
When I run this PHP file, it shows me the error SQLSTATE[HY000]: General error. Why?

```php
function Gethotspots($db) {
    $regId = $_GET['regId'];
    $sql = $db->prepare("INSERT INTO notificaciones (regId) VALUES ('" . $regId . "')");
    $sql->execute();

    $i = 0;

    $pois = $sql->fetchAll(PDO::FETCH_ASSOC);

    if (empty($pois)) {
        $response["productos"] = array();
    }
    else {
        foreach ($pois as $poi) {
            $poi["actions"] = array();

            $response["productos"][$i] = $poi;
            $i++;
        }
    }
    return $response["productos"];
}

$dbhost = "localhost";
$dbdata = "anuncios";
$dbuser = "root";
$dbpass = "";

try {
    $db = new PDO("mysql:host=$dbhost; dbname=$dbdata", $dbuser, $dbpass, array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));

    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $response = array();

    $response["productos"] = Gethotspots($db);

    if (empty($response["productos"])) {
        $response["errorCode"] = 20;
        $response["errorString"] = "Ningun producto encontrado.";
    } // if
    else {
        $response["errorCode"] = 0;
        $response["errorString"] = "Todo correcto";
    }

    $jsonresponse = json_encode($response);
    header('Access-Control-Allow-Origin: *');

    echo $jsonresponse;

    $db = null;
} catch (PDOException $e) {
    echo $e->getMessage();
}
```

Thanks all!

George Brighton
Adrián
  • Seems like you should review the data of your database connection, something is wrong with it (database name or kind of connection). Good luck. – Reger Jan 22 '14 at 20:14
  • @tas9 All is well, works with SELECT but not INSERT :( – Adrián Jan 22 '14 at 20:16
  • Try out `var_dump($regId)` before the execution of the query, or do something like `echo "INSERT INTO notificaciones (regId) VALUES ('".$regId."')"` and execute the sentence in your phpMyAdmin utility. – Reger Jan 22 '14 at 20:18
  • @tas9 that shows -> string(1) "1" SQLSTATE[HY000]: General error – Adrián Jan 22 '14 at 20:20
  • SQL injection danger detected. Why concatenate values in your prepare statement when you can bindParam or bindValue? – Félix Adriyel Gagnon-Grenier Jan 22 '14 at 21:35
  • @FélixGagnon-Grenier Can you show me a small example to avoid it? Thanks – Adrián Jan 22 '14 at 22:26
  • `$sql = $db->prepare("INSERT INTO notificaciones (regId) VALUES (:regId)"); $sql->bindValue(':regId', $regId, PDO::PARAM_INT); $sql->execute();` Those three lines assume `$regId` is defined and contains an integer. But the most important thing is your query will be prepared before being executed. At preparation time, there's no way :regId will show as potential malicious code. At execution time, the value fits in the field targeted by the prepared statement. – Félix Adriyel Gagnon-Grenier Jan 23 '14 at 05:21
  • PDOStatement::FetchAll() doesn't work with INSERT queries. See [sqlstatehy000-general-error-when-updating-database](http://stackoverflow.com/questions/12979510/pdo-error-sqlstatehy000-general-error-when-updating-database). Vote to close as duplicate? – Steve Almond Jun 13 '14 at 15:51
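
The two points raised in the comments, combined in an added example that is not part of the original thread: bind the value instead of concatenating it, and call fetchAll() only on a statement that returns rows. The table and column names are from the question; the in-memory SQLite database (used so the script runs without a MySQL server), the function names and the sample inputs are assumptions.

```php
<?php
// Added example: table and column names come from the question; the SQLite
// in-memory database and the sample inputs are constructed so this runs offline.

function registerNotification(PDO $db, $rawRegId): int
{
    // Reject anything that is not an integer before it reaches the database.
    $regId = filter_var($rawRegId, FILTER_VALIDATE_INT);
    if ($regId === false) {
        throw new InvalidArgumentException('regId must be an integer');
    }

    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO notificaciones (regId) VALUES (:regId)');
    $stmt->bindValue(':regId', $regId, PDO::PARAM_INT);
    $stmt->execute();

    // An INSERT has no result set, so report affected rows instead of fetchAll().
    return $stmt->rowCount();
}

function listNotifications(PDO $db): array
{
    // fetchAll() belongs on statements that return rows, such as SELECT.
    $stmt = $db->query('SELECT regId FROM notificaciones ORDER BY regId');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notificaciones (regId INTEGER NOT NULL)');

// Constructed inputs: one valid id and one string that is not an integer.
foreach (['1', "1'); DROP TABLE notificaciones; --"] as $input) {
    try {
        $rows = registerNotification($db, $input);
        echo "inserted $rows row(s) for regId $input\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected input: ' . $e->getMessage() . "\n";
    }
}

echo json_encode(['productos' => listNotifications($db)]), "\n";
```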

0 Answers