0

I am trying to figure out why this won't work. I had it working with adding just one entry off of the form, and then I added email and it broke it. Also, is this safe from SQL injection? Here is the error message:

ERROR: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

Here is my code for insert.php:

<?php 

try {
$conn = new PDO('mysql:host=localhost;dbname=info', 'blah', 'test');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('INSERT INTO people (name, email) VALUES (:name, :email)');
$stmt->bindParam(':name', $POST_['name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->execute(array(':name' => $_POST['name']));
$stmt->execute(array(':email' => $_POST['email']));
#If one or more rows were returned...

} catch(PDOException $e){
    echo'ERROR: ' . $e->getMessage();
}

?>

Here is the working code if I am inserting only one value from the form:

<?php 

try {
$conn = new PDO('mysql:host=localhost;dbname=encorem2_info', 'encorem2', 'Yamaha!32088!');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('INSERT INTO people (name) VALUES (:name)');

$stmt->execute(array(':name' => $_POST['name']));

#If one or more rows were returned...

} catch(PDOException $e){
    echo'ERROR: ' . $e->getMessage();
}

?>

Here is my html code in separate file:

<!DOCTYPE html>

<html>
    <head>
        <title>Welcome!</title>

    </head>
    <body>

<form action="insert.php" method="post">
Name: <input type="text" name="name" id="name" />
Email: <input type="text" name="email" id="email"/>
<input type="submit" />
</form>

    </body>

</html>
2
  • What happens if you remove the bindParams? (Commented Oct 31, 2012 at 2:16)
  • Same thing. I have been trying several different methods but still no luck. (Commented Oct 31, 2012 at 2:17)

3 Answers

2

Bind both params when you execute and skip the separate bindParam() calls.

$stmt->bindParam(':name', $POST_['name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->execute(array(':name' => $_POST['name']));
$stmt->execute(array(':email' => $_POST['email']));

should just be

$stmt->execute(array(':name' => $_POST['name'], ':email' => $_POST['email']));

0

Actually there is no reason to pass anything to execute when you have already bound the parameters individually. Just call

$stmt->execute();

after your bindParam calls.


0

You need to pass your data in either the bindParam OR execute. It'd be simpler to replace

$stmt->bindParam(':name', $POST_['name']);
$stmt->bindParam(':email', $_POST['email']);
$stmt->execute(array(':name' => $_POST['name']));
$stmt->execute(array(':email' => $_POST['email']));

with

$stmt->execute(array(':name' => $_POST['name'],':email' => $_POST['email']));
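
The single execute() call the answers recommend, as an added example that is not part of the original posts; it also shows what the question's SQL injection concern looks like in practice, with a hostile-looking name ending up as column data rather than SQL. Assumptions: an in-memory SQLite database (pdo_sqlite) stands in for the page's MySQL connection so the script runs offline, insert_person() is a hypothetical helper, and the sample inputs are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the page's MySQL database (assumption).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Hypothetical helper: inserts one row, supplying a value for every placeholder in one execute().
function insert_person(PDO $conn, array $post): int
{
    // Reject missing, empty or non-string fields before touching the database.
    foreach (['name', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    $stmt = $conn->prepare('INSERT INTO people (name, email) VALUES (:name, :email)');
    // Two placeholders in the SQL, two values in the array, one execute() call.
    $stmt->execute([':name' => $post['name'], ':email' => $post['email']]);
    return (int) $conn->lastInsertId();
}

// Constructed sample input, shaped like $_POST from the form on the page.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.com'],
    ['name' => "x', 'y'); DROP TABLE people; --", 'email' => 'bob@example.com'],
    ['name' => 'Carol'], // email field missing
];

foreach ($samples as $post) {
    try {
        $id = insert_person($conn, $post);
        echo "inserted row $id\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}

// The quote characters and SQL keywords were stored as data; the table is intact.
foreach ($conn->query('SELECT id, name, email FROM people') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['name'], $row['email']);
}
```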
