Conversion of Insert and Select query to a Prepared statement

Beginners - Learning PHP
#1

Please can anybody help, I am trying to convert one Insert query and one select query to prepared statement but I was stuck on the way.

No.1 below is the original code that I want to convert to prepared statement,

No.2 is the one that I am working but get stucked

No.1

    $insert_customer = "insert into customers 
                        (customer_name,customer_email,customer_pass,
                        customer_country,customer_city,customer_contact,
                        customer_address,customer_image,customer_ip) 
                values ('$c_name','$c_email','$c_pass','$c_country',
                        '$c_city','$c_contact','$c_address',
                        '$c_image','$c_ip')";
    $run_customer = mysqli_query($dbc,$insert_customer);
    $sel_cart = "select * from cart where ip_add='$c_ip'";
    $run_cart = mysqli_query($cdbc,$sel_cart);
    $check_cart = mysqli_num_rows($run_cart);

    if($check_cart>0){
    
        /// If register have items in cart ///
        $_SESSION['customer_email']=$c_email;
        echo "<script>alert('You have been Registered Sucessfully')</script>";
        echo "<script>window.open('checkout.php','_self')</script>";
    
    }else{
    
        /// If register without items in cart ///
        $_SESSION['customer_email']=$c_email;
        echo "<script>alert('You have been Registered Sucessfully')</script>";
        echo "<script>window.open('index.php','_self')</script>";
    }
}
?>

2 here is the prepared statement I am working on but get stucked. I just want to know how to combine the two queries together

.

        $insert_customer = "INSERT INTO customers 
                        (customer_name,customer_email,customer_pass,
                        customer_country,customer_city,customer_contact,
                        customer_address,customer_image,customer_ip) 
                    VALUES (?,?,?,?,?,?,?,?,?)";
        // Prepare the statement:
        $stmt = mysqli_prepare($dbc,  $insert_customer);

        // Bind the variables:
        mysqli_stmt_bind_param($stmt, 'ssssssssi',
                                    $c_name,$c_email,$c_pass,
                                    $c_country,$c_city,$c_contact,
                                    $c_address,$c_image,$c_ip);

        $sel_cart = "select * from cart where ip_add=?";
        $stmt = mysqli_prepare($cdbc,$sel_cart);
        // Bind the variables:
        mysqli_stmt_bind_param($stmt,'i',$c_ip);
        // Execute the query:
        mysqli_stmt_execute($stmt);
        
        if (mysqli_stmt_affected_rows($stmt) == 1) {
            /// If register have items in cart ///
            $_SESSION['customer_email']=$c_email;
            echo "<script>alert('You have been Registered Sucessfully')</script>";
            echo "<script>window.open('checkout.php','_self')</script>";
        }else{
            /// If register without items in cart ///
            $_SESSION['customer_email']=$c_email;
            echo "<script>alert('You have been Registered Sucessfully')</script>";
            echo "<script>window.open('index.php','_self')</script>";
        }
    }
}
?>
#2

As long as you are going through the trouble of converting you might as well use PDO. Here is a tutorial to get you going.

https://phpdelusions.net/pdo

1 Like
#3

There’s too many issues here. Starting with things present in both No. 1/No. 2 cases -

  1. Most people have two or more parts to their name. You should enter and store these parts separately, so that you can distinguish which are the first and last names. Is someone’s name Ross Martin or Martin Ross?
  2. Addresses where I live have - a street address, an (optional) unit/apartment number, city, state, zipcode, and (internationally) a country.
  3. I suspect the contact column is a phone number? If so, it should be named that.
  4. I have an issue with repeating the table name as part of each column name. This just adds unnecessary clutter, making it harder, not easier, to write error free queries.
  5. To find if there are any matching rows in a table, don’t select all the columns and all the rows to find out. Use a SELECT COUNT(*) … query instead, then fetch and test the count value. There’s an additional problem with the current method and prepared queries in that if you don’t fetch all the data from a SELECT query, you will get an out of sync error if you try to run another query. Don’t SELECT data unless you want to use that data.
  6. A person’s IP address can change at any time, i.e their cable/dsl/fiber modem gets reset, their cell phone gets handed off to a different cell tower,… You should not use the ip address as the identifier for a cart. Even if you are not using a session based cart, you should use a session id as the identifier that relates a non-logged-in person to their cart.
  7. Just because a person has their registration data inserted into a table, doesn’t mean they should be allowed to continue. In order to verify an email address, your registration process should send an email with an activation link in it. You should require the account to be activated and then require that the user successfully logs in before allowing them to continue.
  8. The only redirect you should have upon successful completion of post method form processing code should be to the exact same url of the page to cause a get request for that page. Any navigation to other pages should be handled using navigation links that the user can choose.
  9. Any redirect you do have on a page needs an exit/die statement after it to stop program execution.

Problems specific to the conversion -

  1. You are not actually executing the INSERT query, before you move onto the code for the SELECT query, which I suspect has something to do with the question in your post about combining the queries. You need to execute and deal with the result from each query separately.
  2. When using a prepared query with the mysqli extension, mysqli_stmt_num_rows() does not function as expected until you call mysqli_stmt_store_result(). This is yet another reason to use the much simpler and more consistent PDO extension. For some reason, whoever designed the mysqli prepared query logic, thought it would be a good idea to make a SELECT query work different from a non-prepared query and from how every other database extension works.

As to your question about combining the queries, no, you cannot. Each query is for a different purpose and the result from each has a different meaning.

I’m assuming that you are attempting to test the number of affected rows for the INSERT query (which is not actually what the code is doing), because that would mean that the registration was successful. But what if it is not successful? What if the email address already exists (which should cause a duplicate key error from the INSERT query), either because the person has already registered or made a typo mistake when they entered the email address? You need to detect and handle this possibility in the code. If the user accurately entered the email address, it means they either need to activate the account or simply log in. If they made a typo, they need to correct the email address and re-submit the registration form.

Sponsor our Newsletter | Privacy Policy | Terms of Service