I have a static chat application using php and mysql, here's the code to display the messages in the chat box
$sql="SELECT id,msg,time,msg.from,msg.to from ms
You're not using bind_param, as per the prepared statement paradigm.
In your select:
$sql = "SELECT id,msg,time,msg.from,msg.to
FROM msg
WHERE msg.from IN (?, ?)
AND msg.to IN (?, ?)
ORDER BY time";
$ex = $conn->prepare($sql);
// bind_param() is called once, with one type character per "?" placeholder
// and the matching variables in the same order (four "s" for four strings)
$ex->bind_param("ssss", $_SESSION["username"], $_SESSION["tousermessage"], $_SESSION["username"], $_SESSION["tousermessage"]);
$ex->execute();
And in your update:
$sql = "UPDATE msg
SET readmsg=1
WHERE id = ?
AND msg = ?";
$ex1 = $conn->prepare($sql);
// "i" binds the id as an integer, "s" binds the message text as a string
$ex1->bind_param("is", $result['id'], $result["msg"]);
$ex1->execute();
The above allows your prepared statement to accept parameters in the parameterized string format (using "?" to represent a param), and to accept params with type information, via the bind_param() method.
This allows the DB engine to properly cast and escape params prior to executing your query.
There's no point using prepared statements if you're not binding params, which is probably why you're getting that warning.
On a side note, concatenation of queries (as you're doing above) is a very bad habit - it opens you up to SQL Injection.
See the docs for more info on prepared statements:
http://php.net/manual/en/mysqli-stmt.prepare.php
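To make the point concrete, here is an added example (not the answerer's or the original poster's code) that wraps the select and the update from the answer in two helper functions, with the concatenated form shown beside them for contrast. It assumes the table layout implied by the question (msg with columns id, msg, time, from, to, readmsg), an existing mysqli connection in $conn, and the mysqlnd driver for get_result(); the function names fetchConversation, markRead and unsafeQuery are made up for this example.

```php
<?php
// Added example, not code from the original post. Assumes a table
// msg(id, msg, time, from, to, readmsg) and an open mysqli connection.

function fetchConversation(mysqli $conn, string $me, string $other): array
{
    // One "?" per value. bind_param() is called ONCE with one type character
    // per placeholder and the same number of variables, in placeholder order.
    // The values travel separately from the SQL text, so a quote or comment
    // sequence inside $me or $other cannot alter the statement.
    $sql = "SELECT id, msg, time, msg.from, msg.to
            FROM msg
            WHERE msg.from IN (?, ?)
              AND msg.to   IN (?, ?)
            ORDER BY time";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        // A failed prepare usually means a typo in the SQL or a missing column.
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("ssss", $me, $other, $me, $other);
    $stmt->execute();

    // get_result() requires mysqlnd; with the libmysql driver use bind_result() instead.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

function markRead(mysqli $conn, int $id): void
{
    // "i" tells the driver to send the value as an integer, so no quoting is involved.
    $stmt = $conn->prepare("UPDATE msg SET readmsg = 1 WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->close();
}

// For contrast: the concatenated form the answer warns against. A single
// quote character in $other terminates the string literal early, and whatever
// follows it is parsed as SQL rather than as data. Shown only to illustrate
// the difference; do not use this pattern.
function unsafeQuery(string $me, string $other): string
{
    return "SELECT id, msg FROM msg WHERE msg.from = '$me' AND msg.to = '$other'";
}

// Usage, assuming $conn = new mysqli(...) has already been created:
// foreach (fetchConversation($conn, $_SESSION["username"], $_SESSION["tousermessage"]) as $row) {
//     // Escape on output as well, since message text is user-controlled.
//     echo htmlspecialchars($row["msg"], ENT_QUOTES, "UTF-8"), "\n";
//     markRead($conn, (int) $row["id"]);
// }
```

The update helper binds only the id, because id is already the primary key and the extra `msg = ?` condition in the answer's update adds nothing to the row selection; keep it if the original code relied on it for some other reason.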