MYSQLI error with _GET attribute - Fatal error: Call to a Member Function error() on a non-object in

Question

MYSQLI error with _GET attribute - Fatal error: Call to a Member Function error() on a non-object in

Asked 7 years, 8 months ago

Viewed 84 times

1

I got a problem and I don’t know how to fix it.

I am using MYSQLI to query a database using GET to get the name of the table where the query should be made.

BD connection code:

$hostbd = "localhost";
$usuariobd = "usuario";
$senhabd = "senha";
$bancobd = "bd";

// Conecta ao banco de dados
$mysqli = new mysqli($hostbd, $usuariobd, $senhabd, $bancobd);
// Verifica se ocorreu algum erro
if (mysqli_connect_errno()) {
    die('Não foi possível conectar-se ao banco de dados: ' . mysqli_connect_error());
    exit();
}

The code is:

$sql = $mysqli->prepare('SELECT * FROM ? ORDER BY `id` DESC');
$modulo = $_GET["modulo"];
$sql->bind_param('s', $modulo);
$sql->execute();
$RESULT = get_result($sql);
$sql->store_result();
$registro = $sql->num_rows;

if ($registro < 1) {
    echo "resultado";
}

When accessing the page the following error is displayed:

Fatal error: Call to a Member Function bind_param() on a non-object in /path/module.php on line 24

The line 22 is this: $sql->bind_param(’s', $module);

I already printed the variable $modulo and she’s pulling the table name right out of the table, if I put the table name in the variable $module the problem still persists which shows me that the problem is not the GET. If I put the table name directly in the query the error is not displayed and works normally.

Does anyone have any idea what it might be?

Where you are declaring the object $mysqli?

– Thiago Santos

2017/02/13 at 10:13
@Thiagosantos $mysqli is declared in the connection code with the database. I will edit the original code so you can see

– Frederico Moreira

2017/02/13 at 10:33
Have you ever stopped to think that in this way some "smart guy" can see the data from other tables only changing values in Quey string?

– Jéf Bueno

2017/02/13 at 11:28
@jbueno Do you talk if the smart change the data sent via GET? What suggest me? Thank you

– Frederico Moreira

2017/02/14 at 11:41

1 answer

Browser other questions tagged php database mysqli

You are not signed in. Login or sign up in order to post.

by deoliveiralucas • **156** points · Answer 1 · 2017-02-13T10:17:54+00:00

1

You have an error in your SQL syntax; you cannot use the method bind_param to link the table name, hence the method prepare must be returning false and not the object statement, then try to directly add the table name in SQL that should work.

Yes, if I type the table name directly into the query works. The problem is that this code is from some modules, IE, needed to take the table name via GET and play in the query.

– Frederico Moreira

2017/02/13 at 10:32
So, but using the bind_params so it won’t work, so it won’t help? $sql = $mysqli->prepare(sprintf('SELECT * FROM %s ORDER BY id DESC', $_GET["modulo"])); and then remove line 22. Just do a treatment/validation on the variable $_GET["modulo"] before, you can validate if it really exists.

– deoliveiralucas

2017/02/13 at 10:40
This way you passed, when I took the line from bind_params the error went to the bottom line (execute). But I managed to make it work by following its logic: $modulo = $mysqli->real_escape_string($_GET["modulo"]); $consulta = 'SELECT * FROM '. $modulo . ' ORDER BY id DESC'; $sql = $mysqli->prepare($query)or die($mysqli->error);

– Frederico Moreira

2017/02/13 at 10:51
That, the idea is the same, you’re treating the variable $modulo before concatenating to SQL, so it will work, only with the bind_param that would not be possible.

– deoliveiralucas

2017/02/13 at 10:53