This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 1 year ago.
Does anyone here have some experience with this error?
Only If I use the WHERE clause, I get this error.
I use php PDO to get the results.
And this is my simple table
$sql = "CREATE TABLE samenvatting (
stem_id INTEGER PRIMARY KEY AUTOINCREMENT,
poll_id TEXT,
stem_waarde_id TEXT,
totaal INTEGER
)";
$crud->rawQuery($sql);
$poll_id = "somepoll";
$records = $crud->rawSelect('SELECT * FROM samenvatting WHERE poll_id='.$poll_id);
pdo abstract class
public function conn()
{
isset($this->username);
isset($this->password);
if (!$this->db instanceof PDO)
{
$this->db = new PDO($this->dsn, $this->username, $this->password);
$this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
}
public function rawSelect($sql)
{
$this->conn();
return $this->db->query($sql);
}
Thanks, Richard
It is treating "somepoll" as a column in the table. You need to quote it, since it is declared as text. Something like
$records = $crud->rawSelect(
'SELECT * FROM samenvatting WHERE poll_id="' . $poll_id . '"'
);
perhaps?
Related
This question already has answers here:
Getting raw SQL query string from PDO prepared statements
(16 answers)
Why does this PDO statement silently fail?
(2 answers)
Closed last month.
I'm trying to come up with a way to control what happends if some UPDATE/INSERTS into a BD fail.
private $db;
public function __construct() {
$dsn = 'mysql:dbname=BDNAME;host=localhost';
$this->db = new PDO($dsn, 'USEER', 'PASSWORD', array('charset' => 'utf8'));
}
public function createnewthingtodo($what,$where,$when,$how,$done){
$sql= "INSERT INTO TODOLIST (what,where,when,how,done) VALUES (:what, :where, :when, :how, :done)";
$st = $this->db->prepare ($sql);
$st->bindValue(':what',$what);
$st->bindValue(':where',$where);
$st->bindValue(':when',$when);
$st->bindValue(':how',$how);
$st->bindValue(':done',$done);
if($st->execute()){
return true;
}else{
return false;
}
}
This example is returning always false, if i delete the last "if" and put the execution part just below the last binvalue, it works just fine, but then i end up with no error handling, any ideas on how can i achieve this? Thanks for your time.
This question already has answers here:
delete using where and or
(4 answers)
Why does this PDO statement silently fail?
(2 answers)
Closed 4 years ago.
I'm coding a blog to get experience with php.
I want the admin to be able to delete a post, but when I click the delete-button which should actually bring me to a function that deletes the post I get the error Call to a member function execute() on boolean.
Here is the code of the postsRepository.php which interacts with the database and the function in the postsAdminController.php:
public function deletePost($id)
{
$table = $this->getTableName();
$model = $this->getModelName();
$stmt = $this->pdo->prepare("DELETE * FROM `{$table}` WHERE id = :id");
$stmt->execute([
'id' => $id
]);
}
public function deletePost()
{
$id = $_GET['id'];
if ($this->postsRepository->deletePost($id)) {
header("Location: posts-admin");
return;
} else {
}
}
I've var_dumped the $id right before the $stmt, it's correct and the shown error says the it is because of $stmt->execute([.
The $stmt is stated as false when I var_dumped it, but why?
The correct syntax for DELETE is
DELETE FROM tableName WHERE ...
Remove the * in your query.
$stmt is false because "If the database server cannot successfully prepare the statement, PDO::prepare() returns FALSE or emits PDOException (depending on error handling)."
For more informations, check the documentation
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
when i try to add a new studio in my php application in this example i use newstudio as a name i get this error i think that it read the name i give as a row in the database table
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Champ 'newstudio' inconnu dans field list'
private $conn;
public function __construct()
{
$database = new Database();
$db = $database->dbConnection();
$this->conn = $db;
}
public function addStudio($sname,$sdes,$sidusr)
{
$stmt = $this->conn->prepare("INSERT INTO studio (name,des,idusr) VALUES ($sname,$sdes, $sidusr)");
$stmt->execute();
}
if you have string value you should use single quote around these vars
public function addStudio($sname,$sdes,$sidusr)
{
$stmt = $this->conn->prepare("INSERT INTO studio (name,des,idusr)
VALUES ('$sname','$sdes', '$sidusr')");
$stmt->execute();
}
or you could use a parametrized query
public function addStudio($sname,$sdes,$sidusr)
{
$stmt = $this->conn->prepare("INSERT INTO studio (name,des,idusr)
VALUES (:sname,:sdes, ':sidusr)");
$stmt->bindParam(':sname', $sname);
$stmt->bindParam(':sdes', $sdes);
$stmt->bindParam(':sidusr', $sidusr);
$stmt->execute();
}
Values require a ' wrapped around it, but don't add it yourself.
