PDO Update not working

Question

Im trying to do a PDO update to mySql database. Its not showing any errors, but neither is it updating the table.

here is the code that im using. The user selects the POST value from a drop down list.

 if (isset($_POST['changeLearningStyle'])){
 if (isset($_POST['learning'])){
 $var6 = $_POST['learning'];
 $stmt8 = $db->prepare("UPDATE users SET learningStyle = $var6 WHERE username = ?  AND     learningStyle = ?");
 $stmt8->execute(array($id, $learningStyle));
 $alert = '<div id="title1">Your learning style have been successfully updated</div>';
 }
} /**And the HTML looks  like this: **/
<form name="changeStyle" method="POST">
<div id="resetLearningStyle">
<div id="tab6">
 <h4 id="black">Learning Style</h4>
 <h5>Current Style: <?php echo($learningStyle) ?></h5>
 <select id="learning" name="learning" class="span3">
  <option value="">Select Style</option>
  <option value="Auditory">Auditory</option>
  <option value="Visual">Visual</option>
  <option value="Persuasive">Persuasive</option>
  <option value="Active">Active</option>    
  </select>
  </div>
  <input class="btn btn-inverse" type="submit" name="changeLearningStyle" value="Reset    Learning Style">
  </form>
 /**Table Structure **/

-- Table structure for table `users`

  CREATE TABLE `users` (
 `id` int(20) NOT NULL auto_increment,
 `fname` varchar(200) NOT NULL,
 `lname` varchar(200) NOT NULL,
 `username` varchar(200) NOT NULL,
 `password` varchar(200) NOT NULL,
 `country` varchar(200) NOT NULL,
 `rootLanugage` varchar(200) NOT NULL,
 `learningStyle` varchar(200) NOT NULL,
 `language` varchar(200) NOT NULL,
 `icon` varchar(200) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=31 ;

Thank You in advance!

While you are using PDO, which is good, you have SQL injection vulnerabilities. Do not insert `$_POST` variables directly in your query, use prepared statements instead. See [PHP PDO prepared statements](http://stackoverflow.com/q/1457131) — Madara's Ghost, May 14 '13 at 07:39
No, I a malicious user, can easily insert whatever value I want there, even if it isn't part of your original `select` options. I urge you to read on prepared statements, it's the only bulletproof way to counter SQL injection. — Madara's Ghost, May 14 '13 at 07:42
No, not ok. The HTML can be easily modified on the client side. Do what @MadaraUchiha suggested. When you have added it directly, you are not properly adding quotes either. The query will be wrong if `$var6` is not an integer. — dakdad, May 14 '13 at 07:43
@dakdad you actually solved the issue along with silkfire. Once i found where the error was, i used the proper quotation to fix it. — Thelson Richardson, May 14 '13 at 07:50

score 3 · Accepted Answer · answered May 14 '13 at 07:40

3

To make it show errors, add this line of code right after connecting to the DB:

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

answered May 14 '13 at 07:40

silkfire

24,585
15
82
105

Ok, I get Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column 'Visual' in 'field list'' in /home/content/23/10985223/html/settings.php:110 Stack trace: #0 /home/content/23/10985223/html/settings.php(110): PDOStatement->execute(Array) #1 {main} thrown in /home/content/23/10985223/html/settings.php on line 110 – Thelson Richardson May 14 '13 at 07:44
Then there's no such column in your table; do you know how to fix this? – silkfire May 14 '13 at 07:49
Yes, actually the error was quotations in the MySql statement. – Thelson Richardson May 14 '13 at 07:52
In his original query if `$var6` is not an integer, it will be wrong because it does not use quotes to wrap the string. – dakdad May 16 '13 at 07:24

PDO Update not working

-- Table structure for table users

1 Answers1

-- Table structure for table `users`