
I want to save form information in my database. Without the statements it works, but I want to include them.

When I submit the form I get the following error messages:

-Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables

-Fatal error: Uncaught Error: Call to undefined function execute()

<?php

$id = " 1";
$firstname = $_POST["Vorname"];
$lastname = $_POST["Nachname"];
$email = $_POST["EMailAdresse"];
$msg = $_POST["IhrAnliegen"];

$mysqli = new mysqli("localhost", "user", "password", "database");
if ($mysqli->connect_errno) {
    die("Verbindung fehlgeschlagen: " . $mysqli->connect_error);
}

$sql = "INSERT into Requests SET email ='$email' , firstname ='$firstname' , lastname = '$lastname' , msg = '$msg'";
$statement = $mysqli->prepare($sql);
$statement->bind_param("s", $email ,$firstname ,$lastname ,$msg);

$statement = execute()

?>
Bob Limbach
    Please please please read the [documentation](https://www.php.net/mysqli_prepare). Your SQL has no placeholders for data, you just interpolate the values directly into the string which bypasses all the security benefits. Also, execute should be run on the MySQLi statement object, not just on its own, and finally the bind is wrong as per the answers below. – Jonnix Aug 14 '19 at 09:23

1 Answer

The Issues

The First Issue:

There are two lines in your code that have issues, the first is with the query:

$sql = "INSERT into Requests SET email ='$email' , firstname ='$firstname' , lastname = '$lastname' , msg = '$msg'";

You should write your query separate from the data, instead of entering the variables you want the field to store, use a question mark instead. You will pass the variables into the query later using bind_param.

The Second Issue:

The second issue you have is with your bind_param: the first argument is wrong. By writing 's' you are telling the function to expect one string variable.

$statement->bind_param("s", $email ,$firstname ,$lastname ,$msg);

The Third Issue:

You do not currently execute the query correctly; you are overwriting the statement with a call to a function instead of running the function from the object:

$statement = execute()

Please see in my solution below how to get this to work.

The Solutions:

To fix the first issue you will need to replace the variables in your query with question marks like this:

$sql = "INSERT into Requests SET email = ?, firstname = ?, lastname = ?, msg = ?";

You'll then want to update the following line to replace the question marks in the query above with the actual data; these are entered in the order they appear in the query.

$statement->bind_param("ssss", $email, $firstname, $lastname, $msg);

As you can see, I've changed your 's' to 'ssss'; this means that we are expecting four strings instead of one.

If you were expecting a string, an integer and then two more strings you would instead write 'siss'.


To fix the third issue you will need to actually execute the script correctly by writing:

$statement->execute();
Mark
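The three fixes from the answer combined into one complete handler, as an added example that is neither the asker's nor the answerer's code. It assumes the same connection details and the `Requests` table from the question; the column list, the `??` defaults and the exception-mode error handling are additions.

```php
<?php
// Added example: the form handler with all three fixes applied.
// Connection details and the "Requests" table come from the question;
// everything else (defaults, charset, error handling) is assumed.

// Make mysqli throw exceptions instead of emitting warnings, so a wrong
// type string or a failed execute() can never be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$firstname = $_POST["Vorname"] ?? '';
$lastname  = $_POST["Nachname"] ?? '';
$email     = $_POST["EMailAdresse"] ?? '';
$msg       = $_POST["IhrAnliegen"] ?? '';

try {
    $mysqli = new mysqli("localhost", "user", "password", "database");
    $mysqli->set_charset("utf8mb4");

    // Fix 1: the SQL text contains only placeholders. Because no user
    // input is interpolated, a quote character in a field cannot change
    // the structure of the statement.
    $sql = "INSERT INTO Requests SET email = ?, firstname = ?, lastname = ?, msg = ?";
    $statement = $mysqli->prepare($sql);

    // Fix 2: one type character per placeholder, in the order the
    // placeholders appear in the query (four strings -> "ssss").
    $statement->bind_param("ssss", $email, $firstname, $lastname, $msg);

    // Fix 3: execute() is a method of the statement object, not a
    // free function, and its return value is not the statement.
    $statement->execute();

    echo "Gespeichert, ID " . $statement->insert_id;

    $statement->close();
    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; show the user only a generic message
    // so database structure and credentials are not disclosed.
    error_log("Requests insert failed: " . $e->getMessage());
    http_response_code(500);
    echo "Speichern fehlgeschlagen.";
}
```

With `MYSQLI_REPORT_STRICT` enabled, a mismatch between the type string and the number of bound variables surfaces as an exception at `bind_param()` rather than as a warning that lets the script continue.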
  • After changing my line of code I get this error message: Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement – Bob Limbach Aug 14 '19 at 09:27
  • Just updated my answer, you need to change your query as well. – Mark Aug 14 '19 at 09:29
  • Updated my code but I still get this error message: Fatal error: Uncaught Error: Call to undefined function execute() – Bob Limbach Aug 14 '19 at 10:02
  • I've updated my answer again - there was a third issue I hadn't noticed. – Mark Aug 14 '19 at 10:14