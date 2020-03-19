Php mysqli prepared statement data for specific user session and ticket id

#1

I am trying to retrieve filenames that are stored in the database and the actual files stored on my ftp server in a folder and what I am trying to do is display a list of the filenames related to the ticket id and the specific user session but can’t work out how to do it, I am bit new to prepared statements (late to the party on this one I know). My current coding is below. I have been looking on google for examples and looking at php.net etc. but not getting any closed I think

<?php
														$mysqli = new mysqli("localhost", "username", "password", "dbname");
														if ($mysqli->connect_errno) {
															echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
														}
														?>
														<?php
														$stmt = $mysqli->prepare("SELECT support_tickets.ticket_id, support_ticket_files.file_name, support_tickets.user_name FROM support_tickets INNER JOIN support_ticket_files ON support_tickets.user_name=support_ticket_files.user_name
    													WHERE support_tickets.ticket_id = ? and support_tickets.user_name = '".$_SESSION['user_name']."'");
														$stmt->bind_param("iss", $_POST['ticket_id']);
														$stmt->execute();
														$stmt->store_result();
														if($stmt->num_rows === 0) exit('No rows');
														$stmt->bind_result($ticket_idRow, $filenameRow, $usernameRow); 
														while($stmt->fetch()) {
														  $ticket_ids[] = $ticket_idRow;
														  $filename[] = $filenameRow;
														  $username[] = $usernameRow;
														}
														var_export($ticket_ids);
														$stmt->close();
														?>
                                                        <ul class="nav">
														<li><a href="support-ticket-images/<?php echo $filename; ?>" class="noline" download="download"><?php echo $filename; ?></a></li>
														<?php $stmt->close(); ?>
                                                      </ul>

That code just outputs no rows

#2

You have a few mistakes! This will help you I think : https://stackoverflow.com/a/26826585/12232340

And this one : https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection

#3

I originally looked at https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection yesterday and did try the following code going by the example on that site but it just says No rows

<?php
														$mysqli = new mysqli("localhost", "user", "password", "dbname");
														if ($mysqli->connect_errno) {
															echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
														}
														?>
														<?php
														$stmt = $mysqli->prepare("SELECT support_tickets.ticket_id, support_ticket_files.file_name, support_tickets.user_name FROM support_tickets INNER JOIN support_ticket_files ON support_tickets.user_name=support_ticket_files.user_name
    													WHERE support_tickets.ticket_id = ? and support_tickets.user_name = '".$_SESSION['user_name']."'");
														$stmt->bind_param("i", $_POST['ticket_id']);
														$stmt->execute();
														$result = $stmt->get_result();
														if($result->num_rows === 0) exit('No rows');
														while($row = $result->fetch_assoc()) {
														$ticket_id[] = $row['ticket_id'];
														$filename[] = $row['file_name'];
														$username[] = $row['user_name'];
														}
														var_export($ticket_id);
														$stmt->close();
														?>
#4

I have just checked the error log on the server and it says the following

PHP Warning: mysqli_stmt::bind_param(): Number of variables doesn’t match number of parameters in prepared statement in /home/itdonerightco/public_html/account/view-support-ticket.php on line 222

Line 222 is below

$stmt = $mysqli->prepare("SELECT support_tickets.ticket_id, support_ticket_files.file_name, support_tickets.user_name FROM support_tickets INNER JOIN support_ticket_files ON support_tickets.user_name=support_ticket_files.user_name
    													WHERE support_tickets.ticket_id = ? and support_tickets.user_name = '".$_SESSION['user_name']."'");

It’s also go the following error

PHP Fatal error: Uncaught Error: Call to a member function fetch_assoc() on bool in /home/itdonerightco/public_html/account/view-support-ticket.php:226
Stack trace:
#0 {main}
thrown in /home/itdonerightco/public_html/account/view-support-ticket.php on line 226

Line 226 is below

while($row = $result->fetch_assoc()) {
#5

Your where clause is not equal to bind_param.

Change this :

$stmt->bind_param("i", $_POST['ticket_id']);

To :

$stmt->bind_param("is", $_POST['ticket_id'], $_SESSION['user_name']);

And this :

$ticket_id[] = $row['ticket_id'];
														$filename[] = $row['file_name'];

To this:

echo $row['ticket_id'];
														 echo $row['file_name'];

If you want to use values out of while loop then change while :

while($row = $result->fetch_assoc()) {

To this:

$row = $result->fetch_assoc();

And then use like this in html
<?php echo $row['file_name']; ?>

I am on mobile sorry can’t write full codes :frowning:

#6

No worries thank you I done the changes you mentioned but also think my other select script is causing issues as well as the whole side column has disappeared now.

The whole code is below

<?php
						$mysqli = new mysqli("localhost", "user", "password", "dbname");
						if ($mysqli->connect_errno) {
							echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
						}
					?>
<?php
$stmt = $mysqli->prepare("SELECT DATE_FORMAT(created_at,'%d/%m/%Y \at\ %H:%i') AS created_at, DATE_FORMAT(ticket_timestamp,'%d/%m/%Y %H:%i') AS ticket_timestamp, user_name FROM support_tickets WHERE ticket_id = ? AND user_name = '".$_SESSION['user_name']."'");
						
if ($stmt === FALSE) {
    die($mysqli->error);
}
						
						$stmt->bind_param("sss", $_POST['created_at'], $_POST['ticket_timestamp'], $_SESSION['user_name']);
						$stmt->execute();
						$result = $stmt->get_result();
						if($result->num_rows === 0) exit('No rows');
						$row = $result->fetch_assoc();
?>
<?php echo $row['created_at']; ?>
<?php echo $row['ticket_timestamp']; ?>

