I am trying to create an update query and I am looping in some set stuff to a var called $str and I cant seem to get it to work.
if (is_numeric($id)) {
if (!empty($values) && !empty($table_name)) {
$str = '';
$sql = "UPDATE `$table_name` SET :update_values WHERE `$column_name` = :id";
// Its one because we dont use ID like that
$i = 1;
foreach ($values as $key => $value) {
if ($key != $column_name) {
// Exclude the last one from having a comma at the end
if ($i == count($values) - 1) {
$str .= "$key='" . $value . "'";
} else {
$str .= "$key='" . $value . "', ";
$i++;
}
}
}
$query = $this->dbh->prepare($sql);
$query->bindValue('update_values', $str, PDO::PARAM_STR);
$query->bindValue(':id', $id, PDO::PARAM_INT);
$query->execute();
return true;
} else {
return false;
}
} else{
return false;
}
}
Output:
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or
access violation: 1064 You have an error in your SQL syntax; check the
manual that corresponds to your MariaDB server version for the right
syntax to use near ''note_name=\'yeet\', note_date=\'2020-02-20\',
note_desc=\'asdasdasdasdadsasdads' at line 1
Am I making any obvious mistakes?
Also for the life of me I don't know what the backslashes in front of the values mean.
In MySQL, identifiers cannot be provided as values.
References to columns must appear in the text of the SQL statement, they cannot be provided through bind parameters. This holds true for table names, column names, function names.
There is no workaround; this is a by-design restriction. There's several reasons for this. One of the most straightforward reasons is understanding how a SQL statement gets prepared, the information that is needed to come up with an execution plan, the tables and columns have to be known at prepare time (for the semantic check and privilege check. The actual values can be deferred to execution time.
Bind placeholders are for providing values, not identifiers.
With the code given, what MySQL is seeing something along the lines of
UPDATE `mytable` SET 'a string value' WHERE `id_col` = 42
And MySQL is balking at the 'a string value'.
We can (and should) use bind parameters for values.
We could dynamically generate SQL text that looks like this:
UPDATE `mytable`
SET `col_one` = :val1
, `col_two` = :val2
WHERE `id_col` = :id
and after the SQL text is prepared into statement, we can bind values:
$sth->bindValue(':val1', $value_one , PDO::PARAM_STR );
$sth->bindValue(':val2', $value_two , PDO::PARAM_STR );
$sth->bindValue(':id' , $id , PDO::PARAM_INT );
and then execute
Related
In the below code, I am attempting to take three form variables ($nps,$sch,$joint) and an id ($weld_id) and insert them into an UPDATE query. The problem is that I get $stmt->error "No data supplied for parameters in prepared statement."
When I cast the id of the row as "i". The weird thing is that the statement will execute error free if I put single quotes around the last question mark and cast as 's', however, the actual database row will not update. The function on row 3 does NOT use prepared statements to select the current values for this row in the database.
I have var_dumped all variables, copied them and successfuly run the query on MySQL workbench. I am out of ideas, please help.
$weld = mysqli_real_escape_string($db,$_POST['id']);
$weld = single_weld_query($db,$weld);
if(isset($_POST['edit_weld_parameters'])){
// Query to update 3 parameters on database entry where id = N
$stmt = $db->prepare("UPDATE `welds` SET `size` = '?' , `sch` = '?' , `joint` = '?' WHERE `id` = ?;");
$stmt->bind_param("sssi", $nps, $sch, $joint, $weld_id);
$nps = isset($_POST['size'])? mysqli_real_escape_string($db,$_POST['size']): $weld['size'];
$sch = isset($_POST['sch'])? mysqli_real_escape_string($db,$_POST['sch']): $weld['sch'];
$joint = isset($_POST['joint'])? mysqli_real_escape_string($db,$_POST['joint']): $weld['joint'];
$nps = (strlen($nps) and in_array($nps,$pipe_obj->sizes))? $nps: $weld['size'];
$sch = (strlen($sch) and in_array($sch,$pipe_obj->schedules))? $sch: $weld['sch'];
$joint = (strlen($joint) and in_array(strtoupper($joint),$pipe_obj->joint_types))? $joint: $weld['joint'];
$weld_id = $weld['id'];
if($stmt->execute()){
echo $weld['weld_number'].' parameters edited.';
}else{
echo $stmt->error;
}
}else{
echo 'ERROR: Form failure.';
}
You're using prepared statements with placeholder values, which is great, but you're also escaping things, which is bad. That ends up double-escaping them. Leave the escaping up to the driver, use placeholder values, and you'll be fine:
if (isset($_POST['edit_weld_parameters'])) {
// Query to update 3 parameters on database entry where id = N
$stmt = $db->prepare("UPDATE `welds` SET `size` = ? , `sch` = ? , `joint` = ? WHERE `id` = ?;");
$stmt->bind_param("sssi",
isset($_POST['size']) ? $_POST['size'] : $weld['size'],
isset($_POST['sch']) ? $_POST['sch'] : $weld['sch'],
isset($_POST['joint'])? $db,$_POST['joint'] : $weld['joint'],
$weld['id']
);
if ($stmt->execute()) {
echo $weld['weld_number'].' parameters edited.';
}
else {
echo $stmt->error;
}
}
else {
echo 'ERROR: Form failure.';
}
There's other code you'll need to wrangle in there, you're doing some very odd things to validate those after the fact, but try and stick with this general pattern.
