-1

I want to insert values into my database. I have a phpMyAdmin database on a free web server. Here is the code:

    $con = mysqli_connect("hostname", "user", "password", "databasename");
    $name = $_POST["name"];
    $username = $_POST["username"];
    $password = $_POST["password"];
    $email = $_POST["email"];
    $phonenumber = $_POST["phonenumber"];

    $statement = mysqli_prepare($con, "INSERT INTO User (name, username, password, email, phonenumber) 
                                        VALUES (?, ?, ?, ?, ?)"); 
    mysqli_stmt_bind_param($statement, "sss", $name, $username, $password, $email, $phonenumber);
    mysqli_stmt_execute($statement);
    mysqli_stmt_close($statement);
    mysqli_close($con);

And the problem is how in phpMyAdmin I could insert values like "... VALUES ('Caroline', 'CC'..."); and it worked, and I can insert with the code above like "... VALUES ('?', '?', '?'..."); but it inserts ? into every column.

Here is the table with Values( '$name', '? ', '?'..):


So how could I insert $name with ' ' and bind param? If I change in bind_param the $name into '$name' it still doesn't work. But if I change VALUES('$name') then it inserts the right value into the table.

Barmar
  • count these `"sss"` and count your `?` in values. plus hoping you're not trying to execute this directly in phpmyadmin – Funk Forty Niner Dec 09 '15 at 19:59
  • As mentioned @Fred-ii- you should have "sssss" string, cause you have 5 params to be bound. Check http://php.net/manual/en/mysqli-stmt.bind-param.php for more info. – Gino Pane Dec 09 '15 at 20:04
  • PHPMyAdmin *is not* a database. It is a web interface for your MySQL database. – Jay Blanchard Dec 09 '15 at 20:04
  • phpMyAdmin is not a database, you're not inserting anything into it. –  Dec 09 '15 at 20:05
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 09 '15 at 20:09
  • 1
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 09 '15 at 20:09

1 Answer

2

As mentioned, you have 3x s's in your binding, but 5x ? placeholders.

You also seem to be wanting to execute this directly in phpmyadmin; that's not how it works. Those placeholders/binding only get executed/populated via your website/local machine from the web browser and accessed as http://localhost|yourhost/file.php

It needs to be executed from a server and with an environment that has PHP/MySQL installed.

Plus, make sure your form does not fail you once you've done this; something that wasn't posted.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

You should also check for errors in your query, should there be any type of constraints or collision with your incoming/existing data.


Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

Other links:

Community
Funk Forty Niner
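The points raised in the comments and the answer (one type letter per unquoted `?`, visible errors, hashed passwords), put together as an added example that is not code from the question or the answer. The helper names `check_bind_arity` and `insert_user` are hypothetical; the table and column names are the ones in the question.

```php
<?php
// Added example, not the poster's code. Table/columns are taken from the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing quietly.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: refuse to bind unless placeholders, type letters and
// values all agree. Assumes the SQL contains no literal '?' characters.
function check_bind_arity(string $sql, string $types, array $values): void
{
    $placeholders = substr_count($sql, '?');
    if ($placeholders !== strlen($types) || $placeholders !== count($values)) {
        throw new InvalidArgumentException(sprintf(
            '%d placeholders, %d type letters, %d values',
            $placeholders, strlen($types), count($values)
        ));
    }
}

/** Hypothetical helper: insert one row from form input and return its id. */
function insert_user(mysqli $con, array $post): int
{
    $sql = 'INSERT INTO User (name, username, password, email, phonenumber)
            VALUES (?, ?, ?, ?, ?)';   // placeholders are never quoted
    $values = [
        (string) ($post['name'] ?? ''),
        (string) ($post['username'] ?? ''),
        password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT),
        (string) ($post['email'] ?? ''),
        (string) ($post['phonenumber'] ?? ''),
    ];
    $types = 'sssss';                  // one letter per placeholder
    check_bind_arity($sql, $types, $values);
    $stmt = $con->prepare($sql);
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $id = (int) $stmt->insert_id;      // 0 if the table has no AUTO_INCREMENT key
    $stmt->close();
    return $id;
}

// The question's combination ("sss" against five placeholders) is rejected
// before it reaches the database:
try {
    check_bind_arity('VALUES (?, ?, ?, ?, ?)', 'sss', ['a', 'b', 'c', 'd', 'e']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Call it from the form handler as `insert_user(mysqli_connect("hostname", "user", "password", "databasename"), $_POST);`. The `password` column must be wide enough to hold the hash string; the PHP manual suggests 255 characters.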