<?php
														$mysqli = new mysqli("localhost", "user", "dbname", "dbname");
														if ($mysqli->connect_errno) {
															echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
														}
														?>
														<?php
														$stmt = $mysqli->prepare("SELECT support_tickets.ticket_id, support_ticket_files.file_name, support_tickets.user_name FROM support_tickets INNER JOIN support_ticket_files ON support_tickets.user_name=support_ticket_files.user_name
    													WHERE support_tickets.ticket_id = ? AND support_tickets.user_name = '".$_SESSION['user_name']."'");
														$stmt->bind_param("is", $_POST['ticket_id'], $_SESSION['user_name']);
														$stmt->execute();
														$result = $stmt->get_result();
														if($result->num_rows === 0) exit('No rows');
														$row = $result->fetch_assoc();
														?>
                                                        <ul class="nav">
														<li><a href="support-ticket-images/<?php echo $row['file_name']; ?>" class="noline" download="download"><?php echo $row['file_name']; ?></a></li>
                                                      </ul>
#7

In your first query, you only have one parameter defined, but in your bind_param() you try to pass in three parameters to it. In the second, you only have one parameter defined, but you try to pass two parameters to it.

I notice, though, that you use a parameter for your ticket_id, but then concatenate the username - why not do it consistently and use a parameter for both?

(Incidentally it would be easier to read your code if you didn’t indent it quite so much. I generally use two spaces for each “level” of indent.)

#8

Sorry but totally lost me as in the first query, I see three columns I want data from and in the bind_param I see three

In the second query I see two but have updated it to three. Below is the updated code with hopefully correct indentation

<?php
  $mysqli = new mysqli("localhost", "user", "password", "dbname");
  if ($mysqli->connect_errno) {
  echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
  }
  ?>
<?php
$stmt = $mysqli->prepare("SELECT DATE_FORMAT(created_at,'%d/%m/%Y \at\ %H:%i') AS created_at, DATE_FORMAT(ticket_timestamp,'%d/%m/%Y %H:%i') AS ticket_timestamp, user_name FROM support_tickets WHERE ticket_id = ? AND user_name = '".$_SESSION['user_name']."'");
						
if ($stmt === FALSE) {
    die($mysqli->error);
}
						
$stmt->bind_param("sss", $_POST['created_at'], $_POST['ticket_timestamp'], $_SESSION['user_name']);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0) exit('No rows');
$row = $result->fetch_assoc();
?>

<?php echo $row['created_at']; ?>
<?php echo $row['ticket_timestamp']; ?>

<?php
  $mysqli = new mysqli("localhost", "username", "password", "dbname");
  if ($mysqli->connect_errno) {
  echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
  }
  ?>
  <?php
  $stmt = $mysqli->prepare("SELECT support_tickets.ticket_id, support_ticket_files.file_name, support_tickets.user_name FROM support_tickets INNER JOIN support_ticket_files ON support_tickets.user_name=support_ticket_files.user_name
WHERE support_tickets.ticket_id = ? AND support_tickets.user_name = '".$_SESSION['user_name']."'");
$stmt->bind_param("iss", $_POST['ticket_id'], $_POST['file_name'], ['user_name']);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0) exit('No rows');
$row = $result->fetch_assoc();
?>

<ul class="nav">
<li><a href="support-ticket-images/<?php echo $row['file_name']; ?>" class="noline" download="download"><?php echo $row['file_name']; ?></a></li>
</ul>
#9

I think I am slowly winning as think sorted two issues and just got one last issue which I think is related to the first query by looks of it. The error message is below

Fatal error : Uncaught Error: Call to a member function bind_param() on bool in /home/itdonerightco/public_html/account/view-support-ticket.php:163 Stack trace: #0 {main} thrown in /home/itdonerightco/public_html/account/view-support-ticket.php on line 163

On line 163 is below

$stmt->bind_param("isss", $_POST['ticket_id'], $_POST['created_at'], $_POST['ticket_timestamp'], ['user_name']);

The query line is below

$stmt = $mysqli->prepare("SELECT DATE_FORMAT(ticket_id, created_at,'%d/%m/%Y \at\ %H:%i') AS created_at, DATE_FORMAT(ticket_timestamp,'%d/%m/%Y %H:%i') AS ticket_timestamp, user_name FROM support_tickets WHERE ticket_id = ? AND user_name = '".$_SESSION['user_name']."'");
#10

“Call … on bool” usually means that your previous statement has failed and returned “false” instead of returning a pointer to a query. So in this case, your prepare has failed, and $stmt contains the Boolean false value.

In your query, the first call to DATE_FORMAT has three parameters, and the second one has two - is that correct? I’ve never used DATE_FORMAT as far as I recall. A quick look at the doc suggests it only has two, so the third would probably be enough to stop the query working, leading to $stmt = false. You can test it easily in phpMyAdmin or similar.

On your line 163, the final value you pass in is in square-brackets as if it’s an array element, but you don’t specify an array name. Again, I don’t know if that matters.

My point about the parameters was based on me not using mysqli - I use PDO, and I use named placeholders. As far as I know (and I may be wrong, it’s happened before…) for each parameter that you supply in bind_param() you need a corresponding ? in your query. For example:

$q = $mysqli->prepare("select name, status from users where userid = ? and status = ? ";)
$q->bind_param("ss", $id, $stat);

and as far as I see it, you only have the single ? parameter. Maybe bind_param() ignores any excess ones.