Let the driver do the work. Do not put '?' in your query. Do not inline strings with interpolation. Don't escape anything that's already a placeholder value. Do try and keep your logic clean and obvious.
I'm trying to bind a search term and a limit value to a PDO execute query, but I get error messages no matter which way I do it
public static function searchUsersByName($searchTerm, $results = null) {
//getDBConnection
if($results == null) {
$results = 5;
}
$searchTerm = '%'.$searchTerm.'%';
$query = $database->prepare("SELECT user_id, user_firstname, user_lastname
FROM users_details
WHERE user_firstname LIKE :searchTerm
OR user_lastname LIKE :searchTerm
LIMIT :results");
$query->bindParam(':searchTerm', $searchTerm, PDO::PARAM_STR);
$query->bindParam(':results', $results, PDO::PARAM_INT);
$query->execute();
$search_results = array();
foreach ($query->fetchAll() as $user) {
$search_results[$user->user_id] = new stdClass();
$search_results[$user->user_id]->user_id = $user->user_id;
$search_results[$user->user_id]->user_firstname = $user->user_firstname;
$search_results[$user->user_id]->user_lastname = $user->user_lastname;
}
return $search_results;
}
This is the error I get from this:
PDOStatement::execute(): SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "5"
It works fine if I take out the bind for LIMIT and just hardcode 5 into the SQL query, but I want to be able to change it if possible
$query->execute(array(':searchTerm' => '%'.$searchTerm.'%', ':results' => $results));
I've tried doing it this way, but of course PDO automatically puts quotes around the values its inserting via this method, and as far as I know you can't put a PDO::PARAM_INT in while using this method.
What am I doing wrong?
Could it be that $results is not an integer? The error seems like your PHP code is posting a string into the query, which would explain the error.
I am guessing this is the issue because of the following piece of code
if($results == null) {
$results = 5;
}
How is $results set in the first place? Via GET/POST? Then it might have been converted to a string.
I've tried your piece of code myself and casting it to an int fixed it for me.
$query->bindParam(':results', intval($results), PDO::PARAM_INT);
Is there a way to handle multiple result sets from a single prepared query when the result sets have different columns?
I have a procedure like this:
CREATE PROCEDURE usp_CountAndList (in_SomeValue int)
BEGIN
SELECT COUNT(*) AS ListCount FROM Table WHERE SomeValue = in_SomeValue;
SELECT
Name, Cost, Text
FROM Table WHERE SomeValue = in_SomeValue
ORDER BY
Name
LIMIT 25;
END
And my PHP code looks like this:
$some_value = $_POST["SomeValue"];
if($some_value != null) {
$dbh = mysqli_connect(...connection stuff...) or die ('I cannot connect to the database.');
$query = $dbh->prepare("CALL usp_CountAndList( ? );");
$query->bind_param("i", $some_value);
if($query->execute() == true) {
$meta = $query->result_metadata();
$fields = $meta->fetch_fields();
var_dump($fields);
$query->store_result();
$query->bind_result($list_count);
while($query->fetch()) {
print_r("<TR>");
print_r("<TD>" . $list_count ."</TD>");
print_r("</TR>\n");
}
$query->free_result();
$dbh->next_result();
$meta = $query->result_metadata();
$fields = $meta->fetch_fields();
var_dump($fields);
$query->store_result();
$query->bind_result($name, $cost, $text);
while($query->fetch()) {
print_r("<TR>");
print_r("<TD>" . $name . "</TD>");
print_r("</TR>\n");
}
$query->free_result();
$dbh->next_result();
}
else {
print_r("Query failed: " . $query->error . "<BR>\n");
exit(0);
}
$query->close();
$dbh->close();
}
The issue I'm running into is that it looks like I'm getting the same meta-data for the second result set, even though it is returning a completely different set of columns, which means that my second bind_result call results in the following error:
PHP Warning: mysqli_stmt::bind_result() [<a href='mysqli-stmt.bind-result'>mysqli-stmt.bind-result</a>]: Number of bind variables doesn't match number of fields in prepared statement
I've banged my head against this for a while and am just not clear on what I'm doing wrong...it almost seems like a mysqli bug. Does anyone have some example code to show how to do what I'm attempting?
Basically there are a few requirements to make this work properly...
MYSQL 5.5.3 or higher
PHP 5.3 for mysqlnd support
This is a compile time setting so if you are using shared hosting you probably cannot change this.
Basically in your example, use $query->next_result() instead of $dbh->next_result().
mysqli_stmt::next_result
I've only found one SO example of some else attempting to do this.
I am having a syntax error with an sql statement I am executing but for the life of me I can't find any error.
