
I'm stumped. When I do the following query exactly as shown, I get an error:

    function update_rater($rater_result) {
    $pdo = new PDO('mysql:host='.DB_SERVER.'; dbname='.DB_NAME, DB_USER, DB_PASS);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('SET NAMES "utf8"');

    foreach ($rater_result as $update)
    {
        $sample[] = array (
                'name'=>$rater_result['name'],
                'rating'=>$rater_result['rating'],
                'hits'=>$rater_result['hits'],
                'parkid'=>$rater_result['parkid'],
                'logname'=>$rater_result['logname'],
                'uname' =>$rater_result['uname']);
    }
    $id = $update['parkid'];
        $parkid = $update['parkid'];
        $rating = $update['rating'];
        $hits = 1;
        $uname = $update['uname'];

    $sql = "INSERT INTO stars (parkid, rating, hits, logname)
        VALUES ($parkid, $rating, $hits, $uname)";              

    $result = $pdo->query($sql);
}

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2' in /home/ride4w5/public_html/test_site/includes/functions.php:343 Stack trace: #0 /home/ride4w5/public_html/test_site/includes/functions.php(343): PDO->query('INSERT INTO sta...') #1 /home/ride4w5/public_html/test_site/includes/rater/1.php(62): update_rater(Array) #2 {main} thrown in /home/ride4w5/public_html/test_site/includes/functions.php on line 343

However, if I do EXACTLY the same query, but change the final VALUE to either a string or a number, it works just fine. Any variable throws the error. Why is the error being thrown only for a variable and not for a value? The other variables don't cause any problem.

EDIT:

It is not ANY variable, it is just $uname that causes the problem. But if I do an

    echo $uname;
    exit();

it echoes the variable properly. What does it not like?

Edit:

$uname comes from

    $user->session_begin();
    $auth->acl($user->data);
    $user->setup();
    $request->enable_super_globals();
    $username = $user->data['username'];
    $uname = $username;
  • EDIT: It is not ANY variable, it is just $uname that causes the problem. But if I do an echo $uname; exit(); it echoes the variable properly. What does it not like? – user1483042 Aug 18 '15 at 03:06
  • Does your $uname contain a '"'? – Rachel Geller Aug 18 '15 at 03:10
  • I bet if you did an echo of $sql it will become obvious. Perhaps $update['uname'] is a problem, wherever $update is coming from. To me at least, $update[] just appears magically as if it has some meaning in some other context. – Drew Aug 18 '15 at 03:11
  • You're using PDO but not using prepared statements...that's almost as bad (*if not worse*) than just giving people access to your system.. cough...cough...[SQL Injection](https://en.wikipedia.org/wiki/SQL_injection)...cough – Darren Aug 18 '15 at 03:13
  • $uname comes from $user->session_begin(); $auth->acl($user->data); $user->setup(); $request->enable_super_globals(); $username = $user->data['username']; $uname = $username; That being the case, does $uname have quotations? – user1483042 Aug 18 '15 at 03:15
  • Where did you get the $update? – aldrin27 Aug 18 '15 at 03:19
  • foreach ($rater_result as $update) – user1483042 Aug 18 '15 at 03:21
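
Following the comments about echoing `$sql` and about prepared statements, here is an added example (not code from the question or from any commenter) that prints the interpolated statement for a few rows and then performs the same insert with bound parameters. Assumptions: an in-memory SQLite database stands in for the MySQL connection so the script runs offline, the `stars` column types are guessed, the helper names `interpolated_sql` and `insert_rating` are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example, not the poster's code. SQLite in memory stands in for the
// MySQL connection so the script runs offline; the table layout is assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stars (parkid INTEGER, rating INTEGER, hits INTEGER, logname TEXT)');

// What the interpolated query from the question looks like for a given row.
function interpolated_sql(array $row): string {
    return "INSERT INTO stars (parkid, rating, hits, logname)
        VALUES ({$row['parkid']}, {$row['rating']}, 1, {$row['uname']})";
}

// Same insert with bound parameters: values never become part of the SQL text,
// so quoting, empty strings and embedded quotes cannot change the statement.
function insert_rating(PDO $pdo, array $row): void {
    $stmt = $pdo->prepare(
        'INSERT INTO stars (parkid, rating, hits, logname)
         VALUES (:parkid, :rating, :hits, :logname)'
    );
    $stmt->bindValue(':parkid', (int) $row['parkid'], PDO::PARAM_INT);
    $stmt->bindValue(':rating', (int) $row['rating'], PDO::PARAM_INT);
    $stmt->bindValue(':hits', 1, PDO::PARAM_INT);
    $stmt->bindValue(':logname', (string) $row['uname'], PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample rows: a plain name, a name with a quote, an empty name.
$rows = [
    ['parkid' => 7, 'rating' => 4, 'uname' => 'alice'],
    ['parkid' => 7, 'rating' => 5, 'uname' => "O'Brien"],
    ['parkid' => 8, 'rating' => 3, 'uname' => ''],
];

foreach ($rows as $row) {
    // Printing the built string shows the unquoted or missing last value.
    echo interpolated_sql($row), "\n";
    insert_rating($pdo, $row);
}

// Every row is stored exactly as supplied, including the quote and the empty name.
foreach ($pdo->query('SELECT parkid, rating, hits, logname FROM stars') as $r) {
    printf("%d %d %d [%s]\n", $r['parkid'], $r['rating'], $r['hits'], $r['logname']);
}
```

In the printed statements the last value appears without quotes, and for the empty name the statement ends in `, )`, which is not valid SQL; the bound-parameter inserts succeed for all three rows.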
