
I'm trying to add data to my database, but don't know how to do this properly with PDO prepare/execute statements.

In my html file, I have this button call:

<form name="addRecord" method="POST">
    <button data-ng-click="addNewRecord()" name="add">Add Record</button>
</form>

Which goes to my controller:

app.controller('DateHoursController', function ($scope, $http) {
    var date = 456;
    var hours = 5;
    var minutes = 45;
    var cid = 'jk7814982';
    var em = '[email protected]';
    var versionN = 0;

    $scope.addNewRecord = function () {
        var today = Date.now();

        $http.post("server/insert.php", { 'id': cid, 'createdon': today, 'email': em, 'date': date, 'hour': hours, 'minute': minutes, 'version': versionN })
            .success(function (data, status, headers, config) {
                console.log("inserted Successfully");
            });
    };
});

Which calls my PHP file:

<?php
    if(isset($_POST['add']))
    {
        try {
            $db = new PDO('mysql:host=localhost;dbname=myDBNAME;charset=utf8',
                            'myDBUSER',
                            'myDBPASS');
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
            $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
        catch(PDOException $ex) {
            echo "did not connect...";
        }

        $sth = $db->prepare("INSERT INTO my_db_table 
                            (tcode, created_on, email, move_in_date, move_in_hour, move_in_minute, version)
                            VALUES (?, ?, ?, ?, ?, ?, ?)");

        $data = json_decode(file_get_contents("php://input"));
        $sth->bindValue(1, $data->id);
        $sth->bindValue(2, $data->createdon);
        $sth->bindValue(3, $data->email);
        $sth->bindValue(4, $data->date);
        $sth->bindValue(5, $data->hour);
        $sth->bindValue(6, $data->minute);
        $sth->bindValue(7, $data->version);

        $success = $sth->execute();
        Print $success;
    }
?>

In the console, I see "inserted Successfully", and checking the browser network, if I click "insert.php" I see status 200, but an empty response.

Am I forgetting something here? I don't understand what's making this fail.

  • Why are you using mysql_real_escape_string with PDO? Commented Jul 11, 2016 at 19:44
  • Use prepared statements. Commented Jul 11, 2016 at 19:44
  • @don'tpanic because of this answer: stackoverflow.com/questions/20004325/… Commented Jul 11, 2016 at 19:46
  • @Sirko can you please demonstrate? If it works with my solution I'll accept your answer. Commented Jul 11, 2016 at 19:46

1 Answer

Do not use mysql_real_escape_string, or any other escaping functions, before binding your values.

Prepare the statement, with placeholders where you are currently inserting your values:

$sth = $db->prepare("INSERT INTO my_db_table 
             (tcode, created_on, email, move_in_date, move_in_hour, move_in_minute, version)
             VALUES (?, ?, ?, ?, ?, ?, ?)");

Bind the values to the prepared statement:

$sth->bindValue(1, $data->id);
$sth->bindValue(2, $data->createdon);
$sth->bindValue(3, $data->email);
$sth->bindValue(4, $data->date);
$sth->bindValue(5, $data->hour);
$sth->bindValue(6, $data->minute);
$sth->bindValue(7, $data->version);

Execute the prepared statement.

$success = $sth->execute();

$success will indicate whether or not the execute was successful.


10 Comments

This is a good demonstration, but it's worth mentioning that named placeholders like :tcode are super useful and make this a lot less messy.
I went ahead and used your solution, but although I'm getting a success message in console, no data is being added to my database.
Don't forget to enable PDO exceptions to have errors bubble up automatically.
@VolcovMeter Sorry, I just noticed that I had forgotten to add the parameter numbers in the bindValue statements. I agree with tadman about named placeholders. If you want to try them instead of ? placeholders, you can see examples for how to use them in the PDO manual.
Just as a sidenote: one can pass the parameters also as an array to the execute() function. Then no call to bindValue() is needed.
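The answer's prepare/bind/execute flow with the comments' suggestions applied (PDO exceptions, named placeholders, an array passed to execute()), as an added example that is not code from the question or the answer. It assumes an in-memory SQLite database and a constructed JSON body using the controller's field names; the table and column names are the question's.

```php
<?php
// Added example, not from the question or answer: prepare/execute with PDO
// exceptions, named placeholders and an array passed to execute().
// In-memory SQLite so it runs stand-alone; use the MySQL DSN in practice
// (and keep the question's ATTR_EMULATE_PREPARES = false there).
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // ERRMODE_EXCEPTION: a failed prepare/execute can no longer be
    // mistaken for success (the "status 200, empty response" symptom).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE my_db_table (tcode TEXT, created_on INTEGER,
        email TEXT, move_in_date INTEGER, move_in_hour INTEGER,
        move_in_minute INTEGER, version INTEGER)');
    return $db;
}

// $http.post sends a JSON body, for which PHP leaves $_POST empty: read
// php://input (as the question does) and validate the expected fields.
function readJsonBody(string $raw): array {
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    foreach (['id', 'createdon', 'email', 'date', 'hour', 'minute', 'version'] as $k) {
        if (!array_key_exists($k, $data)) {
            throw new InvalidArgumentException("missing field: $k");
        }
    }
    return $data;
}

function insertRecord(PDO $db, array $d): int {
    // Values travel separately from the SQL text, so no escaping is needed.
    $sth = $db->prepare('INSERT INTO my_db_table
        (tcode, created_on, email, move_in_date, move_in_hour, move_in_minute, version)
        VALUES (:tcode, :created_on, :email, :date, :hour, :minute, :version)');
    // One array passed to execute() replaces the seven bindValue() calls.
    $sth->execute([
        ':tcode' => $d['id'], ':created_on' => (int) $d['createdon'],
        ':email' => $d['email'], ':date' => (int) $d['date'],
        ':hour' => (int) $d['hour'], ':minute' => (int) $d['minute'],
        ':version' => (int) $d['version'],
    ]);
    return $sth->rowCount();
}

// Constructed body with the controller's fields; in the real handler it is
// file_get_contents('php://input'). The apostrophe is stored verbatim.
$raw = '{"id":"jk7814982","createdon":1468264000000,"email":"o\'brien@example.com",'
     . '"date":456,"hour":5,"minute":45,"version":0}';
$db = openDb();
echo insertRecord($db, readJsonBody($raw)), " row inserted; email = ",
     $db->query('SELECT email FROM my_db_table')->fetchColumn(), "\n";
```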
