PDO Update Statement not working - php

I am trying to update a simple query and I keep getting the following error message...
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':cat_name, menu_category_description = :cat_desc WHERE id = :id' at line 1
The query I am using looks perfectly valid. I don't know why it keeps showing that error message.
Below is my query I am using.
$query = "UPDATE menu_categories SET menu_category_name = :cat_name, menu_category_description = :cat_desc WHERE id = :id ";
$stmt = $db->query($query);
$stmt->execute([":cat_name" =>$category_name, ":cat_desc" => $category_description, ":id" => $id ]);

You need to first prepare your query: (you're querying instead of preparing)
change this line:
$stmt = $db->query($query);
to:
$stmt = $db->prepare($query);
then change this line
$stmt->execute([":cat_name" =>$category_name, ":cat_desc" => $category_description, ":id" => $id ]);
to (and remove the square brackets)
$stmt->execute(":cat_name" =>$category_name, ":cat_desc" => $category_description, ":id" => $id);

See if this works for you,
$query = "UPDATE menu_categories SET menu_category_name = :cat_name, menu_category_description = :cat_desc WHERE id = :id ";
$stmt = $db->prepare($query);
$stmt->bindParam(':cat_name', $category_name);
$stmt->bindParam(':cat_desc', $category_description);
$stmt->bindParam(':id', $id);
$stmt->execute();
Also, where are you defining values for your $category_name, $category_description, $id? Make sure they are not empty.
Here's an example of an update with PDO:
$pdo = Database::getInstance();
$stmt = $pdo->db->prepare("UPDATE people SET reset='1', active=:acTive WHERE user_id=:id limit 1");
$stmt->bindParam(':acTive', $_POST['active_key']);
$stmt->bindParam(':id', $_POST['id']);
$stmt->execute();
Hope it helps
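The corrected flow from the first answer, worked through end to end as an added example (this is not code from the question or either answer). It assumes the pdo_sqlite extension and constructs the menu_categories table inline so it runs offline; on MySQL the same code applies unchanged. Two facts it relies on: PDOStatement::execute() takes its bindings as one array, and with PDO::ERRMODE_EXCEPTION a mismatched placeholder name fails loudly instead of silently updating nothing.

```php
<?php
// Added example, not from the original question or answers.
// Assumes the pdo_sqlite extension; the table and its one row are constructed here.
declare(strict_types=1);

// Throwing on every error makes a bad prepare() or execute() impossible to miss.
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so placeholders are
// bound server-side rather than interpolated by the client library.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE menu_categories (
    id INTEGER PRIMARY KEY,
    menu_category_name TEXT NOT NULL,
    menu_category_description TEXT
)');
$db->exec("INSERT INTO menu_categories VALUES (1, 'Starters', 'Old text')");

/**
 * Update one category. Returns the number of rows changed (0 or 1).
 * The SQL text is fixed at prepare() time; only the values travel in execute().
 */
function updateCategory(PDO $db, int $id, string $name, string $description): int
{
    $query = 'UPDATE menu_categories
              SET menu_category_name = :cat_name,
                  menu_category_description = :cat_desc
              WHERE id = :id';
    $stmt = $db->prepare($query);            // prepare(), not query(): placeholders are bound below
    $stmt->execute([                         // execute() takes ONE array of bindings
        ':cat_name' => $name,
        ':cat_desc' => $description,
        ':id'       => $id,
    ]);
    return $stmt->rowCount();
}

$changed = updateCategory($db, 1, "Starters & Soups", "Contains ' and ; safely");
echo "rows changed: $changed\n";            // 1

$row = $db->query('SELECT * FROM menu_categories WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo $row['menu_category_name'], "\n";      // Starters & Soups

// A misspelled key now fails with SQLSTATE HY093 instead of silently doing nothing.
try {
    $db->prepare('UPDATE menu_categories SET menu_category_name = :cat_name WHERE id = :id')
       ->execute([':cat_nam' => 'x', ':id' => 1]);
} catch (PDOException $e) {
    echo 'bind error: ', $e->getMessage(), "\n";
}
```

rowCount() is the check worth keeping in production code: an UPDATE whose WHERE matches nothing is not an error to PDO, so a 0 there is the only signal that the id was wrong.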

Related

Prepared statements in Extbase TYPO3 7.6 not working

I want to submit the query as a prepared statement, like below.
$query = $this->createQuery();
$query->getQuerySettings()->usePreparedStatement(TRUE);
$sqlParamList[] = 'test@gamil.com';
$sql = 'SELECT uid FROM table_name WHERE email = ?';
$query->statement($sql, $sqlParamList);
$result = $query->execute();
But I always get errors like below.
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near '?' at line 1'
Where am I wrong?
You need to parse your $sql to a prepared statement first:
$preparedSql = $this->objectManager->get(\TYPO3\CMS\Core\Database\PreparedStatement::class, $sql, 'table_name');
With $this->objectManager->get() you instantiate the class PreparedStatement with the arguments $sql and 'table_name'.
This will change your $sql and parse the ? to be used as prepared statement.
Another approach:
$query = $this->createQuery();
$query->getQuerySettings()->usePreparedStatement(TRUE);
$sqlParamList = [
':email' => 'test@gamil.com'
];
$sql = 'SELECT uid FROM table_name WHERE email = :email';
$query->statement($sql, $sqlParamList);
$result = $query->execute();
Cannot test it, just an approach.

MySQL SELECT query returning false when prepared

My file should get all users with this id (It's only one since id is unique in this table) and prepare a statement to execute later. When I execute it I get this error:
Fatal error: Uncaught Error: Call to a member function execute() on
boolean in C:\xampp\htdocs\Gamanware.ga\Admin\update.php:7 Stack
trace: #0 {main} thrown in
C:\xampp\htdocs\Gamanware.ga\Admin\update.php on line 7.
And I can't see anything wrong with it. The id is alright (I echo it out to be sure), I'm not using reserved words and have made sure that it won't matter anyway, but I still get this error. I have been on several forums and many questions have not worked for me. I hope some of you can! My code:
<?php
require '../includes/login_system.dbh.php';
$id = $_GET['id'];
$sql = 'SELECT * FROM `users` WHERE `id`=:id';
$statement = $conn->prepare($sql);
$statement->execute([':id' => $id ]);
Try the code below and see if it helps
require '../includes/login_system.dbh.php';
$sql= "SELECT * FROM users WHERE id = :id";
$statement = $conn->prepare($sql);
$statement->bindParam(':id', $id, PDO::PARAM_INT);
$id = $_GET['id'];
$statement->execute();
You can also do an if else statement with your execute like so to see what it gives you.
require '../includes/login_system.dbh.php';
$sql= "SELECT * FROM users WHERE id = :id";
$statement = $conn->prepare($sql);
$statement->bindParam(':id', $id, PDO::PARAM_INT);
$id = $_GET['id'];
if ($statement->execute()) {
echo "Success";
} else {
echo "Failed";
}
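An added example (not code from the question or the answer) that reproduces the "execute() on boolean" symptom and then shows the checks a practitioner wants around it: an error mode that throws, a look at errorInfo() when prepare() does return false, and an integer validation of the id before it is bound. It assumes the pdo_sqlite extension and constructs the users table inline; the table typo used to provoke the failure is mine.

```php
<?php
// Added example, not code from the question or the answers. Assumes the
// pdo_sqlite extension; the users table and the inputs are constructed here.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:');
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$conn->exec("INSERT INTO users VALUES (7, 'alice')");

// --- Reproducing the symptom ---------------------------------------------
// In silent mode (the default before PHP 8) a failed prepare() returns false,
// and the very next ->execute() dies with "Call to a member function execute()
// on bool". errorInfo() on the connection says why.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$stmt = $conn->prepare('SELECT * FROM user WHERE id = :id');   // deliberate typo: table "user"
if ($stmt === false) {
    [$sqlState, $driverCode, $message] = $conn->errorInfo();
    echo "prepare failed: $sqlState ($driverCode): $message\n";
}
// MySQL with emulated prepares (PDO's default there) only sends the SQL at
// execute(), so the same typo surfaces there instead; the check is the same.

// --- The fix: make PDO throw, validate the id, bind it as an integer -------
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/**
 * Look up one user by id. Returns the row, or null if $rawId is not an
 * integer or no such user exists. The raw query-string value never reaches
 * the SQL text.
 */
function findUser(PDO $conn, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                       // "7 OR 1=1", "", "7abc" are all rejected here
    }
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = :id');
    // bindValue() copies the value now; bindParam() binds by reference, which is
    // why the answer above can assign $id after the bind but before execute().
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findUser($conn, '7'));            // ['id' => 7, 'name' => 'alice']
var_dump(findUser($conn, '8'));            // NULL: no such row
var_dump(findUser($conn, '7 OR 1=1'));     // NULL: rejected before any SQL runs
```

Rejecting a non-integer id up front is not what stops injection (the bound placeholder does that); it is what turns a garbage request into a clean 404-style null instead of a query that matches nothing and leaves you guessing.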

PDO::exec() expects parameter 1 to be string, object given

This is the code that makes the error:
$sql = 'INSERT INTO pedidos (pagado, instalado) VALUES ("'.$_POST['email'].'", "'.$_POST['b'].'") WHERE email="'.$_POST['2'].'"';
$stm = $conn->prepare($sql);
$conn->exec($stm);
That's not the proper way to use prepare and execute. The reason this was created was so that you wouldn't need to put logic and data together and put yourself at risk of an SQL injection attack.
$sql = 'INSERT INTO pedidos (pagado, instalado) VALUES (:pagado, :instalado)';
$stm = $conn->prepare($sql);
$stm->bindParam(':pagado', $_POST['email']);
$stm->bindParam(':instalado', $_POST['b']);
$stm->execute();
It also doesn't make sense to put a WHERE in an INSERT query. You're inserting into your table, you're not getting data.
However, if you're updating data based on other data, then you should use an UPDATE query.
UPDATE pedidos SET pagado=?, instalado=? WHERE email=?
An example of this would be:
$sql = 'UPDATE pedidos SET pagado=:pagado, instalado=:instalado WHERE email=:email';
$stm = $conn->prepare($sql);
$stm->bindParam(':pagado', $_POST['email']);
$stm->bindParam(':instalado', $_POST['b']);
$stm->bindParam(':email', $_POST['2']);
$stm->execute();
UPDATE - 2:
$sql = 'UPDATE pedidos SET pagado = ?, instalado = ? WHERE email = ?';
$stm = $conn->prepare($sql);
$stm->bindParam(1,$_POST['email']);
$stm->bindParam(2,$_POST['b'] );
$stm->bindParam(3,$_POST['2'] );
$stm->execute(); // here your code generates the error
Reason: you put $stm in execute(), which causes an error.

Php pdo update statement

I need to update my database so I write:
try {
$STH = $db->prepare("UPDATE zemljiste (naziv, ha, ar, m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_kol, ocekivano) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12) WHERE id = :id_akt AND user_id=:13");
$STH->bindParam(':id_akt', $_POST['naziv']);
$STH->bindParam(':1', $_POST['naziv']);
$STH->bindParam(':2', $_POST['ha']);
$STH->bindParam(':3', $_POST['ar']);
$STH->bindParam(':4', $_POST['m2']);
$STH->bindParam(':5', $_POST['udeo_ha']);
$STH->bindParam(':6', $_POST['udeo_ar']);
$STH->bindParam(':7', $_POST['udeo_m2']);
$STH->bindParam(':8', $_POST['lokacija']);
$STH->bindParam(':9', $_POST['osnov']);
$STH->bindParam(':10', $_POST['kultura']);
$STH->bindParam(':11', $_POST['prinos_2013']);
$STH->bindParam(':12', $_POST['ocekivano']);
$STH->bindParam(':13', $user_id);
$STH->execute();
but I get error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(naziv, ha, ar, m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_ko' at line 1
Data submitted successfully
How I can solve this?
What is exactly error in my code?
The UPDATE syntax is wrong, and you should avoid integer placeholders.
$query ="UPDATE `zemljiste`
SET naziv = :naziv, ha = :ha, ar = :ar, m2 = :m2, udeo_ha = :udeo_ha,
udeo_ar = :udeo_ar, udeo_m2 = :udeo_m2, lokacija=:lokacija, osnov = :osnov,
kat_kul = :kultura, 2013_kol=:prinos_2013, ocekivano = :ocekivano
WHERE id = :id_akt AND user_id=:user_id";
$STH = $db->prepare($query);
$STH->bindParam(':id_akt', $_POST['naziv']);
$STH->bindParam(':naziv', $_POST['naziv']);
$STH->bindParam(':ha', $_POST['ha']);
$STH->bindParam(':ar', $_POST['ar']);
$STH->bindParam(':m2', $_POST['m2']);
$STH->bindParam(':udeo_ha', $_POST['udeo_ha']);
$STH->bindParam(':udeo_ar', $_POST['udeo_ar']);
$STH->bindParam(':udeo_m2', $_POST['udeo_m2']);
$STH->bindParam(':lokacija', $_POST['lokacija']);
$STH->bindParam(':osnov', $_POST['osnov']);
$STH->bindParam(':kultura', $_POST['kultura']);
$STH->bindParam(':prinos_2013', $_POST['prinos_2013']);
$STH->bindParam(':ocekivano', $_POST['ocekivano']);
$STH->bindParam(':user_id', $user_id);
$STH->execute();
You're using a syntax for INSERT statement in UPDATE, which is wrong.
It should look like this,
UPDATE table SET key=:value, key1=:value1 WHERE id=:id AND foo=:bar. So just replace,
"UPDATE zemljiste (naziv, ha, ar, m2, udeo_ha, udeo_ar, udeo_m2, lokacija, osnov, kat_kul, 2013_kol, ocekivano) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12) WHERE id = :id_akt AND user_id=:13"
with
UPDATE zemljiste SET naziv =:1, ha =:2, ...... WHERE id=:id_akt AND user_id = :13
You are using the wrong syntax for update. It should be:
UPDATE zemljiste SET naziv=:1, ha=:2, ar=:3, ... WHERE ...
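The answers above fix the statement by hand. As an added example (not code from the question or any answer), here is the same UPDATE built from an allow-list of columns, so the SET clause can only ever name columns the application chose, placeholder names are readable identifiers rather than :1, :2, and the WHERE clause carries the session's user_id so a user can only touch their own row. It assumes the pdo_sqlite extension; the table uses a subset of the question's columns, and the $user_id and form payload are constructed here.

```php
<?php
// Added example, not the question's or answers' code. Assumes pdo_sqlite; the
// table, the $user_id session value and the $post payload are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE zemljiste (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    naziv TEXT, ha INTEGER, ar INTEGER, m2 INTEGER, lokacija TEXT)');
$db->exec("INSERT INTO zemljiste VALUES (5, 42, 'old', 0, 0, 0, 'x')");
$db->exec("INSERT INTO zemljiste VALUES (6, 99, 'other', 0, 0, 0, 'y')");

// Form field => column. Only these columns can ever be written, whatever the
// client posts; column names come from this map, never from the request.
const UPDATABLE = [
    'naziv' => 'naziv', 'ha' => 'ha', 'ar' => 'ar', 'm2' => 'm2', 'lokacija' => 'lokacija',
];

/**
 * Update the caller's own row. Returns rows changed: 1 on success, 0 if the
 * id does not exist, belongs to another user, or nothing updatable was posted.
 */
function updateParcel(PDO $db, int $id, int $userId, array $post): int
{
    $set = [];
    $params = [':id' => $id, ':user_id' => $userId];
    foreach (UPDATABLE as $field => $column) {
        if (!array_key_exists($field, $post)) {
            continue;
        }
        $set[] = "$column = :$field";       // placeholder named after the column, not :1, :2
        $params[":$field"] = $post[$field];
    }
    if ($set === []) {
        return 0;
    }
    $sql = 'UPDATE zemljiste SET ' . implode(', ', $set)
         . ' WHERE id = :id AND user_id = :user_id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

$user_id = 42;   // from the authenticated session, never from the form

// Constructed form payload standing in for $_POST. The user_id and is_admin
// keys are an attempt to write columns the form should not control.
$post = ['id' => '5', 'naziv' => 'Njiva', 'ha' => '2', 'user_id' => '99', 'is_admin' => '1'];
$id = filter_var($post['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    exit("bad id\n");
}

echo updateParcel($db, $id, $user_id, $post), "\n";   // 1: own row updated; user_id/is_admin ignored
echo updateParcel($db, 6, $user_id, $post), "\n";     // 0: row 6 belongs to user 99, untouched
```

Note that the question's code binds :id_akt to $_POST['naziv'], the name field, rather than to the row id; whatever the statement syntax, a WHERE that compares id against a name will match nothing, so checking rowCount() as above is what catches it.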

PHP PDO Update SQL Syntax Error

I am new to PDO and I'm trying to build my own CRUDS application. I already created CRD but I'm getting stuck with Updating user information. It seems that I have a problem with my syntax, but I thoroughly checked the documentation and I can't figure out what is wrong with the code. It's passing me this error:
ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Doe, email=johndoe@gmail.com, location=New York City WHERE id=1' at line 1
Here is my code:
include('database.inc.php');
if (isset($_POST['submit'])) {
$id = $_POST['userId']; // 1
$name = $_POST['employee_name']; // John Doe
$email = $_POST['email']; // johndoe@gmail.com
$location = $_POST['location']; // New York City
try {
$query = "UPDATE users SET employee_name=$name, email=$email, location=$location WHERE id=$id";
$statement = $conn->prepare($query);
$statement->execute();
header('Location: ../index.php');
} catch(PDOException $e) {
echo 'ERROR: ' .$e->getMessage();
}
}
The problem with your code is that you didn't put quotes around the string values in the SQL. But you should use parametrized queries, not substitute variables into the SQL. This solves the quoting problem, and also prevents SQL injection.
$query = "UPDATE users SET employee_name=:name, email=:email, location=:location WHERE id=:id";
$statement = $conn->prepare($query);
$statement->execute(array(':name' => $name,
':email' => $email,
':location' => $location,
':id' => $id));
Try surrounding the variables in the statement with single quotes ( ' )
$query = "UPDATE users SET employee_name='$name', email='$email',
location='$location' WHERE id='$id'";
