I'm getting a weird error from PDO and it doesn't make sense. I am trying the following code, but even if I change the code I get the exact same error, which doesn't reflect any of the changes.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber=?");
$stmt->bindValue(1, (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
Here's the error message:
"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' gpsthr from ccprefs where fleetnumber= ?' at line 1"
If I change the code to this I still get the same error.
$stmt = $db->prepare("SELECT database, gpsthr from ccprefs where fleetnumber= :fleet");
$stmt->bindValue(':fleet', (int) $smpfleet, PDO::PARAM_INT);
$stmt->execute();
DATABASE is a reserved keyword and as such you have to quote it.
I have a strange error:
I have this simple code:
$id = strip_tags($_SESSION["infos_profile_id"]);
$id_friend = strip_tags($_POST["update_user_chat_every_5_second"]);
$q = $bdd->query('SELECT * FROM message WHERE id_sender = '.$id_friend.' AND id_send_to = '.$id.' AND message_read = "0"');
It works fine on MySQL.
But after hosting my website on a MariaDB server, I see this error:
PHP Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND message_read = "0"' at line 1' in
I have done everything to solve it, but I can't find where the error really comes from.
Any help to solve this error?
Thanks.
I agree with the comment from #MaxT above -- you should echo your SQL query after interpolating all variables into it. It's too difficult to debug when you're looking at code that formats an SQL query, instead of the query itself.
Comments are also correct that strip_tags() is not useful for SQL injection protection.
Query parameters are the best protection against SQL injection, and they help you avoid syntax errors too.
Here's what it would look like for your code:
$id = $_SESSION["infos_profile_id"];
$id_friend = $_POST["update_user_chat_every_5_second"];
$sql = 'SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0';
$q = $bdd->prepare($sql);
$q->execute( ['id'=>$id, 'id_friend'=>$id_friend] );
It's really very easy!
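As an added example (not code from the question or the answer above), the following script runs both forms of the query, the interpolated one from the question and the parameterised one from the answer, against an in-memory SQLite database through PDO so that no MySQL/MariaDB server is needed. The table layout, the sample rows and the stand-in `$post`/`$session` arrays are constructed for the demonstration; `requireInt()` is a helper introduced here, not a PDO function.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL/MariaDB server.
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE message (id INTEGER PRIMARY KEY, id_sender INTEGER, id_send_to INTEGER, message_read INTEGER)');
// Constructed rows: two from user 7 to user 3 (one already read), one from user 9.
$bdd->exec('INSERT INTO message (id_sender, id_send_to, message_read) VALUES (7, 3, 0), (7, 3, 1), (9, 3, 0)');

// The interpolated form from the question. The SQL text changes with every
// input; an empty $id leaves "id_send_to =  AND ...", which is exactly the
// malformed fragment the 1064 message points at. strip_tags() cannot help here.
function interpolatedSql(string $id, string $id_friend): string {
    return 'SELECT * FROM message WHERE id_sender = ' . $id_friend
         . ' AND id_send_to = ' . $id . ' AND message_read = 0';
}

// The parameterised form from the answer: the SQL text is fixed, the values
// travel separately and can never alter the statement's structure.
function unreadFrom(PDO $bdd, int $id, int $id_friend): array {
    $q = $bdd->prepare('SELECT * FROM message WHERE id_sender = :id_friend AND id_send_to = :id AND message_read = 0');
    $q->execute(['id' => $id, 'id_friend' => $id_friend]);
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

// Session and POST values arrive as strings; validate them as integers before
// they get anywhere near SQL (helper introduced for this example).
function requireInt(array $source, string $key): int {
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $v;
}

// 1. Do what the comments recommend: look at the query text itself. With an
//    empty session value it is plainly broken, and the server rejects it.
echo interpolatedSql('', '7'), PHP_EOL;
try {
    $bdd->query(interpolatedSql('', '7'));
} catch (PDOException $e) {
    echo 'interpolated query failed: ', $e->getMessage(), PHP_EOL;
}

// 2. The parameterised query with validated input returns the unread row from user 7.
$post    = ['update_user_chat_every_5_second' => '7'];  // constructed stand-in for $_POST
$session = ['infos_profile_id' => '3'];                 // constructed stand-in for $_SESSION
$rows = unreadFrom(
    $bdd,
    requireInt($session, 'infos_profile_id'),
    requireInt($post, 'update_user_chat_every_5_second')
);
echo count($rows), ' unread message(s) from user 7', PHP_EOL;

// 3. Missing or empty input is rejected before any SQL is built at all.
try {
    requireInt(['infos_profile_id' => ''], 'infos_profile_id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation step is what separates "no syntax error" from "correct": a prepared statement keeps a bad value from breaking the query, but an integer column compared to a non-integer still silently matches nothing, so reject bad input in PHP and let the parameter binding carry only values you have already checked.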
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 4 years ago.
I am having problems running a PDO execute and returns an error in MySQL syntax.
The code is as follows:
try {
global $connect;
$arr = array(':ranked' => $db_rank, ':tier' => $db_tier, ':id' => $_SESSION['user_id']);
$query = $connect->prepare('UPDATE users SET :ranked = :tier WHERE id = :id');
$query->execute($arr);
} catch (PDOException $e) {
echo $e->getMessage();
}
where $db_rank returns a string with the column name (conversion from JSON) and $db_tier returns a joined string (again conversion from JSON).
It is inside a loop that should update 1-3 columns, but upon execution an exception is thrown:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''<column name1>' = '<value1>' WHERE id = '3'' at line 1
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''<column name2>' = '<value2>' WHERE id = '3'' at line 1
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''<column name3>' = '<value3>' WHERE id = '3'' at line 1
It should probably be because of the passing of the table column as a variable, in which case how should I proceed to loop it with 3 different pre-set table names without making it spaghetti code?
Found my answer:
Should prepare the statement with " and not with ' because inside the array the type changes 3 times (once from function, once from passing and once from PREPARE statement). The variables themselves are const and are fetched using a whitelist already (upon decoding from the JSON request).
$sql = 'INSERT INTO employee (cin,nom) VALUES(:cin,:nom)';
try{
$requete=$db->query($sql);
$requete->bindValue(':cin',$emp->GetCin(),PDO::PARAM_STR);
$requete->bindValue(':nom',$emp->GetNom(),PDO::PARAM_STR);
$requete->execute();
}
catch(Exception $e)
{
die("erreur".$e->getMessage());
}
When executing this code, the following error arises:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':cin,:nom)'
How to fix?
$db->query() executes the query as is.
The query you are using requires that you first prepare the statement, bind parameters and then execute the query. Otherwise, the tuple after VALUES is interpreted as data.
In order to fix this, use $db->prepare(). (Docs)
$requete=$db->prepare($sql);
$requete->bindValue(':cin',$emp->GetCin(),PDO::PARAM_STR);
$requete->bindValue(':nom',$emp->GetNom(),PDO::PARAM_STR);
$requete->execute();
I'm just trying pagination in one of my projects and I am getting an error like this:
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0',5' at line 1
Please help me.
You get this error because the $go parameter is being inserted as a string rather than an int.
I recommend binding parameters before execute. You can do it like this:
$stmt->bindParam(':go', $go, PDO::PARAM_INT);
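As an added example (not the poster's or the answerer's code), here is a complete pagination query with LIMIT and OFFSET bound as integers, run on an in-memory SQLite database through PDO so it works without a MySQL server. The `item` table, its rows, the `:per_page` placeholder and the `pageOffset()`/`fetchPage()` helpers are assumptions made for the example; only `:go` and the `PDO::PARAM_INT` binding come from the answer.

```php
<?php
// Added example: SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With emulated prepares the MySQL driver inlines values into the SQL text, and
// a string-typed value becomes '0' (quoted) inside LIMIT, which is the 1064 in
// the question. Native prepares send typed parameters instead, so turn emulation
// off on MySQL; the SQLite driver does not use this attribute.
if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
$db->exec('CREATE TABLE item (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO item (title) VALUES (:title)');
for ($i = 1; $i <= 12; $i++) {          // constructed rows
    $ins->execute(['title' => "item $i"]);
}

// Turn the raw page number from the query string into a safe offset.
// Non-numeric, zero or negative input falls back to page 1 instead of reaching SQL.
function pageOffset($rawPage, int $perPage): int {
    $page = filter_var($rawPage, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return (($page === false ? 1 : $page) - 1) * $perPage;
}

function fetchPage(PDO $db, $rawPage, int $perPage = 5): array {
    $go = pageOffset($rawPage, $perPage);
    $stmt = $db->prepare('SELECT id, title FROM item ORDER BY id LIMIT :per_page OFFSET :go');
    // Explicit integer binding: a value straight from $_GET is a PHP string and
    // would otherwise be bound as PDO::PARAM_STR.
    $stmt->bindValue(':per_page', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':go', $go, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Page 1 and page 3 are real pages; 'abc' and '-4' are the kind of values a
// pagination link can carry and both collapse to page 1.
foreach (['1', '3', 'abc', '-4'] as $raw) {
    $rows = fetchPage($db, $raw);
    echo "page '$raw': ", count($rows), ' rows, first id ', $rows[0]['id'] ?? 'none', PHP_EOL;
}
```

The cast in the answer (`(int) $go` or `PDO::PARAM_INT`) fixes the syntax error; the `pageOffset()` check on top of it keeps a negative or nonsensical page from turning into a negative OFFSET, which MySQL rejects with a different error.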
I'm trying to execute a PDO update statement defined as follows:
$sql = "UPDATE users SET (email,name) VALUES (:email,:name) WHERE userId = :userId";
$result= $db->prepare($sql);
$result->execute(array(':userId'=>21,':email'=>'test',':name'=>'testname'));
But no matter what I try, it returns the following error:
Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(email,name) VALUES ('test','testname') WHERE userId = '21'' at line 1' in /var/www/vhosts/tftest.co.uk/biggreensquare.co.uk/application/models/user_model.php:79
I can't see what is wrong with my syntax that is causing this; any feedback much appreciated.
I would expect the syntax to look like:
UPDATE users
SET email = :email,
name = :name
WHERE userId = :userId;
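As an added example (not code from any of the posts above), the script below ties together two of the questions on this page: the `UPDATE ... SET col = :val` form given in this answer, and the earlier question where a column name was passed as a bound parameter, which PDO cannot do. Column names come from a fixed allowlist and are quoted with backticks, the same treatment the reserved word `database` needed in the first question; values are always bound. The `users` columns, the rows, the JSON stand-in and the `updateUser()`/`quoteIdentifier()` helpers are assumptions for the example, and it runs on an in-memory SQLite database through PDO, which accepts backtick-quoted identifiers like MySQL.

```php
<?php
// Added example: SQLite in memory stands in for MariaDB/MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, solo TEXT, flex TEXT)');
$db->exec("INSERT INTO users (id, email, name) VALUES (21, 'old@example.test', 'old')");  // constructed row

// The only columns this code may ever touch. A name that is not on the list,
// whatever its origin (JSON, POST, ...), is rejected before it can reach the SQL text.
const UPDATABLE_COLUMNS = ['email', 'name', 'solo', 'flex'];

// Backtick-quote an identifier (MySQL style; also how a reserved word such as
// `database` has to be written as a column name).
function quoteIdentifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build "UPDATE users SET `a` = :a, `b` = :b WHERE id = :id" from an
// associative array of column => value, validating every key. Returns the
// number of rows changed.
function updateUser(PDO $db, int $id, array $changes): int {
    if ($changes === []) {
        throw new InvalidArgumentException('nothing to update');
    }
    $assignments = [];
    $params = ['id' => $id];
    foreach ($changes as $column => $value) {
        if (!in_array($column, UPDATABLE_COLUMNS, true)) {
            throw new InvalidArgumentException("column not updatable: $column");
        }
        $assignments[] = quoteIdentifier($column) . ' = :' . $column;  // identifier in SQL text
        $params[$column] = $value;                                      // value stays a parameter
    }
    $sql = 'UPDATE users SET ' . implode(', ', $assignments) . ' WHERE id = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// The update from this question, written with SET pairs instead of VALUES (...).
echo updateUser($db, 21, ['email' => 'test', 'name' => 'testname']), " row updated\n";

// The loop from the column-name question: each decoded key is checked against the
// allowlist and placed in the SQL text, each value is bound.
$decoded = ['solo' => 'tier A', 'flex' => 'tier B'];  // constructed stand-in for the decoded JSON
foreach ($decoded as $column => $tier) {
    updateUser($db, 21, [$column => $tier]);
}
print_r($db->query('SELECT * FROM users WHERE id = 21')->fetch(PDO::FETCH_ASSOC));

// A column name outside the allowlist never reaches the statement.
try {
    updateUser($db, 21, ['password' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allowlist is the actual control here: quoting an identifier only makes it syntactically safe, it does not decide whether the caller should be allowed to write that column, so keep the list of updatable columns in code rather than deriving it from the request.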