You are already using prepare(), make use of it.
public function addStudio($sname,$sdes,$sidusr){
$stmt = $this->conn->prepare("INSERT INTO studio (name,des,idusr) VALUES (?,?,?)");
$stmt->execute([$sname, $sdes, $sidusr]);
}
Also, you should actually check the value of $stmt and verify if execute() did its job correctly.
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
Is it possible to bind a table name?
I want to make a class to read the columns from a tables and, depending on field type, generate the form inputs for me. When I do $form = new form("users");, the constructor is supposed to start with getting the field names from the table with the following code:
class form{
public function __construct($table, $skip = array("id")){
$pdo = new PDO('mysql:host=localhost;dbname=site;',USER,PASS);
$query = $pdo->prepare("DESCRIBE :table");
$query->bindValue(':table', $table, PDO::PARAM_STR, strlen($table));
$query->execute();
while($field = $query->fetch(PDO::FETCH_NUM)){
var_dump($field);
echo "<br /><br />";
}
unset($pdo);
}
}
This works just fine when I specify "users" instead of ":table" in the prepare statement, but the bind it's working, and I'm pretty sure it's because it's trying to bind a table name. Also, this needs to be binded because I'd like to have the ability to pass my table names through $_GET and the such.
Is it possible to bind a table name?
No.
You have to whitelist table names. I doubt you want to let a user to browse any table from your database.
Given you are using a class, it will be no-brainer to add a table name as a property. It will be simple, elegant and safe. Create an abstract parent class first
abstract class abstractTable {
private $table;
private $db;
public function __construct($pdo){
$this->db = $pdo;
}
public function describe() {
return $db->query("DESCRIBE `$this->table`")->fetchAll();
}
}
Then create a specific class for your table
class someTable extends abstractTable {
private $table = 'sometable';
}
and so you will be able to get the required list of columns
$pdo = new PDO(...);
$table = new someTable($pdo);
$fields = $table->describe();
simple, concise, powerful, safe.
There is a PDO wrapper class at - http://www.phpclasses.org/package/5997-PHP-Database-access-abstraction-layer.html that lets you do this (though I am new to PDO so maybe it isnt using prepared statements)
His suggested usage is:
$db = new DatabaseConnection('someMysqlServer', 'user', 'pass', 'database');
$result = $db->exec($db->filterForSql('SELECT * FROM '.$tableName.';'));
I would interested if others think this is a 'safe' way of using PDO or not.
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
Is it possible to bind a table name?
I want to make a class to read the columns from a tables and, depending on field type, generate the form inputs for me. When I do $form = new form("users");, the constructor is supposed to start with getting the field names from the table with the following code:
class form{
public function __construct($table, $skip = array("id")){
$pdo = new PDO('mysql:host=localhost;dbname=site;',USER,PASS);
$query = $pdo->prepare("DESCRIBE :table");
$query->bindValue(':table', $table, PDO::PARAM_STR, strlen($table));
$query->execute();
while($field = $query->fetch(PDO::FETCH_NUM)){
var_dump($field);
echo "<br /><br />";
}
unset($pdo);
}
}
This works just fine when I specify "users" instead of ":table" in the prepare statement, but the bind it's working, and I'm pretty sure it's because it's trying to bind a table name. Also, this needs to be binded because I'd like to have the ability to pass my table names through $_GET and the such.
Is it possible to bind a table name?
No.
You have to whitelist table names. I doubt you want to let a user to browse any table from your database.
Given you are using a class, it will be no-brainer to add a table name as a property. It will be simple, elegant and safe. Create an abstract parent class first
abstract class abstractTable {
private $table;
private $db;
public function __construct($pdo){
$this->db = $pdo;
}
public function describe() {
return $db->query("DESCRIBE `$this->table`")->fetchAll();
}
}
Then create a specific class for your table
class someTable extends abstractTable {
private $table = 'sometable';
}
and so you will be able to get the required list of columns
$pdo = new PDO(...);
$table = new someTable($pdo);
$fields = $table->describe();
simple, concise, powerful, safe.
There is a PDO wrapper class at - http://www.phpclasses.org/package/5997-PHP-Database-access-abstraction-layer.html that lets you do this (though I am new to PDO so maybe it isnt using prepared statements)
His suggested usage is:
$db = new DatabaseConnection('someMysqlServer', 'user', 'pass', 'database');
$result = $db->exec($db->filterForSql('SELECT * FROM '.$tableName.';'));
I would interested if others think this is a 'safe' way of using PDO or not.