I have created my own database class with functionality to make prepared statements and execute them, I don't think there is a problem with my implementation as I have never had any issues with it before now. But, just in case there is a problem there I am going to show the code for that too.
Prepare:
public function prepare($index, $sql) {
if(isset(self::$PS[$index])){
$ermsg = "Index [$index] is already in use.";
throw new Exception($ermsg, 1);
}
try{
self::$PS[$index] = $this->dbh->prepare($sql);
}
catch(PDOException $e){
return false;
}
return true;
}
and execute:
public function execute($index, Array $param = array()) {
if(!isset(self::$PS[$index])){
$ermsg = "Index [$index] is unavailable.";
throw new Exception($ermsg, 1);
}
foreach($param as $key => $val){
if(is_int($key)) ++$key;
$type = $this->getValueType($val);
$bnd = self::$PS[$index]->bindValue($key, $val, $type);
if(!$bnd){
$ermsg = "Paramater '$key' in [$index] failed to bind";
throw new Exception($ermsg, 2);
}
}
try{
$bnd = self::$PS[$index]->execute();
}
catch(PDOException $e){
$ermsg = "PDO-Error while executing prepared statement [$index] ".$e->getMessage();
throw new Exception($ermsg, 3);
}
if($bnd === false){
$ermsg = "Result error in prepared statement [$index]";
throw new Exception($ermsg, 3);
}
return self::$PS[$index];
}
As I mentioned, I have never experienced issues using this so I don't think it's the problem, but who knows.
Now my implementation:
$sql = "INSERT INTO ratings (course_id, overall, design, condition, service, value, rated_by, date_rated)
VALUES (:course_id, :overall, :design, :condition, :service, :value, :rated_by, now()))";
DBH::getInstance()->prepare('rateit', $sql);
$stmt = DBH::getInstance()->execute('rateit', array(
":course_id"=>$course_id,
":overall"=>$overall,
":design"=>$design,
":condition"=>$condition,
":service"=>$service,
":value"=>$value,
":rated_by"=>$log_user_id
));
}
if($stmt) {
echo 'suc, Thanks! Your ratings have been added to the course.';
exit();
}else{
echo 'err, There was an error rating the course. Please try again later';
exit();
}
This is the exact syntax error message I receive:
Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'condition, service, value, rated_by, date_rated) VALUES (1, 5, 5, 5, 5, 3, '18',' at line 1'
If someone can spot my syntax error, or maybe find something else wrong that would be causing this that would be awesome. Thanks for any help.
Condition is a reserved word in MySQL. That could be it.
According to 9.2 Schema Object Names, to use reserved words as identifiers they must be quoted. Use backticks or, with enabled ANSI_QUOTES SQL mode, double quotation marks. Quoting is not necessary if the reserved word follows a period in a qualified name.
$sql = "INSERT INTO ratings (course_id, overall, design, condition, service, value, rated_by, date_rated)
VALUES (:course_id, :overall, :design, :condition, :service, :value, :rated_by, now()))";
Should be:
$sql = "INSERT INTO ratings (course_id, overall, design, `condition`, service, value, rated_by, date_rated)
VALUES (:course_id, :overall, :design, :condition, :service, :value, :rated_by, now())";
Condition is a reserved word in MySQL. You should always use backticks ("`") in `table` and `column` names to avoid errors like that. Also looks like you have an extra ) at the end of the sql query
List of Reserved Words
I'm getting the following errors when trying to loop through an array on my server to bind statements with PDO:
"Only variables can be passed by reference"
or
"Cannot pass parameter 2 by reference pdo"
Works fine on my local XAMPP.
Code:
$sql = rest of sql query etc.
$loop = 1;
foreach ($animal_array $ani)
{
if ($loop == 1) {$sql .= " WHERE animal.id= :animal_id".$loop; }
else {$sql .= " OR animal.id= :animal_id".$loop;}
$loop++;
}
$stmt = $crud->db->prepare($sql);
$loop = 1;
foreach ($animal_array as $ani)
{
$stmt->bindParam(':animal_id'.$loop, $ani['animal_id'], PDO::PARAM_STR);
$loop++;
}
Also tried this at the end as I read somewhere that concatonations sometimes aren't liked:
foreach ($animal_array as $ani)
{
$ref = ":animal_id".$loop;
$stmt->bindParam($ref, $ani['animal_id'], PDO::PARAM_STR);
$loop++;
}
.
EDIT:
The array contains other values, sort of like this:
$animal_array['animal_id'];
$animal_array['name'];
$animal_array['colour'];
$animal_array['quantity']; etc
You ought to use bindValue for pure input parameters. The bindParam method is reserved for binding variables which can be used as input but also return query results (output).
Though that doesn't explain your issue. But we don't know what your array contains.
It's not the key generation / concatenation for sure.
It feels like you're overcomplicating matters... why not just pass the array to execute directly:
$sql .= 'WHERE animal.id IN ('
. '?'.str_repeat(',?', count($animal_array['animal_id'])-1)
. ')';
$qry = $crud->db->prepare($sql);
$qry->execute($animal_array['animal_id']);