This is my code:

if (!isset($_POST['cellulare'])) $cell = "-"; else $cell = $_POST['cellulare'];
if (!isset($_POST['ufficio'])) $uff = "-"; else $uff = $_POST['ufficio'];
if (!isset($_POST['email'])) $email = "-"; else $email= $_POST['email'];

$sqlup = "UPDATE rubrica SET nome = :nm,
            cognome = :cgm,
            mail = :email,
            cellulare = :cell,
            ufficio = :office,
            WHERE id=".$_GET['mod'];
$stmt = $pdo->prepare($sqlup);
$stmt->bindParam(':nm', $_POST['nome'], PDO::PARAM_STR);
$stmt->bindParam(':cgm', $_POST['cognome'], PDO::PARAM_STR);
$stmt->bindParam(':email ', $email, PDO::PARAM_STR);
$stmt->bindParam(':cell', $cell, PDO::PARAM_STR);
$stmt->bindParam(':office', $uff, PDO::PARAM_STR);
$stmt->execute();

Apparently there is no error, but I get this:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: parameter was not defined'

    Are you sure `$_GET['mod']` is not empty and contains an integer? – Legionar Sep 05 '16 at 14:10
  • 2
    Why aren't you binding `$_GET['mod']`? The `email` binding has an extra space in the name. – chris85 Sep 05 '16 at 14:10
  • 1
    Why are you not also parameterizing and binding the `id=".$_GET['mod']`? Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Sep 05 '16 at 14:20

1 Answer

2

Are you sure `$_GET['mod']` is not empty and contains an integer? If yes, then there is another error in your SQL: you have a `,` there before `WHERE`:

$sqlup = "UPDATE rubrica SET nome = :nm, 
        cognome = :cgm, 
        mail = :email,  
        cellulare = :cell,  
        ufficio = :office,  /* <== here */
        WHERE id=".$_GET['mod'];

Change it to this:

$sqlup = "UPDATE rubrica SET nome = :nm, 
        cognome = :cgm, 
        mail = :email,  
        cellulare = :cell,  
        ufficio = :office
        WHERE id=".$_GET['mod'];

Also there is an error in your email binding: there is an extra space, as @chris85 mentioned.

$stmt->bindParam(':email', $email, PDO::PARAM_STR);