Insert Query Not Working


public function actionSavesearch()
{
	// The search name comes from the GET form; the user id and the query string
	// are read from the session, so the keys used here must match the ones
	// written in the view and in actionLogin.
	$searchresult = Yii::app()->db->createCommand()->insert('usersearch', array(
		'userid'      => $_SESSION['UserID'],
		'queryName'   => $_GET['txtName'],
		'queryString' => $_SESSION['QueryString'],
	));
	$this->redirect($_SESSION['QueryString']);
}




<form id="SaveSearchForm" action="<?php echo Yii::app()->createUrl('site/savesearch'); ?>" onsubmit="return ValidateThisForm();">
	<div class="form" style="padding:0px 0px 0px 25px;width:540px;">
		<div class="errordiv" id="nameError" style="display:none;padding:0px;">Name address already exists.</div>
		<div class="enquiry-text">Search Name</div>
		<div class="enquiry-input-area"><?php echo CHtml::textField('txtName', '', array('class'=>"enquiry-input", 'id'=>"txtName")); ?></div>
		<div class="enquiry-clear" style="padding-bottom:24px;"></div>
		<div class="enquiry-text">&nbsp;</div>
		<?php echo CHtml::imageButton(Yii::app()->request->baseUrl . '/images/submit.gif', array('title'=>"Save my search")); ?>
	</div>
</form>

On clicking Save Search, 21 rows are inserted in the usersearch table with NULLs in the userId and queryString columns. The queryName column gets the correct entry.

Are you sure that $_SESSION['UserID'] and $_SESSION['QueryString'] are defined?

$_SESSION['QueryString'] gets defined in the search view if the user is logged in; otherwise the user is directed to the login page.


<?php if(Yii::app()->user->isGuest==false)
{
	// Logged in: remember the current search URL so actionSavesearch can store it.
	$_SESSION["QueryString"] = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; ?>
	<a class="services" href="<?php echo Yii::app()->createUrl('site/displaysavesearch'); ?>" title="Save your search"><img src="<?php echo Yii::app()->request->baseUrl; ?>/images/save_searches.png" alt="Save your search" /><span style="font-size: 11px; position: relative; top:-3px; margin-left:5px;">Save This Listing</span></a>
<?php }
else
{
	// Guest: keep the last URI segment so actionLogin can redirect back to it.
	// split() is deprecated/removed in newer PHP; explode() does the same job,
	// and end() needs a real variable rather than a function result.
	$parts = explode('/', $_SERVER['REQUEST_URI']);
	$searchurl = end($parts);
	$_SESSION["Search"] = $searchurl; ?>
	<a href="<?php echo Yii::app()->createUrl('site/login'); ?>" title="Save your search"><img src="<?php echo Yii::app()->request->baseUrl; ?>/images/save_searches.png" alt="Save your search" /><span style="font-size: 11px; position: relative; top:-3px; margin-left:5px;">Save This Listing</span></a>
<?php } ?>




and $_SESSION['UserID'] gets defined when the user logs in. In actionLogin:


if(isset($_POST['LoginForm']))
{
	$model->attributes = $_POST['LoginForm'];
	if($model->validate() && $model->login()){
		// Looks the user up again, with the WHERE clause built by string
		// concatenation from raw POST values.
		$query = yii::app()->db->createcommand()->select('userregistration.*')
			->from('userregistration')
			->where("email='".$_POST[LoginForm][email]."' and password='".$_POST[LoginForm][password]."'")
			->query();
		foreach($query as $result){
			// Session key must match the one read in actionSavesearch ("UserID").
			$_SESSION["UserID"] = $result['id'];
		}
		if(isset($_SESSION["Search"]) && $_SESSION["Search"]!= null){
			$this->redirect(array($_SESSION["Search"]));
		}
		else $this->redirect(Yii::app()->user->returnUrl);
	}
}


->where("email='".$_POST[LoginForm][email]."' and password='".$_POST[LoginForm][password]."'")

Is $_POST[LoginForm][email] incorrect syntax?


$model=new LoginForm('login');

if(isset($_POST['LoginForm']))
{

Wow, you’ve got a wide open SQL injection vulnerability there, unless the user name and password are thoroughly restricted in the model. Look into using parameterized queries before you worry about anything else.

Also, the syntax is technically incorrect and will cause PHP errors depending on how your PHP is configured. You should use strings to access the POST array, such as $_POST['LoginForm'].

Edit:

For your information, setting up a parameterized query might look something like this:




    $query = yii::app()->db->createcommand()
        ->select('userregistration.*')
        ->from('userregistration')
        ->where('email=:email and password=:password')
        ->params(array(
            ':email'=>$_POST['LoginForm']['email'],
            ':password'=>$_POST['LoginForm']['password'],
        ))
        ->query();



I’m getting this error on login

CDbCommand and its behaviors do not have a method or closure named "params".

My mistake, params is a property.

You can pass parameters in as the single argument to query():




$query = Yii::app()->db->createCommand()
        ->select('userregistration.*')
        ->from('userregistration')
        ->where('email=:email and password=:password')
        ->query(array(
            ':email'=>$_POST['LoginForm']['email'],
            ':password'=>$_POST['LoginForm']['password'],
        ));



Slightly cleaner:




$query = Yii::app()->db->createCommand()
        ->select('userregistration.*')
        ->from('userregistration')
        ->where('email=:email and password=:password');

$params = array(
    ':email'=>$_POST['LoginForm']['email'],
    ':password'=>$_POST['LoginForm']['password'],
);

$query->query($params);



or:




$query = Yii::app()->db->createCommand()
        ->select('userregistration.*')
        ->from('userregistration')
        ->where('email=:email and password=:password');

$query->params = array(
    ':email'=>$_POST['LoginForm']['email'],
    ':password'=>$_POST['LoginForm']['password'],
);

$query->query();



Keep Posting
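As an added illustration of the parameterized form recommended in this thread (not code from the thread or from Yii itself), here is the same email/password lookup written directly against PDO, which CDbCommand wraps, using an in-memory SQLite table with constructed rows. The apostrophe in the second constructed input is ordinary user data that breaks the concatenated query but is handled correctly by bound parameters.

```php
<?php
// Added example: throw-away SQLite table standing in for userregistration.
// Storing a plaintext password column mirrors the thread's schema only; real
// systems store a password hash and never compare passwords inside SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userregistration (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$db->exec("INSERT INTO userregistration (email, password) VALUES ('alice@example.com', 'secret')");

// Constructed inputs; the second email contains an apostrophe.
$inputs = array(
    array('alice@example.com', 'secret'),
    array("o'brien@example.com", 'secret'),
);

function findUserConcatenated(PDO $db, $email, $password) {
    // The thread's original pattern: values spliced into the SQL text, so the
    // database parses whatever the user typed as part of the query.
    $sql = "SELECT * FROM userregistration WHERE email='" . $email
         . "' AND password='" . $password . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

function findUserParameterized(PDO $db, $email, $password) {
    // Placeholders are bound separately from the SQL text; this is what
    // ->where('email=:email and password=:password') plus a params array
    // does inside CDbCommand.
    $stmt = $db->prepare('SELECT * FROM userregistration WHERE email=:email AND password=:password');
    $stmt->execute(array(':email' => $email, ':password' => $password));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

foreach ($inputs as list($email, $password)) {
    try {
        $row = findUserConcatenated($db, $email, $password);
        echo "concatenated:  " . ($row ? "found id {$row['id']}" : "no match") . "\n";
    } catch (PDOException $e) {
        // The apostrophe case ends up here: a legitimate input is a SQL syntax error.
        echo "concatenated:  query failed for {$email}: " . $e->getMessage() . "\n";
    }
    $row = findUserParameterized($db, $email, $password);
    echo "parameterized: " . ($row ? "found id {$row['id']}" : "no match") . "\n";
}
```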