I have written a small web app using PHP. I am now trying to replace the SQL written directly in the PHP scripts with calls to stored procedures.

Example

I have replaced:

$GetIDforInsertSQL=("SELECT idUser FROM user WHERE userName='$username'");

With:

$GetIDforInsertSQL="CALL Get_User_ID('$username')";

Here is the code for Get_User_ID:

CREATE DEFINER=`root`@`localhost` PROCEDURE `Get_User_ID`(IN UserNametoCheck varchar(45) )
BEGIN

SELECT idUser FROM user
 WHERE userName=UserNametoCheck;

END

When I run this query and extract the result set, i.e.

$result=($conn->query($GetIDforInsertSQL));


while($row=mysqli_fetch_array($result))// Get the Userid from the users table to insert into watchlist
{
    $Userid=$row['idUser'];

    echo $Userid;

}

It echoes the expected value of $Userid, which is 8.

However, further down in my script I have another query

$AddToWatchlistSQL=("INSERT INTO watchlist(UserID,AdvertID)VALUES('$Userid','$Advertid')");

followed by:

$results=($conn->query($AddToWatchlistSQL));

if($results)
{
    echo " Advert Added to watchlist, Redirecting";

    header('Refresh: 3; url=Indexlogged.php');
}
else
{
    echo "Thats an error";
}

Since I replaced the SELECT statement that gets the userId with the stored procedure Get_User_ID, I keep getting the error message for the insert query.

When I comment out the stored procedure call and just use the original query:

$GetIDforInsertSQL=("SELECT idUser FROM user WHERE userName='$username'");

It works. I don't understand why, as when I echo the value of $Userid after the stored procedure call it outputs the expected result. Any ideas as to why this is happening?

Edit: Output of log file after attempting insert using stored procedure:

160421 18:35:30     9 Connect   root@localhost as anonymous on carhubdb
            9 Query SELECT * FROM caradvert WHERE Advert_ID='13'
            9 Query SELECT * FROM user WHERE userName='John123'
            9 Query SELECT AdvertImagePath FROM advertimage WHERE Advert_IDENTIFIER='13'
            9 Query SELECT userName FROM user WHERE idUser='9'
            9 Query SELECT * FROM watchlist WHERE UserID='8' AND AdvertID='13'
            9 Quit  
160421 18:35:32    10 Connect   root@localhost as anonymous on carhubdb
           10 Query CALL `carhubdb`.`Get_UserID`('John123')
  • Your INSERT is not in a stored procedure that I can see. Commented Apr 21, 2016 at 16:46
  • Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe! Commented Apr 21, 2016 at 16:46
  • Return the actual error from the query or check your error logs. Commented Apr 21, 2016 at 16:47
  • I know, I have tried putting it in one but it's not working either. Commented Apr 21, 2016 at 16:47
  • I haven't learned about avoiding SQL injection yet so I'm not too worried... Just want to get it working as is Commented Apr 21, 2016 at 16:49
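The following is an added example, not the asker's code, showing the two things a practitioner would change in the script above: the CALL and the INSERT are issued as mysqli prepared statements with bound parameters (the injection risk the comments point at), and every result set a CALL produces is consumed before the next query is sent, since a stored procedure call returns its SELECT result followed by a final status result and the connection refuses further queries until both are read. Error reporting is switched to exceptions so the real MySQL error reaches the log instead of a bare "false". The procedure name Get_User_ID, the tables user and watchlist, the database carhubdb and the values John123 and 13 come from the post (note that the posted log records the call as Get_UserID while the procedure is defined as Get_User_ID; the example uses the defined name); the connection credentials are placeholders, and mysqli_stmt::get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not the asker's code): parameterised CALL + INSERT with mysqli,
// draining the extra result set that a stored procedure call leaves behind.
declare(strict_types=1);

// Throw mysqli_sql_exception on any MySQL error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function getUserId(mysqli $conn, string $username): ?int
{
    // The user name is bound as a parameter, never interpolated into the SQL string.
    $stmt = $conn->prepare('CALL Get_User_ID(?)');
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // First result set: the SELECT inside the procedure (requires mysqlnd).
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    $userId = $row === null ? null : (int) $row['idUser'];
    $result->free();

    // A CALL yields the procedure's result set(s) followed by a final status
    // result. Until every result is consumed the connection is busy and the
    // next query fails with "Commands out of sync".
    while ($stmt->more_results()) {
        $stmt->next_result();
    }
    $stmt->close();

    return $userId;
}

function addToWatchlist(mysqli $conn, int $userId, int $advertId): bool
{
    $stmt = $conn->prepare('INSERT INTO watchlist (UserID, AdvertID) VALUES (?, ?)');
    $stmt->bind_param('ii', $userId, $advertId);
    $stmt->execute();
    $inserted = $stmt->affected_rows === 1;
    $stmt->close();
    return $inserted;
}

// Placeholder credentials; in the real script these come from configuration.
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'carhubdb');

$username = 'John123'; // constructed sample values taken from the posted log
$advertId = 13;

try {
    $userId = getUserId($conn, $username);
    if ($userId === null) {
        echo 'Unknown user';
        exit;
    }
    if (addToWatchlist($conn, $userId, $advertId)) {
        // Send the header before any output, otherwise PHP reports "headers already sent".
        header('Refresh: 3; url=Indexlogged.php');
        echo 'Advert added to watchlist, redirecting';
    } else {
        echo 'Advert was not added';
    }
} catch (mysqli_sql_exception $e) {
    // The actual MySQL error (e.g. "Commands out of sync") goes to the server log,
    // not to the browser.
    error_log('watchlist insert failed: ' . $e->getMessage());
    echo 'Could not add advert to watchlist';
}
```

The drain loop in getUserId is the part that addresses the symptom in the post: the echoed id is correct because the first result set was read, but the unread status result still blocks the connection when the INSERT is issued. Calling $conn->query('CALL ...') instead of a prepared statement needs the same treatment with $conn->more_results() and $conn->next_result() before any further query.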
