Fatal error: Call to a member function bind_param() on a non-object in

Oh what do you know. I must have accidentally deleted the asterisk right before saving earlier. Now I feel dumb -_-

I get this as a result:

[php]array(1) { [0]=> object(stdClass)#4 (24) { ["form_corpo_testID"]=> string(1) "6" ["compagnie"]=> string(13) "ggfgfgdfgfgdf" ["telephone"]=> string(10) "2147483647" ["site_web"]=> string(14) "77777777777777" ["texte_fr"]=> string(14) "77777777777777" ["texte_en"]=> string(16) "7777777777777777" ["categories"]=> string(0) "" ["profil_exposant"]=> string(19) "Agent manufacturier" ["stands_du_manufacturier"]=> string(32) "77777777777777777777777777777777" ["pourcentage_quebec"]=> string(2) "77" ["pourcentage_canada"]=> string(2) "77" ["pourcentage_usa"]=> string(2) "77" ["pourcentage_autre"]=> string(2) "77" ["exporte"]=> string(3) "non" ["exporte_souhaite"]=> string(21) "@souhaiteexporter.eps" ["produits_vert"]=> string(3) "non" ["nouveau_produits"]=> string(3) "non" ["nom"]=> string(2) "77" ["courriel"]=> string(14) "[email protected]" ["telephone_ressource"]=> string(10) "2147483647" ["personne_ressource_c_toi"]=> string(3) "oui" ["autre_personne_ressource"]=> string(0) "" ["autre_courriel"]=> string(0) "" ["autre_telephone"]=> string(1) "0" } }

aww, something bad happened, it should have been catched by the try/catch inside the DB class…
[/php]

Ok, so we know querying works. Have no idea why it's echoing that error though. It really shouldn't do that…

Are you doing $result = $db->query…?

Then just fix up your big query and it seems like you’re good to go.

Well, that is what I’m baffled about. Because this code here seems correct. I’m no PDO expert, but it looks good.

[php]$result = $db->query("INSERT INTO form_corpo_test (compagnie,
telephone,
site_web,
texte_fr,
texte_en,
categories,
profil_exposant,
stands_du_manufacturier,
pourcentage_quebec,
pourcentage_canada,
pourcentage_usa,
pourcentage_autre,
exporte,
exporte_souhaite,
produits_vert,
nouveau_produits,
nom,
courriel,
telephone_ressource,
personne_ressource_c_toi,
autre_personne_ressource,
autre_courriel,
autre_telephone)

    VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", $data);

if (!$result) {
    echo 'aww, something bad happened, it should have been catched by the try/catch inside the DB class…';
}
[/php]

It looks correct. Do you get any error messages?

Only this one
[php]
aww, something bad happened, it should have been catched by the try/catch inside the DB class…[/php]

Just for fun, I stripped this line of code:
[php] VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", $data);[/php]

To this:
[php]VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");[/php]

So it added zeros to my db, so clearly the problem is with the array itself.

EDIT: This is an example of what the array looks like:
[php]
$data = array();
$data['compagnie'] = !empty($_POST['company']) ? $_POST['company'] : '';[/php]

Have you tried var_dumping the result? How does the build of the array look now? (Post your entire code atm.)

Yes, I have left it there. It shows me the string number and what is inside the db.

[php]
<?php
include ('config.php');
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');

// The following checks to see whether PDO is enabled or not.
/*if (!defined('PDO::ATTR_DRIVER_NAME')) {
    echo 'PDO unavailable';
} elseif (defined('PDO::ATTR_DRIVER_NAME')) {
    echo 'PDO available';
} */

require_once ('db.php');
$db = new db();

//This is useful to see whether or not you can actually read the
$result = $db->query('SELECT * FROM form_corpo_test WHERE compagnie = ?', array('ggfgfgdfgfgdf'));
var_dump($result);

//This gets all the other information from the form and adds them to an array
$data = array();
$data['compagnie'] = !empty($_POST['company']) ? $_POST['company'] : '';
$data['telephone'] = !empty($_POST['phone']) ? $_POST['phone'] : '';
$data['site_web'] = !empty($_POST['website']) ? $_POST['website'] : '';
$data['texte_fr'] = !empty($_POST['messagefr']) ? $_POST['messagefr'] : '';
$data['texte_en'] = !empty($_POST['messageen']) ? $_POST['messageen'] : '';
$data['categories'] = !empty($_POST['categories']) ? $_POST['categories'] : '';
$data['profil_exposant'] = !empty($_POST['profession']) ? $_POST['profession'] : '';
$data['stands_du_manufacturier'] = !empty($_POST['manufacturiers_stand']) ? $_POST['manufacturiers_stand'] : '';
$data['pourcentage_quebec'] = !empty($_POST['percent_quebec']) ? $_POST['percent_quebec'] : '';
$data['pourcentage_canada'] = !empty($_POST['percent_canada']) ? $_POST['percent_canada'] : '';
$data['pourcentage_usa'] = !empty($_POST['percent_usa']) ? $_POST['percent_usa'] : '';
$data['pourcentage_autre'] = !empty($_POST['percent_autre']) ? $_POST['percent_autre'] : '';
$data['exporte'] = !empty($_POST['bt_export']) ? $_POST['bt_export'] : '';
$data['exporte_souhaite'] = !empty($_POST['bt_exporte_souhaite']) ? $_POST['bt_exporte_souhaite'] : '';
$data['produits_vert'] = !empty($_POST['bt_prod_verts']) ? $_POST['bt_prod_verts'] : '';
$data['nouveau_produits'] = !empty($_POST['bt_new_prod']) ? $_POST['bt_new_prod'] : '';
$data['nom'] = !empty($_POST['name']) ? $_POST['name'] : '';
$data['courriel'] = !empty($_POST['email']) ? $_POST['email'] : '';
$data['telephone_ressource'] = !empty($_POST['resource_phone']) ? $_POST['resource_phone'] : '';
$data['personne_ressource_c_toi'] = !empty($_POST['personne_ressource']) ? $_POST['personne_ressource'] : '';
$data['autre_personne_ressource'] = !empty($_POST['backup_name']) ? $_POST['backup_name'] : '';
$data['autre_courriel'] = !empty($_POST['backup_email']) ? $_POST['backup_email'] : '';
$data['autre_telephone'] = !empty($_POST['backup_phone']) ? $_POST['backup_phone'] : '';

// run db query and enter the entire data array at once. Note that you could/should
// write a function that automatically generates the ?,?,? string based on the parameters (count($array))
//$result = $db->exec("INSERT INTO form_corpo_test");
$result = $db->query("INSERT INTO form_corpo_test (compagnie, telephone, site_web, texte_fr, texte_en, categories, profil_exposant, stands_du_manufacturier, pourcentage_quebec, pourcentage_canada, pourcentage_usa, pourcentage_autre, exporte, exporte_souhaite, produits_vert, nouveau_produits, nom, courriel, telephone_ressource, personne_ressource_c_toi, autre_personne_ressource, autre_courriel, autre_telephone) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", $data);

if (!$result) {
    echo 'aww, something bad happened, it should have been catched by the try/catch inside the DB class...';
}
// ... the rest of your code
?>[/php]

It's the second $result you should var_dump…

It dumps only the word NULL.

Oh man, I messed up something. Sorry ^^

Will post a revised code in a sec.

This should work! heh… We were sending in an array with keys => values. The DB class is expecting an array with the values only (in the same order as the question marks in the query).

[php]<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');

include ('config.php');
require_once ('db.php');

$db = new db();

//This gets all the other information from the form and adds them to an array
$data = array();
$data[] = !empty($_POST['company']) ? $_POST['company'] : '';
$data[] = !empty($_POST['phone']) ? $_POST['phone'] : '';
$data[] = !empty($_POST['website']) ? $_POST['website'] : '';
$data[] = !empty($_POST['messagefr']) ? $_POST['messagefr'] : '';
$data[] = !empty($_POST['messageen']) ? $_POST['messageen'] : '';
$data[] = !empty($_POST['categories']) ? $_POST['categories'] : '';
$data[] = !empty($_POST['profession']) ? $_POST['profession'] : '';
$data[] = !empty($_POST['manufacturiers_stand']) ? $_POST['manufacturiers_stand'] : '';
$data[] = !empty($_POST['percent_quebec']) ? $_POST['percent_quebec'] : '';
$data[] = !empty($_POST['percent_canada']) ? $_POST['percent_canada'] : '';
$data[] = !empty($_POST['percent_usa']) ? $_POST['percent_usa'] : '';
$data[] = !empty($_POST['percent_autre']) ? $_POST['percent_autre'] : '';
$data[] = !empty($_POST['bt_export']) ? $_POST['bt_export'] : '';
$data[] = !empty($_POST['bt_exporte_souhaite']) ? $_POST['bt_exporte_souhaite'] : '';
$data[] = !empty($_POST['bt_prod_verts']) ? $_POST['bt_prod_verts'] : '';
$data[] = !empty($_POST['bt_new_prod']) ? $_POST['bt_new_prod'] : '';
$data[] = !empty($_POST['name']) ? $_POST['name'] : '';
$data[] = !empty($_POST['email']) ? $_POST['email'] : '';
$data[] = !empty($_POST['resource_phone']) ? $_POST['resource_phone'] : '';
$data[] = !empty($_POST['personne_ressource']) ? $_POST['personne_ressource'] : '';
$data[] = !empty($_POST['backup_name']) ? $_POST['backup_name'] : '';
$data[] = !empty($_POST['backup_email']) ? $_POST['backup_email'] : '';
$data[] = !empty($_POST['backup_phone']) ? $_POST['backup_phone'] : '';

// run db query and enter the entire data array at once. Note that you could/should
// write a function that automatically generates the ?,?,? string based on the parameters (count($array))
$result = $db->query("INSERT INTO form_corpo_test (compagnie,
    telephone,
    site_web,
    texte_fr,
    texte_en,
    categories,
    profil_exposant,
    stands_du_manufacturier,
    pourcentage_quebec,
    pourcentage_canada,
    pourcentage_usa,
    pourcentage_autre,
    exporte,
    exporte_souhaite,
    produits_vert,
    nouveau_produits,
    nom,
    courriel,
    telephone_ressource,
    personne_ressource_c_toi,
    autre_personne_ressource,
    autre_courriel,
    autre_telephone)
    VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
    $data);

if (!$result) {
    echo 'aww, something bad happened, it should have been catched by the try/catch inside the DB class…';
}
// … the rest of your code[/php]

If we were using named placeholders (':compagnie') we should've sent in both key (named placeholder) and value…

Yes! You are right lol. It does work perfectly well. I still have to make further tests, as I have other codes for pics uploads etc.

Although, I had to add this in (since I have a categories option that has multiple checkboxes).

[php]// Start with an empty string, not an array, so the concatenation below never gets an array
$cats = '';
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['cats'])) {
        // Multiple checkbox values arrive as an array; join them into one comma-separated string
        $cats = implode(",", $_POST['cats']);
    }
    $categories = isset($_POST['categories']) ? $_POST['categories'] : '';

    $str = $categories . ": " . $cats;
    //echo $str;
}
[/php]

And so, I modified this part here:

[php]$data[] = !empty($str) ? $str : '';[/php]

How safe exactly is PDO? I mean, with the current code, are there any steps I should take? Or are the securities in place good? To my untrained PDO eye, this looks good, but I would like your opinion on this (as you have much more experience than me).

As long as you do not add any variables directly into the query, and instead use named (:name) or unnamed (?) placeholders, SQL injection cannot happen.

You mean, like I was doing before with the $_POST?

Truth be told, I was only worried about the categories options (as there is a specific way or specific ways to divide them for adding them subsequently inside the db). Never could tell if it was hacker friendly or hacker non-friendly (if that makes sense).

So, the '?' in the values; you are stating that those are vulnerable IF I would use $_POST['category']? If that's the case, I'll try out the code I have presently (on my own website to see if my server likes it as well. I assume it will). That being the case, I'll feel safer :smiley:

Jim, you are awesome! Hopefully I will get to be as good as you are. I started as a Front End developer with some design skills, but I've been wanting to give backend a bigger chance than I had given it before, as our training in PHP was minimal. For sure, it is painfully hard, but I'm sure it's worth it.

Thank you for your relentless help! It’s very much appreciated! More than you will ever know :slight_smile:
I’ll definitely help some people if ever they are looking to do something like this.

Yes, any variables will risk making your code vulnerable. Sometimes you have to use variables though (i.e. ORDER BY and LIMIT), in which case you should make 100% sure you are only accepting valid values. Like doing something like this:
[php]$order = !empty($_POST['order']) && $_POST['order'] === 'desc' ? 'desc' : 'asc';[/php]

If you use placeholders (either named or unnamed) and send in all variables as parameters (like we did here) you are safe. (Note: some extreme and specific situations may leave you vulnerable, like using UTF7 with some queries, etc.)
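The three points Jim makes above (a plain list for `?` placeholders versus keyed arrays for named ones, the associative-array mistake that produced the NULL result, and whitelisting ORDER BY/LIMIT) in one runnable script. This is an added example, not code from the thread; it assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table and plain PDO in place of the MySQL table and the thread's db class.

```php
<?php
// Added example, not code from the thread: an in-memory SQLite table stands in for the
// MySQL table and plain PDO for the thread's db class, so it runs offline with pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE form_corpo_test (compagnie TEXT, courriel TEXT, nom TEXT)');

// Constructed form input (stands in for $_POST); the quote and semicolon would break a
// hand-built SQL string, and the sort/limit values are deliberately out of range.
$post = array('company' => "D'Amour & Fils; -- pas du SQL", 'email' => 'info@example.test',
              'name' => 'Marie', 'sort' => 'compagnie; x', 'dir' => 'desc', 'limit' => '5000');
$insert = 'INSERT INTO form_corpo_test (compagnie, courriel, nom) VALUES ';

// 1. Positional '?' placeholders take a plain list: one value per '?', in query order.
//    The ?,?,? string is built from count($data), as the thread's own comment suggests.
$data  = array($post['company'], $post['email'], $post['name']);
$marks = '(' . implode(',', array_fill(0, count($data), '?')) . ')';
$pdo->prepare($insert . $marks)->execute($data);

// 2. Named placeholders take an associative array whose keys match the placeholder names.
$pdo->prepare($insert . '(:compagnie, :courriel, :nom)')
    ->execute(array('compagnie' => $post['company'], 'courriel' => $post['email'], 'nom' => $post['name']));

// 3. The thread's bug: an associative array handed to '?' placeholders. No key maps onto a
//    positional slot, so PDO refuses to bind and throws (the message depends on the driver);
//    a db class that catches the exception and returns NULL hides this, as in the thread.
try {
    $pdo->prepare($insert . $marks)->execute(array('compagnie' => 'x', 'courriel' => 'y', 'nom' => 'z'));
    echo "unexpected: associative array accepted for ? placeholders\n";
} catch (PDOException $e) {
    echo 'rejected as expected: ' . $e->getMessage() . "\n";
}

// Both bound inserts stored the quote-and-semicolon string verbatim as data, never as SQL.
$rows = $pdo->query('SELECT compagnie FROM form_corpo_test')->fetchAll(PDO::FETCH_COLUMN);
if ($rows !== array($post['company'], $post['company'])) {
    throw new RuntimeException('bound value was not stored verbatim');
}

// 4. ORDER BY names a column and a keyword, not a value, so it cannot be bound: whitelist it,
//    as the $order one-liner above does. LIMIT can be bound, but only typed as an integer.
$allowed = array('compagnie', 'courriel', 'nom');
$col   = in_array($post['sort'], $allowed, true) ? $post['sort'] : 'compagnie';
$dir   = ($post['dir'] === 'desc') ? 'DESC' : 'ASC';
$limit = max(1, min(100, (int) $post['limit']));   // clamp to a sane page size
$stmt  = $pdo->prepare("SELECT compagnie FROM form_corpo_test ORDER BY $col $dir LIMIT ?");
$stmt->bindValue(1, $limit, PDO::PARAM_INT);
$stmt->execute();
echo count($stmt->fetchAll()) . " row(s) listed\n";
```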

Awesome!

UTF7? I did not know there was such a thing. Since we use French and English, we have to use UTF-8. I don’t think we could use any other (I could be wrong though).

I just read up on UTF7 just now. Interesting read to be certain.

It is awesome :slight_smile:

Just don't forget XSS, and that you should protect sensitive data (logins, session IDs, etc.) with SSL (HTTPS).

BTW: this is also perfectly safe, just to make sure we understand each other.

[php]$result = $db->query('SELECT *
    FROM user
    WHERE id = ?
    AND data = ?
    AND count = ?',
    array($_GET['userId'],
          $_POST['data'],
          $count));[/php]

Right! Damn hackers!

I was thinking of checking some sanitizers as well for my site. I just didn’t have time to check up on that.

I’ll keep the other one in mind (I’ll save it and mail it to myself).

Send me your site on pm and I can poke around some :slight_smile:
