
I have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar, so for example, if I use ' it fails on me. I am using prepare, but it's just the apostrophe that fails to work?

if($_POST['ourstory']) {
    foreach($_POST['ourstory'] as $id => $ourstory) {
        $sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
        $q = $db->prepare($sql);
        $q->execute(array($id,$ourstory));
    }
}
robjohncox
User_coder
  • You should be binding the variables, rather than adding them right into the SQL string. – andrewsi Jul 22 '13 at 17:21
  • ? This question mark is actually an answer.. :P – Manu Jul 22 '13 at 17:22
  • You're vulnerable to SQL injection attacks. You're using prepared statements, so you **SHOULD** be using placeholders. e.g. `... content = ? WHERE id = ?`, – Marc B Jul 22 '13 at 17:24
  • `$sql = "UPDATE our_story SET content = ? WHERE id = ?";` since you are using `execute(array())`, use question mark placeholders – Sean Jul 22 '13 at 17:24
  • *Punctuation*, not grammar. You'd hope sentences do not need to be ungrammatical to be inserted into a database. Also: [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Jul 22 '13 at 17:28
  • Also http://php.net/manual/en/pdo.prepared-statements.php – deceze Jul 22 '13 at 17:30
  • I come here for a solution, people downvote the post. Can some moderator close the post, I don't want to get banned. – User_coder Jul 22 '13 at 17:31
  • You can delete it. I flagged it and I'm sure many others have also. – jdero Jul 22 '13 at 17:37
  • This is a valid question, but it has been answered in various forms before. This is just the basics of [using PDO](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). – tadman Jul 22 '13 at 18:22

1 Answer

That's not how you use prepared statements. You want to use a ? in your query.

$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));
gen_Eric
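A runnable version of the fix from the answer, as an added example that is not part of the original question or answer: it uses PDO's SQLite driver with an in-memory database instead of MySQL so it runs without a server, keeps the question's table and column names, and constructs a sample value containing an apostrophe. It shows the interpolated UPDATE failing on that apostrophe and the placeholder form succeeding. The error-mode and emulated-prepares settings, the named placeholders (equivalent to the answer's `?` form) and the `bindValue` type hints are additions of this example.

```php
<?php
// Added example, not code from the question or answer above.
// PDO over an in-memory SQLite database so it runs offline; the
// table/column names come from the question, the data is constructed.

$db = new PDO('sqlite::memory:');
// Surface driver errors as exceptions so a failed UPDATE is visible
// instead of silently changing nothing.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepares where the driver supports them, so
// bound values never travel inside the SQL text at all.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$db->exec("CREATE TABLE our_story (id INTEGER PRIMARY KEY, content TEXT)");
$db->exec("INSERT INTO our_story (id, content) VALUES (1, 'placeholder text')");

// Constructed form input: id => content, with the apostrophe that
// broke the original code.
$posted = [1 => "We've been telling our story since 1999"];

// The question's approach: values pasted straight into the SQL string.
// The apostrophe closes the string literal early, so the statement is
// no longer valid SQL and prepare() throws. Returns the error message,
// or null if every row went through.
function updateInterpolated(PDO $db, array $rows): ?string
{
    foreach ($rows as $id => $ourstory) {
        $sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
        try {
            $db->prepare($sql)->execute();
        } catch (PDOException $e) {
            return $e->getMessage();
        }
    }
    return null;
}

// The answer's approach: placeholders in the SQL, values bound at
// execute time. The apostrophe is just data now. The statement is
// prepared once and executed per row; id is bound as an integer so a
// non-numeric key cannot match anything. Returns rows updated.
function updateWithPlaceholders(PDO $db, array $rows): int
{
    $q = $db->prepare("UPDATE our_story SET content = :content WHERE id = :id");
    $updated = 0;
    foreach ($rows as $id => $ourstory) {
        $q->bindValue(':content', $ourstory, PDO::PARAM_STR);
        $q->bindValue(':id', (int) $id, PDO::PARAM_INT);
        $q->execute();
        $updated += $q->rowCount();
    }
    return $updated;
}

// Read back one row's content with a positional placeholder, the form
// used in the answer.
function fetchContent(PDO $db, int $id): ?string
{
    $s = $db->prepare("SELECT content FROM our_story WHERE id = ?");
    $s->execute([$id]);
    $content = $s->fetchColumn();
    return $content === false ? null : $content;
}

$err = updateInterpolated($db, $posted);
echo "interpolated: " . ($err ?? 'no error') . PHP_EOL;
echo "content now:  " . fetchContent($db, 1) . PHP_EOL;

$n = updateWithPlaceholders($db, $posted);
echo "placeholders: updated $n row(s)" . PHP_EOL;
echo "content now:  " . fetchContent($db, 1) . PHP_EOL;
```

Run it with `php example.php`: the first UPDATE reports a syntax error and leaves the row untouched, the second updates one row and the apostrophe is stored intact. The same two functions behave the same way against MySQL once the DSN is changed, which is the point the answer is making: with placeholders the database never has to parse user text as SQL.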