Hello,
In relation to the code from this website Updating row value from one table into another in MySQL database without success, I am trying to secure it against SQL injections using prepared statements. Please find the code which is a main part of the script below with explanation:
This is db_connection.php where where the insert() method is executed for the INSERT and UPDATE queries, and the insertID() method have to return the auto generated id used in the latest query, both in the ipn.php:
class dbConnect
{
private $host = "localhost";
private $user = "root";
private $password = "";
private $database = "database";
private $conn;
function __construct()
{
$this->conn = $this->connectDB();
}
function runQuery($query, $param_t, $param_val_arr)
{
$sql = $this->conn->prepare($query);
$this->bindQueryParams($sql, $param_t, $param_val_arr);
$sql->execute();
$result = $sql->get_result();
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
$resultset[] = $row;
}
}
if (! empty($resultset)) {
return $resultset;
}
}
function bindQueryParams($sql, $param_t, $param_val_arr)
{
$param_val_ref[] = & $param_t;
for ($i = 0; $i < count($param_val_arr); $i ++) {
$param_val_ref[] = & $param_val_arr[$i];
}
call_user_func_array(array(
$sql,
'bind_param'
), $param_val_ref);
}
function connectDB()
{
$conn = mysqli_connect($this->host, $this->user, $this->password, $this->database);
return $conn;
}
function insert($query, $param_t, $param_val_arr)
{
$sql = $this->conn->prepare($query);
$this->bindQueryParams($sql, $param_t, $param_val_arr);
$sql->execute();
}
// insertID() method have to return the auto generated id used in the latest query
function insertID($query)
{
$sql = $this->conn->prepare($query);
$this->bind_param($sql);
$sql->execute();
$new_id = $this->mysqli->insert_id;
}
}
This is part of the ipn.php where everything is executed well up until to the part where the UPDATE query has to be executed:
$txn_id = !empty($_POST['txn_id'])?$_POST['txn_id']:'';
$custom = $_POST['custom'];
include("db_connection.php");
$db = new dbConnect();
// check whether the payment_status is Completed
$payment_completed = false;
if($payment_status == "Completed") {
$payment_completed = true;
}
// check that txn_id has not been previously processed
$unique_txn_id = false;
$param_t="s";
$param_val_arr = array($txn_id);
$result = $db->runQuery("SELECT id FROM user_subscr WHERE txn_id = ?",$param_t,$param_val_arr);
if(empty($result)) {
$unique_txn_id= true;
}
if($payment_completed) {
$param_t = "ds";
$param_val_arr = array($custom, $txn_id);
$payment_id = $db->insert("INSERT INTO user_subscr( user_id, txn_id) VALUES(?, ?)", $param_t, $param_val_arr);
}
// error_log throws that $payment_id is undefined variable
if($payment_id && !empty($custom)){
$param_type = "dd";
$param_value_array = array($subscr_id, $custom);
// insertID() method have to return the auto generated id used in the latest query
$subscr_id = $db->insertID;
$update = $db->insert("UPDATE members SET subscr_id = ? WHERE id = ?", $param_t, $param_val_arr);
}
In the ‘members’ table in the row in ‘subscr_id’ column where logged in user is has to be stored the last payment id taken from ‘user_subscr’ table from the ‘id’ column, but instead it is not updated. The error_log throws that $payment_id variable is undefined. Also I am not sure that insertID() method works as it should or at all. I know that somewhere I’ve messed up something but need assistance in how to solve this issue.
Thank you.