I'm trying to execute a PDO update statement defined as follows:
$sql = "UPDATE users SET (email,name) VALUES (:email,:name) WHERE userId = :userId";
$result= $db->prepare($sql);
$result->execute(array(':userId'=>21,':email'=>'test',':name'=>'testname'));
But no matter what I try, it returns the following error:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(email,name) VALUES ('test','testname') WHERE userId = '21'' at line 1' in /var/www/vhosts/tftest.co.uk/biggreensquare.co.uk/application/models/user_model.php:79
I can't see what is wrong with my syntax that is causing this; any feedback much appreciated.
I would expect the syntax to look like:
UPDATE users
SET email = :email,
name = :name
WHERE userId = :userId;
I have a strange error:
I have this simple code:
$id = strip_tags($_SESSION["infos_profile_id"]);
$id_friend = strip_tags($_POST["update_user_chat_every_5_second"]);
$q = $bdd->query('SELECT * FROM message WHERE id_sender = '.$id_friend.' AND id_send_to = '.$id.' AND message_read = "0"');
It works fine on MySQL.
But after hosting my website on a MariaDB server, I see this error:
PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND message_read = "0"' at line 1' in
I have done everything to solve it but I can't find where the error really comes from.
Any help to solve that error?
Thanks.
I agree with the comment from @MaxT above -- you should echo your SQL query after interpolating all variables into it. It's too difficult to debug when you're looking at code that formats an SQL query, instead of the query itself.
Comments are also correct that strip_tags() is not useful for SQL injection protection.
Query parameters are the best protection against SQL injection, and they help you avoid syntax errors too.
Here's what it would look like for your code:
$id = $_SESSION["infos_profile_id"];
$id_friend = $_POST["update_user_chat_every_5_second"];
$sql = 'SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0';
$q = $bdd->prepare($sql);
$q->execute( ['id'=>$id, 'id_friend'=>$id_friend] );
It's really very easy!
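As an added, self-contained example (not code from either post above): it runs the parameterized UPDATE from the first answer and the parameterized SELECT from the second answer through PDO, and shows why interpolating a request value into the query string produces a 1064 syntax error while the same value passed as a bound parameter is treated as plain data. An in-memory SQLite database is assumed so the script runs without a MySQL server; the prepare()/execute() calls are the same for MySQL/MariaDB, and the table rows are constructed sample data.

```php
<?php
// Added example: parameterized UPDATE and SELECT with PDO.
// In-memory SQLite is an assumption made so the script runs offline;
// the PDO calls are identical for MySQL/MariaDB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows.
$db->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$db->exec('CREATE TABLE message (id INTEGER PRIMARY KEY, id_sender INTEGER, id_send_to INTEGER, message_read INTEGER)');
$db->exec("INSERT INTO users (userId, email, name) VALUES (21, 'old@example.invalid', 'old')");
$db->exec('INSERT INTO message (id_sender, id_send_to, message_read) VALUES (7, 21, 0), (8, 21, 0)');

// 1. UPDATE: one "column = :placeholder" pair per column; there is no
//    "SET (a, b) VALUES (...)" form, which is what the first question tripped over.
$update = $db->prepare(
    'UPDATE users SET email = :email, name = :name WHERE userId = :userId'
);
$update->execute([':userId' => 21, ':email' => 'test', ':name' => 'testname']);
printf("rows updated: %d\n", $update->rowCount());

// 2. SELECT: the same query with interpolation versus bound parameters.
//    Constructed input: a request value that is not a clean integer
//    (e.g. an empty or malformed POST field).
$idFriend = '7 AND';   // constructed malformed value
$id       = 21;

// Interpolated: the value becomes part of the SQL text, so the server rejects
// the statement with a syntax error like the one in the question.
try {
    $db->query('SELECT * FROM message WHERE id_sender = ' . $idFriend
             . ' AND id_send_to = ' . $id . ' AND message_read = 0');
} catch (PDOException $e) {
    echo 'interpolated query failed: ', $e->getMessage(), "\n";
}

// Bound: the value is sent as data, so the statement stays valid SQL; it
// simply matches no rows because no sender id equals the string "7 AND".
$select = $db->prepare(
    'SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0'
);
$select->execute(['id' => $id, 'id_friend' => $idFriend]);
printf("rows matched with the malformed value: %d\n", count($select->fetchAll()));

// The same prepared statement reused with a real sender id finds both messages.
$select->execute(['id' => $id, 'id_friend' => 7]);
printf("rows matched with a real sender id: %d\n", count($select->fetchAll()));
```

The prepared statement is built once and executed twice with different values, which is the point of the second answer: the query text never changes, so neither a malformed value nor a deliberately crafted one can alter its structure.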
I keep getting the following error when trying to submit details of an order into my database:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' in /home/ubuntu/workspace/handlers/checkout-handler.php on line 111 PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order (order_details, order_address, cust_id, cust_name, delivery_type, paid) ' at line 1.
I can't figure out what's wrong with it; all of the variables are being posted correctly to the page.
$query1 = "INSERT INTO order (order_details, order_address, cust_id, cust_name, delivery_type, paid) VALUES(:details,:address,:d,:name,:delivery,:paid);";
$sql=$conn->prepare($query1);
$sql->bindParam(':details', $details);
$sql->bindParam(':address', $address);
$sql->bindParam(':name', $name);
$sql->bindParam(':delivery', $delivery_type);
$sql->bindParam(':paid', $paid);
$sql->bindParam(':d', $d);
$sql->execute();
order is a reserved keyword. You should add backticks (`) around it to use it:
$query1 = "INSERT INTO `order` (order_details, order_address, cust_id, cust_name, delivery_type, paid)
VALUES(:details,:address,:d,:name,:delivery,:paid);";
$sql = $conn->prepare($query1);
See also: Keywords and Reserved Words
I'm just trying pagination in one of my projects and I am getting an error like this:
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0',5' at line 1
Please help me.
You get this error because the $go parameter is being inserted as a string rather than an int.
I recommend binding parameters before execute. You can do it like this:
$stmt->bindParam(':go', $go, PDO::PARAM_INT);
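An added example of the fix from the answer above, not code from the question or the answer: a pagination query whose LIMIT and OFFSET values are validated as integers and bound with PDO::PARAM_INT. On MySQL with emulated prepares (the default in pdo_mysql), a value bound without PARAM_INT is quoted as a string, and LIMIT '0',5 is exactly the syntax error in the question; binding as an integer avoids it. An in-memory SQLite database, the posts table and the fetchPage() function are assumptions made so the script runs offline.

```php
<?php
// Added example: LIMIT/OFFSET pagination with integer-typed bindings.
// In-memory SQLite is an assumption so the script runs offline; on MySQL
// you may additionally set PDO::ATTR_EMULATE_PREPARES to false so the
// driver uses native prepares and sends typed values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: twelve posts.
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
for ($i = 1; $i <= 12; $i++) {
    $ins->execute([':title' => "post $i"]);
}

/**
 * Return one page of posts. $page arrives as a string (e.g. $_GET['page'])
 * and is validated and cast before it gets anywhere near the query.
 */
function fetchPage(PDO $db, $page, int $perPage = 5): array
{
    // Accept only a positive whole number; anything else is rejected rather
    // than passed on to LIMIT.
    $pageNo = filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pageNo === false) {
        throw new InvalidArgumentException('page must be a positive integer');
    }
    $go = ($pageNo - 1) * $perPage;   // offset, always an int

    $stmt = $db->prepare('SELECT id, title FROM posts ORDER BY id LIMIT :limit OFFSET :go');
    // PDO::PARAM_INT tells the driver to send a number, not a quoted string.
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':go', $go, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Third page at five per page: the last two rows.
foreach (fetchPage($db, '3') as $row) {   // '3' as it arrives from a query string
    echo $row['id'], ': ', $row['title'], "\n";
}

// Constructed non-numeric input is refused before any SQL is built.
try {
    fetchPage($db, 'abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validating the page number first keeps a bad value out of the statement altogether; the typed bindValue() calls then make sure the driver never quotes the integers it does receive.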
My question today is that I'm trying to return an id after I inserted a new line into my DB.
$sql = ('INSERT INTO `tSections`(`sSection`, `pCity_id`) VALUES (:sSection, :pCity_id) RETURNING pSection_id');
$new_section = $DBH->prepare($sql);
Without the RETURNING pSection_id it works fine. Any ideas or solutions? I'm assuming that I just forgot something simple.
Hope to hear from you guys soon.
This is the error that it gives
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'RETURNING pJob_Type_id' at line 1' in
There's no such thing as RETURNING in MySQL.
You're looking for PDO::lastInsertId().
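An added example of the answer's suggestion, not code from the question or the answer: the INSERT from the question without a RETURNING clause, with the new pSection_id read back through PDO::lastInsertId(), and a parent row inserted in the same transaction so the key is read from the same connection right after the statement it belongs to. An in-memory SQLite database, the tCities table and the addCityWithSection() function are assumptions made so the script runs offline; on MySQL the same calls work with an AUTO_INCREMENT column.

```php
<?php
// Added example: reading an auto-generated key with lastInsertId().
// In-memory SQLite is an assumption so the script runs offline.
$DBH = new PDO('sqlite::memory:');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DBH->exec('CREATE TABLE tCities (pCity_id INTEGER PRIMARY KEY, sCity TEXT)');
$DBH->exec('CREATE TABLE tSections (pSection_id INTEGER PRIMARY KEY, sSection TEXT, pCity_id INTEGER NOT NULL)');

/**
 * Insert a city and one section for it, returning the new pSection_id.
 * Both inserts run in one transaction so a failure in the second statement
 * does not leave a half-written pair, and each lastInsertId() call is made
 * immediately after the INSERT whose key it reports.
 */
function addCityWithSection(PDO $DBH, string $city, string $section): int
{
    $DBH->beginTransaction();
    try {
        $DBH->prepare('INSERT INTO tCities (sCity) VALUES (:sCity)')
            ->execute([':sCity' => $city]);
        $cityId = (int) $DBH->lastInsertId();   // key of the city row just inserted

        $new_section = $DBH->prepare(
            'INSERT INTO tSections (sSection, pCity_id) VALUES (:sSection, :pCity_id)'
        );
        $new_section->execute([':sSection' => $section, ':pCity_id' => $cityId]);
        $sectionId = (int) $DBH->lastInsertId();   // now the tSections key, not the city's

        $DBH->commit();
        return $sectionId;
    } catch (PDOException $e) {
        $DBH->rollBack();
        throw $e;
    }
}

// Constructed sample calls.
$first  = addCityWithSection($DBH, 'Lyon', 'north');
$second = addCityWithSection($DBH, 'Lyon', 'south');
echo "new section ids: $first, $second\n";
```

lastInsertId() reports the key of the most recent INSERT on this connection, which is why it is read straight after each statement rather than at the end of the function.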
I'm getting a weird error from PDO and it doesn't make sense. I am trying the following code but even if I change the code I get the exact same error that doesn't reflect any of the changes.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber=?");
$stmt->bindValue(1, (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
Here's the error message:
"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' gpsthr from ccprefs where fleetnumber= ?' at line 1"
If I change the code to this I still get the same error.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber= :fleet");
$stmt->bindValue(':fleet', (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
DATABASE is a reserved keyword and as such you have to quote it.
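An added example covering this answer and the earlier `order` answer, not code from any of the posts: both failures come from using a reserved word (ORDER, DATABASE) as an unquoted table or column name. Placeholders cannot help here because they bind values, not identifiers, so the names are quoted with backticks through a small helper; the values still go through parameters. An in-memory SQLite database and the quoteIdentifier() helper are assumptions made so the script runs offline (SQLite accepts MySQL-style backtick quoting, and ORDER is reserved there as well).

```php
<?php
// Added example: quoting reserved words used as identifiers.
// In-memory SQLite is an assumption so the script runs offline.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/**
 * Quote a MySQL/MariaDB identifier with backticks, doubling any backtick
 * inside the name. Use it only for names the application itself chooses
 * (a fixed list of tables or columns); it is not a substitute for bound
 * parameters on values.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Unquoted: the parser reads ORDER as the keyword and reports a syntax error.
try {
    $conn->exec('CREATE TABLE order (id INTEGER PRIMARY KEY, cust_name TEXT)');
} catch (PDOException $e) {
    echo 'unquoted: ', $e->getMessage(), "\n";
}

// Quoted: the same word is now an ordinary table name.
$table = quoteIdentifier('order');
$conn->exec("CREATE TABLE $table (id INTEGER PRIMARY KEY, cust_name TEXT)");

$sql = $conn->prepare("INSERT INTO $table (cust_name) VALUES (:name)");
$sql->execute([':name' => 'A. Customer']);   // constructed sample row

// Columns need the same treatment; the value side still uses placeholders.
$column = quoteIdentifier('database');   // reserved word as a column name
$conn->exec("CREATE TABLE ccprefs (fleetnumber INTEGER, $column TEXT, gpsthr INTEGER)");
$conn->prepare("INSERT INTO ccprefs (fleetnumber, $column, gpsthr) VALUES (:fleet, :db, :thr)")
     ->execute([':fleet' => 42, ':db' => 'fleet42', ':thr' => 5]);   // constructed sample row

$stmt = $conn->prepare("SELECT $column, gpsthr FROM ccprefs WHERE fleetnumber = :fleet");
$stmt->bindValue(':fleet', 42, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetch(PDO::FETCH_ASSOC));
```

Keeping identifier quoting in one helper, and only ever passing it names from code rather than from a request, is what keeps the interpolated `$table` and `$column` safe while every user-supplied value stays in a bound parameter.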