pb PHP using mysql prepare statement

[fomalhaut]

Hello.

I want use prepare statement for a mysql insert statement but I have the following error :
Parse error: syntax error, unexpected ':' in C:\xampp\htdocs\fomalhaut\gesUtil.php on line 2
I don't understand really how do I link this $dbh with my database which would already connected ?!

PHP Code:

<?php session_start(); 
  $ins = $dbh->prepare("INSERT INTO ayant-droit (utilisateur, upass, service, creation, limite, RV) VALUES(?, ?, ?, ?, ?, ?)");
  $ins->bindParam(1, $utilAGerer);
  $ins->bindParam(2, $paAgerer1);
  
  $ins->bindParam(3, $servAGerer);
  $ins->bindParam(4, $creDateAGerer);
  $ins->bindParam(5, $revDateAGerer);
  $ins->bindParam(6, $RV);
?>
   <html><head><title>Gestion du mot de passe</title>
<link rel=stylesheet href="Fomalhaut.css" type="text/css">
</head>
<body>
<div class="flot"><center>
<form action="gesUtil.php" method="post">
<fieldset><legend>Cr&eacute;ation d'un utilisateur</legend>
Utilisateur :<br /><input type="text" name="utilAGerer" maxlength="15" value="<?php echo $utilAGerer; ?>" /><br />
Mot de Passe :<br /><input type="password" name="passAGerer1" maxlength="15" /><br />
V&eacute;rification du Mot de Passe :<br /><input type="password" name="passAGerer2" maxlength="15" /><br />
Service :<br /><input type="text" name="servAGerer" maxlength="3" value="000" /><br />
Date de cr&eacute;ation :<br /><input type="text" name="creDateAGerer" maxlength="19" value="<?php echo date("Y-m-d H:i:s"); ?>" /><br />
Date de r&eacute;vocation :<br /><input type="text" name="revDateAGerer" maxlength="19" value="<?php echo "2032-12-31 23:59:59" ?>" /><br />
<input type="submit" name="submit" />
</fieldset>
</form></center>
</div>
<?php
$ut=$_SESSION['util'];   // le nom de l'utilisateur est passé de page en page par $_SESSION['util']
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {

//This makes sure they did not leave any fields blank
if (!$_POST['utilAGerer'] | !safe($_POST['passAGerer1']) | !safe($_POST['passAGerer2']) | !$_POST['servAGerer'] | !$_POST['creDateAGerer'] | !$_POST['revDateAGerer']) {
  die('Il faut remplir tous les champs !');  }
$utilAGerer = $_POST['utilAGerer'];  
$paAGerer1 = safe($_POST['passAGerer1']);
$paAGerer2 = safe($_POST['passAGerer2']);
$servAGerer = $_POST['servAGerer'];
$creDateAGerer = $_POST['creDateAGerer'];
$revDateAGerer = $_POST['revDateAGerer'];

// this makes sure both passwords entered match
  if ($paAGerer1 != $paAGerer2) {
    die('Vous devez entrer deux fois le <b>m&ecirc;me nouveau mot de passe</b> !');  }

//on se connecte à la database
$con = mysql_connect("localhost", "user**", "pw**");
$db  = "jyc_ayantdroit";
if (!$con) {die('Connection impossible : ' . mysql_error());}
mysql_select_db($db, $con);

// on regarde si l'utilisateur à gérer existe
$check = mysql_query("SELECT * FROM ayant_droit WHERE utilisateur = '" . $utilAGerer . "'")
or die(mysql_error());
$check2 = mysql_num_rows($check);

//si l'utilisateur n'existe pas, on le crée
if ($check2 = 0) {
  $RV = rand(******);
  $passtowrite = hash('******', $RV . $utilAGerer . $paAGerer1);
  $ins->execute();
  echo 'Cr&eacute;ation effectu&eacute;e';
}
else {
  echo ('maj non encore d&eacute;velopp&eacute;e&nbsp;: seulement pour cr&eacute;ation nouveaux utilisateurs.');
}

}
?>
<br /><a href="index.php">Retour au menu</a>
</body>
</html>

Thank you for your help.

