Uncaught Error: Call to a member function bind_param() on bool

I was in the process of developing a RESTful API for my recent project. After creating a
class and testing it in Postman, it displays the following error.

Error displayed in postman

Fatal error: Uncaught Error: Call to a member function bind_param() on bool in
C:\xampp\htdocs\phpRestfulAPI\sample1\classes\students.php:35
Stack trace:
#0 C:\xampp\htdocs\phpRestfulAPI\sample1\v1\create.php(21): Student->create_data()
#1 {main}
thrown in C:\xampp\htdocs\phpRestfulAPI\sample1\classes\students.php on line 35

Class code

<?php
class Student
{
    //Declare variables
    public $name;
    public $email;
    public $mobile;

    private $conn;
    private $table_name;

    //Constructor
    public function __construct($db)
    {
        $this->conn = $db;
        $this->table_name = "tbistudent";
    }

    public function create_data()
    {

        //SQL query to insert data
        $query = "INSERT INTO" . $this->table_name . "SET name= ?, email = ?, mobile = ?";

        //Prepare the sql
        $obj = $this->conn->prepare($query);

        //Sanitize input variables => basically removes extra characters like some special
        //symbols as well as any tags present in the input values
        $this->name = htmlspecialchars(strip_tags($this->name));
        $this->email = htmlspecialchars(strip_tags($this->email));
        $this->mobile = htmlspecialchars(strip_tags($this->mobile));

        //Bind parameters with prepared statement
        $obj->bind_param("sss", $this->name, $this->email, $this->mobile);

        //$obj->store_result();

        if ($obj->execute()) {
            //Execute query
            return true;
        } else {
            # code...
            return false;
        }

    }
}

Regards

So trying not to be nitpicky here, but you shouldn’t be modifying the user’s input. They’ll hate you for that. What you should do is validate and verify against those inputs with the user. If a certain character or something shouldn’t be in the field, you should alert the user and tell the user to correct it. So for instance, if you’re looking at the name. No one in the world has a name called John@123 Smith!345. So what you’d do is run a regex to see if the input contains those special characters and numbers. If that field does, output an error message saying "Please provide a valid full name" or something like that. When you modify the user’s input, that’s a huge no-no.

Also, this is your issue. When you look at the query, it reads

INSERT INTOtbistudentSET name= 'John Smith', email = 'john@smith.com', mobile = '123456789'

You need a space in there on both sides so it doesn’t return boolean since your query is not valid.

The error means that the ->prepare() call failed, but you don’t have any error handling so that you would know if and why it failed, or to stop code execution to prevent follow-on errors where you try to use a result from a statement that has failed.

You ALWAYS need error handling for statements that can fail. For database statements that can fail - connection, query, prepare, and execute - the simplest way of adding error handling, without adding logic at each statement, is to use exceptions for errors and in most cases simply let php catch and handle the exception, where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.) The exception to this rule is when inserting/updating duplicate or out of range user submitted data. In this case, your code would catch the exception, test if the error number is for something that your code is designed to detect, and then set up a message for the user letting them know exactly what was wrong with the data that they submitted. For all other error numbers, just re-throw the exception and let php handle it.

To enable exceptions for the mysqli extension, add the following line of code before the point where you make the database connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

Since this will now cause an error at the ->execute() call to throw an exception, you will need to remove the existing if/else logic, add a try/catch block, and you need to test if the error number is for a duplicate index error (you are missing this in the current code, since the ->execute() call can fail with a bunch of different errors, not just a duplicate index error) before returning the false value or re-throwing the exception for other error numbers.

As to the posted code, as already stated, do not modify (other than trimming it, mainly so that you can detect if it was all white-space characters) user submitted data. In addition to the reason given, htmlspecialchars is an output function, it is used when you output data in a html context, do NOT use it on the input data to your code. There are also valid email addresses that have <...> in them that strip_tags would remove and break. Also, it is not the responsibility of your create_data() method to validate input data. You should do that before ever calling the create_data method.
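The two replies above put together as an added example (this is not the original poster's code or either replier's code): the table name gets its surrounding spaces, mysqli is switched to exceptions, create_data() returns false only for a duplicate key and re-throws everything else, and validation runs before the method is called without rewriting the input. Assumed, not from the thread: a mysqli connection in $db, a unique index on tbistudent.email, the validate_student() helper and its messages.

```php
<?php
// Added example, not the original poster's code nor a reply's: create_data()
// reworked along the lines of the replies above. Assumed: a mysqli connection
// in $db, a unique index on tbistudent.email, and the messages below are mine.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // before connecting
const ER_DUP_ENTRY = 1062; // MySQL error number for a duplicate key
class Student
{
    public $name;
    public $email;
    public $mobile;
    private $conn;
    private $table_name = 'tbistudent';
    public function __construct(mysqli $db)
    {
        $this->conn = $db;
    }
    // true on success, false only for a duplicate key; anything else is re-thrown
    public function create_data(): bool
    {
        // spaces around the table name give "INSERT INTO tbistudent SET ..."
        $query = "INSERT INTO " . $this->table_name . " SET name = ?, email = ?, mobile = ?";
        try {
            $stmt = $this->conn->prepare($query); // now throws instead of returning false
            $stmt->bind_param('sss', $this->name, $this->email, $this->mobile);
            $stmt->execute();
            return true;
        } catch (mysqli_sql_exception $e) {
            if ($e->getCode() === ER_DUP_ENTRY) {
                return false; // caller tells the user the record already exists
            }
            throw $e; // let PHP log/display every other database error
        }
    }
}
// Validate before calling create_data(); input is only trimmed, never rewritten.
function validate_student(array $in): array
{
    $errors = [];
    if (!preg_match("/^[\p{L} .'-]+$/u", trim($in['name'] ?? ''))) {
        $errors[] = 'Please provide a valid full name';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please provide a valid email address';
    }
    if (!preg_match('/^\+?[0-9]{7,15}$/', $in['mobile'] ?? '')) {
        $errors[] = 'Please provide a valid mobile number';
    }
    return $errors;
}
```

The calling script runs validate_student() on the request body first and only constructs a Student and calls create_data() when the returned array is empty; a false return then maps to a "record already exists" message rather than a generic failure.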
