This question already has an answer here:
I'm trying to prevent SQL injection using PDO, but I can't seem to connect. This is the working version - not SQL injection safe:
<html>
<head>
<title>Insert data into database</title>
</head>
<body>
<?php
session_start();
$_SESSION['name'] = $_POST['name'];
// Connect to database server
mysql_connect("localhost", "********", "********") or die(mysql_error());
// Select database
mysql_select_db("mydatabase") or die(mysql_error());
// The SQL statement is built
$strSQL = "INSERT INTO mytable(name) VALUES('" . $_POST["name"] . "')";
// The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());
// Close the database connection
mysql_close();
echo "Your name is " . $_POST["name"] ;
?>
</body>
</html>
This is working just fine. I read these pages on how to use PDO to protect against SQL injection attacks:
http://www.w3schools.com/php/php_mysql_connect.asp
http://www.w3schools.com/sql/sql_injection.asp
and wrote the following code following the guideline:
<html>
<head>
<title>Insert data into database</title>
</head>
<body>
<?php
session_start();
$_SESSION['name'] = $_POST['name'];
$servername = "localhost";
$username = "********";
$password = "********";
try {
$conn = new PDO("mysql:host=$servername, dbname=mydatabase", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully";
}
catch(PDOException $e)
{
echo "Connection failed: " . $e->getMessage();
}
echo "You have connected to the database server with PDO"
// The SQL statement is built
$stmt = $dbh->prepare("INSERT INTO mytable (name)
VALUES (:name)");
$stmt->bindParam(':name', $_POST['name']);
$stmt->execute();
// Close the database connection
mysql_close();
echo "Your name is " . $_POST["name"] ;
?>
</body>
</html>
But this code just gives me a blank page - no error message and nothing inserted into the database.
I also tried doing the connection as described in
http://www.stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
but the result was the same - a blank page without error messages.
What am I doing wrong?
</div>
You're using the wrong variable for $stmt = $dbh->prepare
which should be $conn and not $dbh as per your connection.
Having used error reporting, would have signabled an undefined variable dbh notice/warning.
You also can't use mysql_close(); with PDO as you are mixing APIs, which you can't do.
See Example #3 Closing a connection of "Connections and Connection" in the manual http://php.net/manual/en/pdo.connections.php
Another thing session_start(); is best to be above anything. You may be outputting before header.
Edit: You forgot a semi-colon in this line:
echo "You have connected to the database server with PDO"
which should read as
echo "You have connected to the database server with PDO";
which will break your code.
Error reporting would also have caught that syntax/parse error.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.