix MySQLi and PDO, they're incompatible. So you cannot pass a PDO connection to mysqli_query() (which is what you tried).

    Also, you won't get your code secure if you keep inserting variables directly into your queries. Don't do that. You need to use prepared statements. It doesn't matter if you use prepared statements with MySQLi or with PDO.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
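
Added example, not part of the thread or any poster's code: the keyword search from post #4 rewritten as a PDO prepared statement, so the keyword is bound as data instead of being interpolated into the SQL string. The function names `escapeLike` and `searchPixs` and the sample rows are hypothetical, and an in-memory SQLite database stands in for the MySQL connection so the block runs offline (assumes the pdo_sqlite extension is available).

```php
<?php
// Added example. Table and column names (pixs, title, Description) come from
// the query in post #4; everything else here is constructed for illustration.

// Escape LIKE wildcards so a user-supplied "%" or "_" is matched literally.
function escapeLike(string $s, string $esc = '!'): string
{
    // The escape character itself is replaced first, then the wildcards.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

// Hypothetical helper: the search from post #4, with the keyword bound as a parameter.
function searchPixs(PDO $conn, string $keyword): array
{
    // Two distinct placeholders: a named placeholder cannot be reused
    // when the driver performs native (non-emulated) prepares.
    $stmt = $conn->prepare(
        "SELECT title, Description FROM pixs
         WHERE title LIKE :kw1 ESCAPE '!' OR Description LIKE :kw2 ESCAPE '!'"
    );
    $pattern = '%' . escapeLike($keyword) . '%';
    $stmt->execute([':kw1' => $pattern, ':kw2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-in connection. With the thread's setup this would be
// new PDO('mysql:host=localhost;dbname=test', $username, $password).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$conn->exec("CREATE TABLE pixs (title TEXT, Description TEXT)");
$ins = $conn->prepare("INSERT INTO pixs (title, Description) VALUES (?, ?)");
foreach ([['Sunset', 'Beach at dusk'], ['100% wool', 'Sweater'], ["O'Brien", 'Portrait']] as $row) {
    $ins->execute($row);
}

// A quote or a wildcard in the keyword is treated as plain text to search for.
foreach (['beach', "O'Brien", '%'] as $kw) {
    printf("%-10s => %d row(s)\n", $kw, count(searchPixs($conn, $kw)));
}
```

The same `PDO` object is used for every query in this block; the warning in post #4 came from handing a `PDO` object to `mysqli_query()`, which only accepts a `mysqli` connection.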
