
I have the below PHP for my bookkeeping application. It uses PDO.

if (isset($_POST['lesson'])AND isset($_POST['page']))
{
   try {
      $options_pdo[PDO::ATTR_ERRMODE]=PDO::ERRMODE_EXCEPTION ;
      $DB= new PDO('mysql:host=localhost;dbname=mydb','jamie','admin',$options_pdo);
      $statement=$DB->query("SELECT data FROM teach_books where lesson=".$_POST['lesson']."AND page=".$_POST['page'] );

      while($results = $statement->fetch()){
         $results['data'];
         echo "<br>";
      }

   } catch(Exception $e) {
    die ('ERROR: '.$e->getMessage());
    exit;
  }

}

However when I run the code it displays the below error:

ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'page=dsas' at line 1

Could anybody help please?

Aaron Bertrand
  • your code is vulnerable to SQL injection; using PDO doesn't make you safe from SQL injection, you need to escape the request properly, or better would be to use a prepared statement [**Good Read**](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189) – NullPoiиteя Feb 18 '13 at 12:04
  • try `"SELECT data FROM teach_books where lesson = '".$_POST['lesson']."' AND page = '".$_POST['page']."'" )` – NullPoiиteя Feb 18 '13 at 12:06
  • http://php.net/manual/en/pdo.prepare.php – MrCode Feb 18 '13 at 12:07
  • replace your code to this $statement=$DB->query("SELECT data FROM teach_books WHERE lesson='".$_POST['lesson']."' AND page='".$_POST['page']."'" ); – Kannika Feb 18 '13 at 12:23

3 Answers

2

A couple of things:

1) DO NOT INSERT RAW QUERY STRINGS:
This code is extremely susceptible to SQL injection. PDO has a feature called 'prepared statements'. This is what you should be using for your SQL queries. Do not just inject some POST parameters into the query string, as the result will be a security hole. The quotes you have accidentally inserted into the query may well have come from a malicious user trying a SQL attack.

2) MISSING SPACE:
You have a missing space right before the AND. The parser does not know what to make of the term 2AND and so produces the error. The SQL by itself expands to something like:

SELECT data FROM teach_books where lesson=2AND page=24;

3) MISSING QUOTE MARKS:
If you were to use something like the above you will need to add some closing quote marks at the end of the query. You also need quotes around the string params that you give inside the select.

4) ECHO DATA:
You are not actually printing out anything in the loop. Simply having a statement sitting inside PHP will not print it out. You need the echo command.

echo $results['data'];

5) ITERATE OVER OBJECT:
You do not need to keep calling fetch(), you could use fetchAll() and then iterate over that result set. Really you should not call any "fetch" method unless you just need the rows in an array. The result set object is iterable and can be looped over.

$statement->execute(); 
foreach ($statement as $row) { 
    ... 
}  

6) TRY-CATCH:
You could probably remove the 'try-catch' code because what you are doing inside there is what the exception would do anyway.

Additionally I hope 'admin' is not your actual password.

Sorry to have kept adding to my answer. Just wanted to post the 6 points by themselves and then expand on them.

Hope that helps

Craig Taub
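The lookup from the question rewritten along the lines of points 1, 4 and 5 above, as an added example (it is not code from the question or from any of the answers). It assumes the table and column names from the question (teach_books, lesson, page, data) and treats both request values as short strings; if the columns are integers, validate with FILTER_VALIDATE_INT instead of the length check used here. The connection details are copied from the question and are placeholders.

```php
<?php
// Added example, not code from the question or any of the answers: the same
// lookup done with a PDO prepared statement. Assumes the table and column
// names from the question (teach_books, lesson, page, data) and that both
// request values are short strings; if the columns are integers, validate
// with FILTER_VALIDATE_INT instead.
declare(strict_types=1);

/**
 * Read one POST value and apply a minimal validity check before it goes
 * anywhere near the database. Returns null when the value is missing,
 * not a plain string, empty, or implausibly long.
 */
function readParam(array $post, string $name, int $maxLength = 64): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = trim($post[$name]);
    if ($value === '' || strlen($value) > $maxLength) {
        return null;
    }
    return $value;
}

/**
 * Fetch the data column for one lesson/page pair. The values are sent as
 * bound parameters, so the server never parses them as SQL: a value such as
 * "dsas" or "1 OR 1=1" is compared literally rather than executed, and the
 * missing-space and missing-quote problems from the question cannot occur.
 */
function fetchPageData(PDO $db, string $lesson, string $page): array
{
    $stmt = $db->prepare(
        'SELECT data FROM teach_books WHERE lesson = :lesson AND page = :page'
    );
    $stmt->bindValue(':lesson', $lesson, PDO::PARAM_STR);
    $stmt->bindValue(':page', $page, PDO::PARAM_STR);
    $stmt->execute();

    // One flat array of the data column, instead of calling fetch() in a loop.
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$lesson = readParam($_POST, 'lesson');
$page   = readParam($_POST, 'page');

if ($lesson !== null && $page !== null) {
    try {
        $db = new PDO(
            'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
            'jamie',
            'admin',   // credentials copied from the question; keep real ones out of the script
            [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                // Let MySQL do the binding server-side rather than having PDO
                // splice escaped values into the SQL text client-side.
                PDO::ATTR_EMULATE_PREPARES => false,
            ]
        );

        foreach (fetchPageData($db, $lesson, $page) as $data) {
            // echo, which the question's loop omitted, with HTML escaping so
            // stored content cannot inject markup into the page.
            echo htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    } catch (PDOException $e) {
        // Keep the detail in the server log; the raw message (as in the 1064
        // error above) exposes table names and query fragments to the client.
        error_log('teach_books lookup failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'ERROR: could not load the requested page';
    }
}
```

With emulated prepares disabled, the SQL text and the two values travel to MySQL separately, which is what makes the concatenation bugs and the injection in the question impossible here; the try-catch is kept only to stop the raw PDOException message from reaching the browser.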
0

Your SQL is wrong, try this:

$statement=$DB->query("SELECT data FROM teach_books where lesson='".$_POST['lesson']."' AND page='".$_POST['page']."'" );

You're comparing string values, so you need to use '' in the SQL query.

Guerra
0
ERROR: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'page=dsas' at line 1

The problem is probably because you didn't add quotes for the value:

".... page='".$_POST['page']."'"

Strings ALWAYS need quotes around them.

Manuel