2

I have been trying to convert an old mysql to PDO as I am trying to learn how PDO works. I have been working on this one file for hours now busting my head and cannot figure out what is wrong, and I'm sure it's a lot.

try{
    $check_user_data = $dbh->query("SELECT * FROM members WHERE username = '$username'");
    $stmt = $dbh->prepare($check_user_data);
    $stmt->execute();
    $result->bind_result($username);
    $data_exists = ($check_user_data->fetchColumn() > 0) ? true : false;
    if($data_exists = false){
        $final_report.="This username does not exist..";
    }else{
        $get_user_data = $stmt->fetch(PDO::FETCH_ASSOC);
        if($get_user_data['password'] == $password){
            $start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
            $start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
            $final_report.="You are about to be logged in, please wait a few moments.. <meta http-equiv='Refresh' content='2; URL=members.php'/>";
        }
    }
    foreach ($dbh->query($sql) as $row){
    }
    $dbh = null;
}
catch(PDOException $e){
    echo $e->getMessage();
}

Also getting a fatal

Fatal error: Call to a member function execute() on a non-object

Not sure if the fatal is related to the warning or not.

nempoBu4

3 Answers

3

First, change these two lines:

$check_user_data = $dbh->query("SELECT * FROM members WHERE username = '$username'");
$stmt = $dbh->prepare($check_user_data);

to:

$stmt = $dbh->prepare("SELECT * FROM members WHERE username = :username");
$stmt->bindParam(':username', $username);

This makes use of the parameter feature of prepared statements, which prevents SQL injection.

Next, PDO doesn't have a bind_result method; that's part of MySQLi. To get the results, you should do:

$get_user_data = $stmt->fetch(PDO::FETCH_ASSOC);
$data_exists = ($get_user_data !== false);

You should then remove the call to $stmt->fetch in the else block, because it will try to get the next row of results.

Barmar
  • `SQLSTATE[42000]: Syntax error or access violation: 1065 Query was empty` Everything else works great. I'll post changes in a new answer. – Joshua Nightingale Oct 03 '14 at 23:57
  • Is that happening on the line with `$dbh->query($sql)`? Have you assigned `$sql`? – Barmar Oct 03 '14 at 23:58
  • Had this in there, don't think I need it so I took it out. Not sure why it was there: `foreach ($dbh->query($sql) as $row)`. Everything works, thanks for the help. – Joshua Nightingale Oct 04 '14 at 00:06
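
The fixes from the answer and comments above put together, as an added example that is not part of the original posts. It assumes an in-memory SQLite database in place of MySQL, a hypothetical `check_login()` helper, and `password_hash()` values in `members.password` instead of the plaintext comparison in the question.

```php
<?php
// Added example, not the poster's code. Assumptions: SQLite in memory stands
// in for MySQL, and members.password holds password_hash() output.
$dbh = new PDO('sqlite::memory:');
// Make PDO throw PDOException on failure. Before PHP 8 the default was silent
// mode, where prepare() can return false and the catch block never runs.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$dbh->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$ins = $dbh->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the username on success, null otherwise.
 */
function check_login(PDO $dbh, string $username, string $password): ?string
{
    // The SQL text is fixed; $username travels separately as a bound value.
    $stmt = $dbh->prepare('SELECT username, password FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);

    // fetch() returns false when no row matched; call it once and reuse the row.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare against the stored hash instead of a plaintext column.
    return password_verify($password, $row['password']) ? $row['username'] : null;
}

try {
    var_dump(check_login($dbh, 'alice', 'correct horse')); // valid credentials
    var_dump(check_login($dbh, 'alice', 'wrong'));         // wrong password
    // A quote in the input stays data and cannot change the SQL text.
    var_dump(check_login($dbh, "alice'", 'correct horse'));
} catch (PDOException $e) {
    // Log the detail server-side instead of echoing driver messages.
    error_log($e->getMessage());
}
```
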
0

The fatal is definitely related to the warning; you are passing the results of $dbh->query() (which is a PDOStatementObject) into $dbh->prepare, causing $dbh->prepare to return something which is not an object.

Just move the SQL into the $dbh->prepare call and get rid of the $dbh->query() entirely.

TML
0

For people who might come over here: my problem was a bit different. I was trying to enable a filter on a Doctrine/Symfony project and accidentally made a mistake on the following line:

$filter->setParameter($name, $someObject);

and when I called the function getParameter($name) in the addFilterConstraint function I got the same error

Warning: PDO::prepare() expects parameter 1 to be string, object given

Later on I found the mistake. The fix would be to replace the setParameter second input from $someObject to $someString, something like this:

$filter->setParameter($name, 'some string which is the real value you want to get later');

Yamen Nassif