
I am trying to save a message in MySQL, but all I get is a failure.

public function actionChat()
{
    $message = \Yii::$app->request->get('message');
    $user_id = \Yii::$app->user->identity->id;
    \Yii::$app->db->createCommand("INSERT INTO chat(message_content, user_id) VALUES ($message, $user_id)")->execute();

    return $message;
}

When I write the same query in phpMyAdmin it works fine, but not in my controller. I also tried to put a literal string in the query, like

\Yii::$app->db->createCommand("INSERT INTO chat(message_content, user_id) VALUES ('first message', $user_id)")->execute();

but the result was the same. Can you give me advice on where my mistake is? Thank you! AJAX:

$('body').on('click', '#chat-button', function () {
    var message = $('#chat-message').val();
    $.ajax({
        method : 'GET',
        // encode the message so characters such as & or # survive the query string
        url : '../site/chat?message=' + encodeURIComponent(message),
        dataType : 'text',
        success : function ( data ) {
            alert(data);
        }
    });
});
  • What's the error message? Commented Apr 25, 2017 at 15:37
  • GET http://letsblog/site/chat?message=fa 500 (Internal Server Error) but I think my AJAX is fine. Will add it too. No other error is shown. It just refuses to add the message to the database :) Commented Apr 25, 2017 at 15:38

2 Answers


Another approach would be to use a parameterized query, avoiding any quoting issues.

\Yii::$app->db->createCommand(
    "INSERT INTO chat(message_content, user_id)
     VALUES (:content, :userID)",
    [':content' => $message, ':userID' => $user_id])->execute();

1 Comment

Yes, I read some Yii2 documentation :) Thank you!

If $message is a string value you should use single quotes in your SQL statement (and if $user_id is a string then add quotes to this var too)

\Yii::$app->db->createCommand("INSERT INTO chat(message_content, user_id)
    VALUES ('$message', $user_id)")->execute();

and be careful: the use of $var in SQL statements can imply SQL injection .. you should use param binding for assigning values

5 Comments

Correct! Thank you very much!
Of course! I was just waiting for 5 minutes to pass :) Stack Overflow rules :)
This is a very poor way of doing things as you are subject to SQL injection attacks. If the message was something like filler', 1); DROP TABLE chat; -- then you're pretty much toast.
@PhilCairns .. the answer is not about the way the OP uses the var in SQL .. but is about the error message .. so your comment and downvote should not be attributed to my answer but should be made to the OP. Commenting and giving negative judgments based on aspects that are not introduced by the response is basically a symptom of incompetence. If you have a better answer, post it .. if you do not have one you should not criticize others for things they did not do.
@scaisEdge, you have almost 60k reputation and I'd suggest that with that comes a certain level of responsibility. It costs nothing to add a bit extra that says "oh, and you might want to be careful with that, because someone could destroy your application simply by typing something into your web form, and even if they don't, you could get some really weird errors just because they typed a quote in their message". I didn't provide an answer, because Pedro's already provided a better one.
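The two answers above make two separate points: the unquoted interpolation is what produces the 500, and quoting the value by hand still leaves the query open to injection, which only parameter binding fixes. The script below is an added example, not code from the question or either answer. It uses plain PDO with an in-memory SQLite database so it runs stand-alone; Yii's createCommand($sql, $params) does the same binding on top of PDO. The table, the user id and the sample messages are constructed for the demo, and the SQLite error text differs slightly from MySQL's "Unknown column" message.

```php
<?php
// Added example (not from the question or answers): why the original query
// fails, and how parameter binding stores any message verbatim.
// Requires the pdo_sqlite extension; the table and data are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE chat (id INTEGER PRIMARY KEY, message_content TEXT NOT NULL, user_id INTEGER NOT NULL)');

$userId = 7; // constructed; stands in for \Yii::$app->user->identity->id

// 1) The original approach: the message is interpolated without quotes, so the
//    database parses "fa" as a column name, not a string. This exception is the
//    cause of the HTTP 500 reported in the question.
$message = 'fa';
try {
    $pdo->exec("INSERT INTO chat(message_content, user_id) VALUES ($message, $userId)");
} catch (PDOException $e) {
    echo 'Unquoted interpolation failed: ' . $e->getMessage() . PHP_EOL;
}

// 2) Parameter binding (what the accepted answer shows with createCommand):
//    the SQL text is fixed and the values travel separately, so quotes or SQL
//    keywords inside the message are stored as data, never parsed as SQL.
function saveMessage(PDO $pdo, string $message, int $userId): int
{
    $stmt = $pdo->prepare('INSERT INTO chat(message_content, user_id) VALUES (:content, :userID)');
    $stmt->execute([':content' => $message, ':userID' => $userId]);
    return (int) $pdo->lastInsertId();
}

$samples = [
    "it's a quote",                        // would break a hand-quoted '$message'
    "filler', 1); DROP TABLE chat; --",    // the payload discussed in the comments
];
foreach ($samples as $sample) {
    saveMessage($pdo, $sample, $userId);
}

// The table is intact and every message is stored as literal text.
$count = (int) $pdo->query('SELECT COUNT(*) FROM chat')->fetchColumn();
echo "Rows stored: $count" . PHP_EOL;
foreach ($pdo->query('SELECT message_content FROM chat ORDER BY id') as $row) {
    echo ' - ' . $row['message_content'] . PHP_EOL;
}
```

Run it with `php example.php`: the first insert raises a "no such column: fa" error, the two bound inserts succeed, and the listing prints both messages exactly as typed, with the chat table still in place.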
