0

This is the code that makes the error:

$sql = 'INSERT INTO pedidos (pagado, instalado) VALUES ("'.$_POST['email'].'", "'.$_POST['b'].'") WHERE email="'.$_POST['2'].'"';
$stm = $conn->prepare($sql);
$conn->exec($stm);
Dave Chen
Juan Perez
    See also [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174) (which is not just about security, but about getting things to work correctly). – mario Jul 04 '15 at 22:21

2 Answers

1

That's not the proper way to use prepare and execute. The reason this was created was so that you wouldn't need to put logic and data together and put yourself at risk of an SQL injection attack.

$sql = 'INSERT INTO pedidos (pagado, instalado) VALUES (:pagado, :instalado)';
$stm = $conn->prepare($sql);
// Bind the request values to the named placeholders; the driver sends them
// separately from the SQL text, so quotes in the input cannot alter the query
$stm->bindParam(':pagado', $_POST['email']);
$stm->bindParam(':instalado', $_POST['b']);
$stm->execute();

It also doesn't make sense to put a WHERE in an INSERT query. You're inserting into your table, you're not getting data.

However, if you're updating data based on other data, then you should use an UPDATE query.

UPDATE pedidos SET pagado=?, instalado=? WHERE email=?

An example of this would be:

$sql = 'UPDATE pedidos SET pagado=:pagado, instalado=:instalado WHERE email=:email';
$stm = $conn->prepare($sql);
// Placeholder names must match the SQL exactly (:pagado, not :padago)
$stm->bindParam(':pagado', $_POST['email']);
$stm->bindParam(':instalado', $_POST['b']);
$stm->bindParam(':email', $_POST['2']);
$stm->execute();
Dave Chen
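As an added example (not code from the question or from either answer), here is the question's concatenation pattern written as the UPDATE the answer recommends, side by side with the prepared-statement version, run against an in-memory SQLite database so it works without a MySQL server. The table, its two rows and the request array are constructed for illustration; single-quoted SQL literals are used instead of the question's double quotes because SQLite reads double quotes as identifiers.

```php
<?php
// Added example: concatenated UPDATE (injectable) vs. prepared UPDATE.
// Everything below (table, rows, request data) is constructed for the demo.

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE pedidos (email TEXT PRIMARY KEY, pagado TEXT, instalado TEXT)');

function seed(PDO $conn): void {
    // Two constructed orders; the request below claims to own neither of them.
    $conn->exec('DELETE FROM pedidos');
    $conn->exec("INSERT INTO pedidos (email, pagado, instalado) VALUES
        ('alice@example.com', 'no', 'no'),
        ('bob@example.com',   'no', 'no')");
}

// Vulnerable: the question's string concatenation, as an UPDATE so that the
// WHERE clause actually means something. Input becomes part of the SQL text.
function updateConcatenated(PDO $conn, array $post): int {
    $sql = "UPDATE pedidos SET pagado='" . $post['email'] . "', instalado='" . $post['b'] . "'"
         . " WHERE email='" . $post['2'] . "'";
    return $conn->exec($sql);           // number of rows the statement changed
}

// Hardened: named placeholders. PDO ships the values apart from the SQL, so a
// quote inside the input is data, not syntax.
function updatePrepared(PDO $conn, array $post): int {
    $stm = $conn->prepare(
        'UPDATE pedidos SET pagado = :pagado, instalado = :instalado WHERE email = :email'
    );
    $stm->execute([
        ':pagado'    => $post['email'],
        ':instalado' => $post['b'],
        ':email'     => $post['2'],
    ]);
    return $stm->rowCount();
}

// Constructed request, mirroring the question's $_POST keys. The '2' field,
// which ends up in the WHERE clause, closes the string literal and appends a
// condition that is always true.
$post = [
    'email' => 'si',
    'b'     => 'si',
    '2'     => "nobody@example.com' OR '1'='1",
];

seed($conn);
printf("concatenated: %d row(s) updated\n", updateConcatenated($conn, $post));

seed($conn);
printf("prepared:     %d row(s) updated\n", updatePrepared($conn, $post));
```

In the concatenated version the statement that reaches SQLite ends in `WHERE email='nobody@example.com' OR '1'='1'`, so every order in the table is marked as paid and installed; in the prepared version the whole payload is compared against the email column as one literal string, which matches no row. One caveat when moving this to MySQL: PDO's MySQL driver emulates prepared statements by default (client-side quoting), so set `PDO::ATTR_EMULATE_PREPARES` to `false` and put the connection charset in the DSN to get real server-side parameter binding.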
0

UPDATE - 2:

// INSERT cannot take a WHERE clause; changing an existing row by email is an UPDATE
$sql = 'UPDATE pedidos SET pagado = ?, instalado = ? WHERE email = ?';
$stm = $conn->prepare($sql);
// Positional placeholders are bound by 1-based index
$stm->bindParam(1, $_POST['email']);
$stm->bindParam(2, $_POST['b']);
$stm->bindParam(3, $_POST['2']);

$stm->execute(); // here your code generates the error

Reason: You put $stm in execute(), which makes an error.

Shahzad Barkati