inserting HTML with PDO - php

I am currently undergoing the process of converting my code from MySQL to PDO; however, I am having an issue passing a variable. I have edited the content of the variable to give you an idea of exactly what is happening.
$status = 'Pending';
$stmt = $db->prepare("INSERT INTO
cusbuilder_sites(userid,name,imgurl,url,explain,status,incustom) VALUES
(:userid,:campname,:imgurl,:targeturl,:explain,:status,:incustom)");
$explain = '<p>Testing Input</p>';
$stmt->bindParam(':userid', $username);
$stmt->bindParam(':campname', $_POST['campname']);
$stmt->bindParam(':imgurl', $_POST['imgurl']);
$stmt->bindParam(':targeturl', $_POST['targeturl']);
$stmt->bindValue(':explain', $explain, PDO::PARAM_STR);
$stmt->bindParam(':status', $status);
$stmt->bindParam(':incustom', $_POST['incustom']);
$stmt->execute();
Now this is the error I am getting:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'explain,status,incustom) VALUES ('myuserid','testing12','http://testingsite.com' at line 1'
As you can see the $explain variable contains HTML code and when I remove the p tags it works fine but I need it to actually store the HTML in the database as it did with MySQL.
I have read the answers to this question and have checked if magic_quotes or gpc are enabled. They aren't. In my previous code I was using mysql_real_escape_string, which obviously I cannot use in PDO, so I just want to know: how do I pass HTML in a variable and insert it into a database using PDO?
For those who are going to answer 'use bindValue instead of bindParam' you will see I have already done this and the error is the same.

This doesn't have anything to do with HTML. The SQL query itself is invalid. explain is a reserved word. Enclose your identifiers in back-ticks (assuming MySQL, other characters may be used by other databases) to specify them as identifiers:
INSERT INTO `cusbuilder_sites`
(`userid`,`name`,`imgurl`,`url`,`explain`,`status`,`incustom`) VALUES
(:userid,:campname,:imgurl,:targeturl,:explain,:status,:incustom)
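As an added example (not code from the question or from the answer above), here is the question's INSERT with every identifier backtick-quoted, the HTML bound as an ordinary string value, and the stored HTML escaped when it is rendered again. It assumes a `$db` PDO connection to MySQL and a `$username` variable, as in the question; the form fields are read from the `$_POST` array that is passed in.

```php
<?php
// Added example: the question's INSERT with quoted identifiers. Assumes $db is a
// PDO connection to MySQL and $username holds the current user's id, as in the
// question; form fields are read from the $post array with a fallback of ''.
function insertSite(PDO $db, string $username, array $post, string $explain): int
{
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // `explain` is a reserved word in MySQL, so it (and every other column)
    // is wrapped in backticks to mark it as an identifier.
    $sql = 'INSERT INTO `cusbuilder_sites`
            (`userid`, `name`, `imgurl`, `url`, `explain`, `status`, `incustom`)
            VALUES (:userid, :campname, :imgurl, :targeturl, :explain, :status, :incustom)';
    $stmt = $db->prepare($sql);

    // Bound values travel separately from the SQL text, so the angle brackets,
    // quotes and slashes in the HTML never reach the SQL parser.
    $stmt->bindValue(':userid',    $username,                PDO::PARAM_STR);
    $stmt->bindValue(':campname',  $post['campname'] ?? '',  PDO::PARAM_STR);
    $stmt->bindValue(':imgurl',    $post['imgurl'] ?? '',    PDO::PARAM_STR);
    $stmt->bindValue(':targeturl', $post['targeturl'] ?? '', PDO::PARAM_STR);
    $stmt->bindValue(':explain',   $explain,                 PDO::PARAM_STR);
    $stmt->bindValue(':status',    'Pending',                PDO::PARAM_STR);
    $stmt->bindValue(':incustom',  $post['incustom'] ?? '',  PDO::PARAM_STR);
    $stmt->execute();

    return (int) $db->lastInsertId();
}

// The row stores the HTML exactly as given. When it is shown again, decide
// explicitly whether it is trusted markup; anything that came from a user
// must be escaped (or passed through an HTML sanitiser) before it is echoed.
function renderExplain(string $storedHtml, bool $trusted): string
{
    return $trusted
        ? $storedHtml
        : htmlspecialchars($storedHtml, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (constructed input):
// $id = insertSite($db, $username, $_POST, '<p>Testing Input</p>');
// echo renderExplain('<p>Testing Input</p>', false); // &lt;p&gt;Testing Input&lt;/p&gt;
```

The database never cares that the value is HTML; what matters is where it ends up later. Keeping the "is this trusted?" decision next to the output, rather than trying to clean the input on the way in, is what prevents stored markup from turning into script injection on the page that displays it.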


Why can't I bind a variable to a 'SHOW VARIABLE LIKE' query with PDO/MySQL?

I've been digging over the PHP PDO documentation and I can't figure out why this query is failing.
Here's the query:
$var = 'information_schema_stats_expiry';
$stmt = $pdo->prepare('SHOW VARIABLES LIKE :var');
$stmt->execute([':var' => $var]);
When executed I get this error:
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1
I know I can work around it with slightly altered queries. These are a few I've tested that do work.
$var = 'information_schema_stats_expiry';
$stmt = $this->pdo->prepare('SHOW VARIABLES LIKE "' . $var . '"');
$stmt->execute();
Or,
$var = 'information_schema_stats_expiry';
$stmt = $this->pdo->prepare('SHOW VARIABLES WHERE variable_name=:var');
$stmt->execute([':var' => $var]);
Or, the same as above, but with
SHOW VARIABLES WHERE variable_name LIKE :var
However, I'm trying to understand why the first query doesn't work. It reminds me of the issues where people try to bind a variable for a LIMIT clause, but it fails because the number gets quoted; but, in this case, the variable name needs to be quoted, so I would think the query would work fine. Is this a bug, or is there a documented reason why this query would be failing?
To sum up, this query works fine when I run it directly through a MySQL client, or as a static query in PHP:
SHOW VARIABLES LIKE "information_schema_stats_expiry"
However, if I try to make a prepared statement with the exact same syntax, it will fail:
SHOW VARIABLES LIKE :var
Is there any obvious reason this isn't working?
This is running on PHP 8 with MySQL 8.
It's a MySQL limitation. Not all statements can be prepared. (There is a PREPARE syntax which sets up parameter binding, which we don't usually see in PHP/PDO. You ought to be getting a warning of sorts.)
SHOW VARIABLES is definitely exempt:
https://dev.mysql.com/doc/refman/8.0/en/sql-prepared-statements.html#prepared-statements-permitted

INSERT query PDO single quotation PDO Error

Hi, I have this query where I am inserting information into a database.
Submitting the form works as intended. However, when using ' (apostrophes) within the text entered,
I receive a PDOException: SQLSTATE[42000] Syntax error or access violation: 1064
$result = $conn->prepare("UPDATE `news_articles`
SET `postedby`=:postedby,`title`=:title,
`short_title`=:short_title,
`article_image`=:article_image,
`contents`=:contents,
`datetime`=:datetime,
`event_datetime`=:event_datetime,
`type`=:type
WHERE `articleid`=:articleid");
$result->bindParam(':articleid', $articleid);
$result->bindParam(':postedby', $postedby);
$result->bindParam(':title', $title);
$result->bindParam(':short_title', $short_title);
$result->bindParam(':article_image', $article_image);
$result->bindParam(':contents', $contents);
$result->bindParam(':datetime', $datetime);
$result->bindParam(':event_datetime', $event_datetime);
$result->bindParam(':type', $type);
$result->execute();
Does anybody know why this is?
I am not 100% sure of this, but if you use the third parameter of ->bindParam() to inform it of the data type, it may well be all you need to correct this issue.
So that would be specifically
$result->bindParam(':contents', $contents, PDO::PARAM_STR);
But you should use it on all your ->bindParam() calls.
Manual http://php.net/manual/en/pdostatement.bindparam.php
and Param constants http://php.net/manual/en/pdo.constants.php
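As an added example (not the question's or the answer's code), here is a cut-down version of the same UPDATE that binds `contents` with an explicit PDO::PARAM_STR and runs it against a constructed value full of apostrophes and quotes. It assumes `$conn` is a PDO connection to MySQL with a `news_articles` table as in the question.

```php
<?php
// Added example: bind the article text with an explicit type and feed it a
// value containing apostrophes. Assumes $conn is a PDO connection to MySQL
// and a `news_articles` table with `articleid` and `contents` columns.
function updateArticleContents(PDO $conn, int $articleId, string $contents): int
{
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $conn->prepare(
        'UPDATE `news_articles` SET `contents` = :contents WHERE `articleid` = :articleid'
    );
    // PDO::PARAM_STR is already the default for bindParam()/bindValue(); naming
    // it documents the intent. The value is sent apart from the SQL text, so the
    // driver, not string concatenation, takes care of the quoting.
    $stmt->bindValue(':contents',  $contents,  PDO::PARAM_STR);
    $stmt->bindValue(':articleid', $articleId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed sample text: apostrophes, double quotes and a backslash.
$sample = "O'Reilly's \"quoted\" text \\ ends here";

// The contrast, kept as a comment: building the statement by concatenation.
// The first apostrophe in $sample terminates the SQL string literal and
// produces the same kind of 1064 syntax error as the one in the question.
// $conn->query("UPDATE `news_articles` SET `contents` = '$sample' WHERE `articleid` = 1");

// Usage: $rows = updateArticleContents($conn, 1, $sample); // 1 when the row exists
```

If a bound UPDATE like this one still raises 1064 on apostrophes, the text is reaching the server through some other, unbound path (a second query, a logging statement, a concatenated fragment), and that is the place to look rather than at the bind type.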

PHP Insert Into Statement always fails [duplicate]

This question already has an answer here: Syntax error due to using a reserved word as a table or column name in MySQL (1 answer). Closed 7 years ago.
I am making myself a website and I am onto the backend administration section. I'm currently stuck on submitting the details from a form into my database; I keep getting the same error over and over again no matter what, which is:
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Change) VALUES ('Connor', 'Connor')' at line 1
This is the code which is giving me the error (it connects perfectly to the database):
$query = "INSERT INTO changes (DevName,Change) VALUES ('$dev', '$changed')";
$a = mysql_query($query);
It keeps saying syntax error when I have been looking at other code, and it shows the exact same thing as the code that I have (except the variables of course).
That's because Change is a reserved word in MySQL. You will have to escape it using backticks.
The following works fine, otherwise explosions:
create table changes
( DevName varchar(100),
`Change` varchar(100)
);
insert changes(DevName,`Change`) values ('1','2');
Please don't use mysql_* methods, because they are deprecated in PHP 5.5 and removed in PHP 7. Instead you should use PDO or mysqli:
$sth = $dbh->prepare('INSERT INTO changes (`DevName`, `Change`) VALUES (:dev, :changed)');
$sth->bindParam(':dev', $dev, PDO::PARAM_STR);
$sth->bindParam(':changed', $changed, PDO::PARAM_STR);
$sth->execute();
For more details about PDO visit site http://php.net/manual/en/book.pdo.php

How to insert compressed data using PDO?

I'm trying to insert a large serialized object into a MySQL database using PDO. Attempting to insert directly gives:
PDOStatement::execute() [pdostatement.execute]: SQLSTATE[08S01]: Communication link failure: 1153 Got a packet bigger than 'max_packet_allowed' bytes
There seem to be a few possible ways to tackle this, but my first tack is gzcompress, bringing it down from 2383731 to 155955 bytes (using compression level 6). But I am now struggling to insert the result for a different reason:
PDOStatement::execute() [pdostatement.execute]: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'lob) VALUES ('[some binary data spewed out here]'
Here's the basic gist of the code:
$value = gzcompress(serialize($lob));
$stmt = $conn->prepare("INSERT INTO saved (lob) VALUES (:value)");
$stmt->bindParam(':value', $value, PDO::PARAM_LOB);
$stmt->execute();
The examples in the documentation all seem to be using file streams rather than binary data stored in a string, so I am not sure this is valid. Could anyone advise?
The error sounds like you need to add backticks around the field name:
INSERT INTO saved (`lob`) VALUES (:value)
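As an added example (not the question's or the answer's code), here is a round trip for a compressed, serialized value through PDO: the blob is bound as a LOB on the way in, and on the way out it is integrity-checked, decompressed and unserialized without instantiating objects. It assumes `$conn` is a PDO connection to MySQL and a `saved` table as sketched in the comment; the `sha256` column is this example's own addition, not something the question describes.

```php
<?php
// Added example: store a compressed, serialized value through PDO and read it
// back safely. Assumes $conn is a PDO connection to MySQL and a table roughly:
//   CREATE TABLE `saved` (`id` INT AUTO_INCREMENT PRIMARY KEY,
//                         `lob` LONGBLOB NOT NULL, `sha256` CHAR(64) NOT NULL);
// The `sha256` column is this example's addition for an integrity check.
function saveCompressed(PDO $conn, $value): int
{
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Compression shrinks the payload, but the result still has to fit within
    // the server's max_allowed_packet; that limit is unchanged by this code.
    $blob = gzcompress(serialize($value), 6);
    if ($blob === false) {
        throw new RuntimeException('gzcompress failed');
    }

    // Backtick-quoted identifiers, and the binary string bound as a LOB so the
    // driver transfers it as bytes rather than splicing it into the SQL text.
    $stmt = $conn->prepare('INSERT INTO `saved` (`lob`, `sha256`) VALUES (:lob, :sha256)');
    $stmt->bindValue(':lob',    $blob,                 PDO::PARAM_LOB);
    $stmt->bindValue(':sha256', hash('sha256', $blob), PDO::PARAM_STR);
    $stmt->execute();

    return (int) $conn->lastInsertId();
}

function loadCompressed(PDO $conn, int $id)
{
    $stmt = $conn->prepare('SELECT `lob`, `sha256` FROM `saved` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no row $id");
    }

    // Some drivers hand a LOB column back as a stream; normalise to a string.
    $blob = is_resource($row['lob']) ? stream_get_contents($row['lob']) : $row['lob'];

    // Detect truncation or corruption before trying to decompress.
    if (!hash_equals($row['sha256'], hash('sha256', $blob))) {
        throw new RuntimeException("stored blob $id is corrupted or truncated");
    }
    $raw = gzuncompress($blob);
    if ($raw === false) {
        throw new RuntimeException("stored blob $id does not decompress");
    }

    // Refuse to instantiate objects from stored data: with allowed_classes set
    // to false, unserialize() yields __PHP_Incomplete_Class instead of running
    // any class's wakeup or destructor logic on data that came from the database.
    return unserialize($raw, ['allowed_classes' => false]);
}

// Usage with a constructed value (an array of 50 000 strings):
// $id   = saveCompressed($conn, array_fill(0, 50000, 'sample payload'));
// $back = loadCompressed($conn, $id);   // the same array as stored
```

The hash check costs one extra column and catches the silent-truncation case where a write succeeded but the stored bytes are not what was sent; `allowed_classes => false` is the right default whenever the serialized data is only ever plain arrays and scalars, as a cache of a "large serialized object" usually is.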

PHP PDO prepared query refuses to execute properly - escaping problem?

I'm having a problem with a query prepared in PHP with PDO. The code:
$link = new PDO("mysql:dbname=$dbname;host=127.0.0.1",$username,$password);
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$query = $link->prepare("SELECT locality_name FROM :passedday GROUP BY locality_name ORDER BY locality_name DESC");
$query->bindParam(":passedday",$day); //Where day is, well, a day passed to the script elsewhere
$query->execute();
$result = $query->fetchAll();
$link = null;
//Do things with the $result.
The error message I am getting is:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''05_26_09' GROUP BY locality_name ORDER BY locality_name DESC' at line 1
When I execute the query on the server directly, it returns the appropriate result set without any problem. Any ideas what I'm doing wrong?
TIA.
Edit:
$day is passed as a GET argument. So, http://127.0.0.1/day.php?day=05_26_09 leads to $day = $_GET['day'];.
If 05_26_09 is supposed to be the table's name, then I guess you've an escaping problem. Is your local operating system different from the live server?
I don't think you can use bindValue()/bindParam() for something other than values (e.g. table name, field name). So I'm a bit surprised that it works on your local system.
PDO uses mysql's C-API for prepared statements.
http://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-prepare.html says: "The markers are legal only in certain places in SQL statements. [...] However, they are not allowed for identifiers (such as table or column names)."
As a rule of thumb I use: "if you can't wrap it in single-quotes in an ad-hoc query string, you can't parametrize it in a prepared statement".
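As an added example (not the question's or the answer's code), here is how the query from this question can take its table name from the request without binding it: the value is validated against a strict pattern, wrapped in backticks with any embedded backtick doubled, and only then spliced into the SQL text. It assumes `$link` is a PDO connection to MySQL and that the per-day tables are named like 05_26_09, as in the question; the `MM_DD_YY` shape of the allowlist is an assumption drawn from that single example.

```php
<?php
// Added example: a table name cannot be a bound parameter, so validate it and
// quote it as an identifier instead. Assumes $link is a PDO connection to MySQL
// and day tables named like 05_26_09 (the pattern below is an assumption).
function quoteIdentifier(string $name): string
{
    // MySQL escapes a backtick inside a quoted identifier by doubling it.
    return '`' . str_replace('`', '``', $name) . '`';
}

function dayTableName(string $requested): string
{
    // Allowlist: exactly two digits, underscore, two digits, underscore, two digits.
    if (preg_match('/\A\d{2}_\d{2}_\d{2}\z/', $requested) !== 1) {
        throw new InvalidArgumentException('day must look like MM_DD_YY');
    }
    return $requested;
}

function localityNamesForDay(PDO $link, string $requestedDay): array
{
    $link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The identifier is validated and quoted before it touches the SQL text;
    // nothing else from the request is concatenated in.
    $table = quoteIdentifier(dayTableName($requestedDay));
    $stmt  = $link->prepare(
        "SELECT `locality_name` FROM $table GROUP BY `locality_name` ORDER BY `locality_name` DESC"
    );
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

// Usage: $rows = localityNamesForDay($link, $_GET['day'] ?? '');
// dayTableName('05_26_09')    -> '05_26_09'
// dayTableName('2009-05-26')  -> InvalidArgumentException
```

The rule of thumb above tells you what a placeholder can never do; the allowlist is what does the job instead. Validating the shape of the name is stronger than quoting alone, because the quoting only guarantees that the text is parsed as an identifier, not that it names a table the request should be allowed to read.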
