MYSQLI error with _GET attribute - Fatal error: Call to a Member Function error() on a non-object in

I got a problem and I don’t know how to fix it.

I am using MySQLi to query a database, using GET to obtain the name of the table the query should run against.

DB connection code:

$hostbd = "localhost";
$usuariobd = "usuario";
$senhabd = "senha";
$bancobd = "bd";

// Connect to the database
$mysqli = new mysqli($hostbd, $usuariobd, $senhabd, $bancobd);
// Check whether the connection failed
if (mysqli_connect_errno()) {
    // die() already terminates the script, so no separate exit() is needed
    die('Não foi possível conectar-se ao banco de dados: ' . mysqli_connect_error());
}

The code is:

// A placeholder cannot stand in for a table name, so prepare() fails and returns false
$sql = $mysqli->prepare('SELECT * FROM ? ORDER BY `id` DESC');
$modulo = $_GET["modulo"];
// $sql is false here, not a mysqli_stmt, which is what triggers the fatal error
$sql->bind_param('s', $modulo);
$sql->execute();
$RESULT = $sql->get_result();
$sql->store_result();
$registro = $sql->num_rows;

if ($registro < 1) {
    echo "resultado";
}

When accessing the page the following error is displayed:

Fatal error: Call to a Member Function bind_param() on a non-object in /path/module.php on line 24

Line 22 is this: $sql->bind_param('s', $modulo);

I have already printed the variable $modulo and it contains the table name correctly. If I put the table name directly into the variable $modulo the problem still persists, which shows me that the problem is not the GET. If I put the table name directly in the query, the error is not displayed and it works normally.

Does anyone have any idea what it might be?

  • Where are you declaring the object $mysqli?

  • @Thiagosantos $mysqli is declared in the database connection code. I will edit the original code so you can see it.

  • Have you ever stopped to think that this way some "smart guy" can see the data from other tables just by changing values in the query string?

  • @jbueno Do you mean if the smart guy changes the data sent via GET? What do you suggest? Thank you

1 answer

You have an error in your SQL syntax: you cannot use the bind_param method to bind the table name, so the prepare method must be returning false instead of the statement object. Try putting the table name directly into the SQL; that should work.

  • Yes, if I type the table name directly into the query it works. The problem is that this code is shared by several modules, i.e. it needs to take the table name via GET and put it in the query.

  • So, since it won't work with bind_params, it won't help? Try $sql = $mysqli->prepare(sprintf('SELECT * FROM %s ORDER BY id DESC', $_GET["modulo"])); and then remove line 22. Just do some treatment/validation on the variable $_GET["modulo"] beforehand; you can check whether it really exists.

  • With the way you suggested, when I removed the bind_params line the error moved to the next line (execute). But I managed to make it work by following your logic: $modulo = $mysqli->real_escape_string($_GET["modulo"]); $consulta = 'SELECT * FROM ' . $modulo . ' ORDER BY id DESC'; $sql = $mysqli->prepare($consulta) or die($mysqli->error);

  • Right, the idea is the same: you are treating the variable $modulo before concatenating it into the SQL, so it will work; only with bind_param would it not be possible.
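The answer and the comment above settle on "treat the variable before concatenating", and real_escape_string() is what the asker ended up using. That call only escapes characters inside string literals; it does nothing to stop a request from naming any table that exists, which is exactly the concern raised in the question's comments. The added example below (written for this page, not code from the question or the answer) shows the pattern a defender would use instead: an allowlist of table names the page is permitted to read, the validated name quoted as an identifier, and bind_param() reserved for the values it is designed for. The table names in ALLOWED_MODULES, the optional id filter, and the reuse of the question's connection variables are assumptions.

```php
<?php
// Added example, not from the original question or answer.
// Assumes the connection variables $hostbd, $usuariobd, $senhabd, $bancobd
// from the question, and a set of module tables that are assumed names.

// Allowlist of tables this page may query; anything else is rejected outright.
const ALLOWED_MODULES = ['noticias', 'eventos', 'produtos'];

/**
 * Return the table name for the requested module, or null if it is not allowed.
 * The value is compared strictly against the fixed list, so no escaping of
 * user input is involved and no other table can be reached through $_GET.
 */
function moduleTable(array $get): ?string
{
    $modulo = $get['modulo'] ?? '';
    return in_array($modulo, ALLOWED_MODULES, true) ? $modulo : null;
}

/**
 * Fetch rows from an allowlisted table, optionally only those with id > $minId.
 * The identifier is interpolated (it came from the allowlist, never from the
 * request); the numeric filter is a real value and is bound with bind_param().
 */
function fetchModuleRows(mysqli $mysqli, string $table, ?int $minId = null): array
{
    $sql = 'SELECT * FROM `' . $table . '`';
    if ($minId !== null) {
        $sql .= ' WHERE `id` > ?';
    }
    $sql .= ' ORDER BY `id` DESC';

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        // prepare() returns false on a syntax error; checking for it avoids the
        // "Call to a member function bind_param() on a non-object" fatal error.
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    if ($minId !== null) {
        $stmt->bind_param('i', $minId);
    }
    $stmt->execute();
    $result = $stmt->get_result();          // requires the mysqlnd driver
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$mysqli = new mysqli($hostbd, $usuariobd, $senhabd, $bancobd);
if ($mysqli->connect_errno) {
    die('Database connection failed: ' . $mysqli->connect_error);
}

$table = moduleTable($_GET);
if ($table === null) {
    http_response_code(400);
    exit('Unknown module');
}

$registros = fetchModuleRows($mysqli, $table);
if (count($registros) < 1) {
    echo "resultado";
}
```

With this structure a request such as ?modulo=usuarios (assumed name) is rejected with a 400 before any SQL is built, and the only table names that can ever appear in a query are the ones written in ALLOWED_MODULES. If the set of modules lives in the database rather than in code, load it once into the same kind of list and validate against that; the point is that the identifier is chosen from data the application owns, not copied from the request.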