[descalzo]

1.

PHP Code:

session_start(); 
  $ins = $dbh->prepare("INSERT INTO ayant-droit (utilisateur, upass, service, creation, limite, RV) VALUES(?, ?, ?, ?, ?, ?)");
 
.....
 
  $con = mysql_connect("localhost", "user**", "pw**");
$db  = "jyc_ayantdroit";
if (!$con) {die('Connection impossible : ' . mysql_error());}
mysql_select_db($db, $con); 


Where does $dbh come from, especially if you are connecting to the DB later on?

2. And I think you changed something between the error and posting here.

Parse error: syntax error, unexpected ':' in C:\xampp\htdocs\fomalhaut\gesUtil.php on line 2

There is no ':' even close to line 2 and when I cut a paste your code, that parse error does not occur.

Hmmmmmmmm.. Wild guess. 'gesUtil.php' is a file you include, but you did not show the include in what you posted. And gesUtil.php is where you get $dbh. And there is probably a ':' in the first couple of lines of gesUtil.php which is unexpected because there is a missing { or ( or " .

[misson]

And there is probably a ':' in the first couple of lines of gesUtil.php which is unexpected because there is a missing { or ( or " .

Further guess: there's a colon rather than a semicolon at the end of the line.

PHP Code:

<?php session_start(); 
  $ins = $dbh->prepare("INSERT INTO ayant-droit (utilisateur, upass, service, creation, limite, RV) VALUES(?, ?, ?, ?, ?, ?)");
  $ins->bindParam(1, $utilAGerer);
  $ins->bindParam(2, $paAgerer1);
  
  $ins->bindParam(3, $servAGerer);
  $ins->bindParam(4, $creDateAGerer);
  $ins->bindParam(5, $revDateAGerer);
  $ins->bindParam(6, $RV);
?>

At this point, none of the variables you're binding params to (e.g. $utilAGerer) are defined. Either move these lines after you set the variables or pass the values to PDO::execute (which you seem to be using):

PHP Code:

$ins->execute(array($utilAGerer, $paAgerer1, $servAGerer, $creDateAGerer, $revDateAGerer, $RV)); 


PHP Code:

<?php 
...
//on se connecte à la database
$con = mysql_connect("localhost", "user**", "pw**");
$db  = "jyc_ayantdroit";
if (!$con) {die('Connection impossible : ' . mysql_error());}
mysql_select_db($db, $con);

// on regarde si l'utilisateur à gérer existe
$check = mysql_query("SELECT * FROM ayant_droit WHERE utilisateur = '" . $utilAGerer . "'")
or die(mysql_error());

Don't neglect to prepare this query using the same connection you used for the INSERT.

There should be only one line in one script that's responsible for creating a DB connection. The more scripts contain user credentials, the more files there are for you to secure and the greater chance of typos screwing things up. Reduce critical code repetition.

die() is a bad choice, both here and when you test that all user input is defined. Use an "if {...} else {...}" statement or exceptions. You can configure PDO to throw exceptions when errors occur:

PHP Code:

$dbh = new PDO("mysql:host=localhost;dbname=$dbname", 'username', 'password');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 


[fomalhaut]

Hello

I'm very ashamed of myself, sheepish, and confused !!!! :dunno:

The error message I gave was not the one corresponding to the code I joined !

Sorry...

There is no ':' even close to line 2 and when I cut a paste your code, that parse error does not occur.

Descalzo, you're right ! this isn't the good message ! The real message was :

Fatal error: Call to a member function prepare() on a non-object in C:\xampp\htdocs\fomalhaut\gesUtil.php on line 2

However, I've not poured down too much whisky in my milk, that morning ! :drool:

But this is now resolved :

I had misplaced the db connect, which was bad written !

I've write it now before the "prepare" statement, with your example, Misson... and of course, that works fine !!!

I thought the dbconnect made in the previous php file was enough !

Delcazo, Misson, thank you very much again and forgive me for my drivel !