I'm trying for a registration form with keeping to prevent SQL injection in mind, but it is ended up with a fatal error:-
( Call to undefined method mysqli_stmt::bind_parm()),
Can you guys help me why I'm getting this fatal error and also I want to know is my coding is secured or not from hacking.
Here is the connection file
<?php
define('HOST','localhost');
define('USER','root');
define('PASSWORD_HOST','');
define('DATABASE','ubhs');
if(defined('HOST') && defined('USER') && defined('PASSWORD_HOST') && defined('DATABASE')){
$conn = mysqli_connect(HOST, USER, PASSWORD_HOST, DATABASE);
}else{
die(connection_failed.mysqli_connection_error());
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>
and here isportion of php file
$st_f_name_err1 = "";
$st_f_name_err2 = "";
$st_l_name_err1 = "";
$st_l_name_err2 = "";
$st_f_name = $_POST['st_f_name'];
$st_l_name = $_POST['st_l_name'];
$userinput = true; //trigger
if(isset($_POST['st_submit'])){
if(empty($st_f_name)){
$st_f_name_err1 = "You have to provide first Name";
$userinput = false;
}
if (!preg_match("/^[a-zA-Z ]*$/",$st_f_name)){
$st_f_name_err2 = "You can't provide numeric value in name field";
$userinput = false;
}else{
$st_f_name = test_input($st_f_name);
}if(empty($st_l_name)){
$st_l_name_err1 = "You have to provide last Name";
$userinput = false;
}
if (!preg_match("/^[a-zA-Z ]*$/",$st_l_name)){
$st_l_name_err2 = "You can't provide numeric value in name field";
$userinput = false;
}else{
$st_l_name = test_input($st_l_name);
}
if($userinput==true)
{
$stmt = $conn->prepare("INSERT INTO student_info (st_f_name,st_l_name,st_class,st_dob) VALUES(?,?,?,?)");
$stmt->bind_parm("sssi",$st_f_name,$st_l_name, $st_class,$st_dob);
$stmt->execute();
}
}
I assumed that you have two files (so code improvement along with TYPO indication):-
<?php
include_once('connection.php'); // include your connection file or put your code directly here
$st_err = array(); // take error array
$st_f_name = '';
$st_l_name = '';
if(!empty($_POST['st_f_name']) && !empty($_POST['st_l_name'])){ // check with posted values not with button name
$st_f_name = $_POST['st_f_name']; // assign values to variable
$st_l_name = $_POST['st_l_name'];
if (!preg_match("/^[a-zA-Z ]*$/",$st_f_name)){
$st_err[] = "You can't provide numeric value in first name field"; // assign error to error array
}else{
$st_f_name = test_input($st_f_name);
}
if (!preg_match("/^[a-zA-Z ]*$/",$st_l_name)){
$st_err[] = "You can't provide numeric value in last name field";// assign error to error array
}else{
$st_l_name = test_input($st_l_name);
}
}else{
$st_err[] = "your need to provide both first name and last name";// assign error to error array
}
if(count($st_err)>0){ // now check if error array have some value
$error_string = "<ul>" // create a string of ul li to show all errors
foreach ($st_err as $st_er){
$error_string .= "<li>".$st_er."</li>"; // append all errors
}
$error_string .= "</ul>";
die($error_string); // show errors and stop execution
}else{ // if no error is there
$stmt = $conn->prepare("INSERT INTO student_info (st_f_name,st_l_name,st_class,st_dob) VALUES(?,?,?,?)");
$stmt->bind_param("sssi",$st_f_name,$st_l_name, $st_class,$st_dob); // TYPO HERE a is missed in param
$stmt->execute();
}