
Trying to update table values using a dropdown. I'm getting "number of bound variables does not match number of tokens" whenever I make a selection from the dropdown. I think I've already bound all the variables.

Here's my code:

```php
<?php

 $hostname = "localhost";
 $username = "root";
 $password = "";
 $databasename = "companydb";

 try
 {
  $conn = new PDO("mysql:host=$hostname;dbname=$databasename",$username, $password);
  $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

  if(isset($_POST["status"]))
  {
   $query = "UPDATE tickets SET status = ':status' WHERE ticketno = :ticketno";
   $statement = $conn->prepare($query);
   $statement->execute(array(':status' => $_POST["status"],':ticketno' => $ticketno));

   $count = $statement->rowCount();
   if($count > 0)
   {
    echo "Data Inserted Successfully..!";
   }
    else
   {
    echo "Data Insertion Failed";
   }
  }
   else
  {
   echo "unknown index: 'status'";
  }
 }

 catch(PDOException $error)
 {
  echo $error->getMessage();
 }
?>
```

  • `':status'` is wrong: it is treated as a SQL string literal. String literals are not placeholders. Thus there is only one placeholder, but two values supplied. (Proper placeholders are more than "string replacement" values; don't quote them in SQL queries.) – user2864740 Feb 17 '18 at 07:26
  • @user2864740 So should I change it back to `'$status'`? –  Feb 17 '18 at 07:28
  • `'$status'` is wrong because it's **SQL STRING INJECTION** and not using placeholders. Don't dodge the problem. Fix the problem. See first comment. – user2864740 Feb 17 '18 at 07:29
  • @user2864740 I can't quite understand it, sorry. I'm new to PHP. I think I'm gonna need more specific help using my code –  Feb 17 '18 at 07:39
  • Use `"UPDATE tickets SET status = :status .."` - the point of using *SQL placeholders* is that the code *doesn't* have to use quotes (or worry about nasties with invalid quotes or unexpected data breaking through quotes). A SQL placeholder represents a value - any valid SQL primitive value. If a *string* is supplied, a *string* will be bound. If a number was supplied then.. – user2864740 Feb 17 '18 at 07:40
  • @user2864740 Ohh I see! Thank you so much. I understand it clearly now :) –  Feb 17 '18 at 07:45

0 Answers
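
The three forms discussed in the comments above, run side by side, as an added example that is not part of the original question or its comments. It assumes an in-memory SQLite database through PDO in place of the MySQL `companydb`; `tryUpdate()` and the sample row are constructed for illustration.

```php
<?php
// Added example. Assumptions: in-memory SQLite replaces the page's MySQL
// database; tryUpdate() and the sample row are constructed for illustration.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE tickets (ticketno INTEGER PRIMARY KEY, status TEXT)");
$conn->exec("INSERT INTO tickets (ticketno, status) VALUES (1, 'open')");

// Prepare and run one UPDATE; return the affected-row count or the PDO error.
function tryUpdate(PDO $conn, string $sql, array $params): string
{
    try {
        $statement = $conn->prepare($sql);
        $statement->execute($params);
        return "ok, rows changed: " . $statement->rowCount();
    } catch (PDOException $error) {
        return "failed: " . $error->getMessage();
    }
}

$status   = "won't fix";   // constructed value containing a single quote
$ticketno = 1;

// 1. Quoted ':status' is a string literal, so the statement has one
//    placeholder (:ticketno) but two values are supplied.
echo tryUpdate($conn,
    "UPDATE tickets SET status = ':status' WHERE ticketno = :ticketno",
    [':status' => $status, ':ticketno' => $ticketno]), "\n";

// 2. Interpolating the value into the SQL text: the quote inside the data
//    ends the literal early and the rest is parsed as SQL.
echo tryUpdate($conn,
    "UPDATE tickets SET status = '$status' WHERE ticketno = $ticketno",
    []), "\n";

// 3. Unquoted placeholders: both values are bound as data.
echo tryUpdate($conn,
    "UPDATE tickets SET status = :status WHERE ticketno = :ticketno",
    [':status' => $status, ':ticketno' => $ticketno]), "\n";

// The stored value is exactly the input, quote included.
$check = $conn->prepare("SELECT status FROM tickets WHERE ticketno = :ticketno");
$check->execute([':ticketno' => $ticketno]);
echo "stored: ", $check->fetchColumn(), "\n";
```

Only the third form changes the row; the exact error text of the first two depends on the PDO driver in use.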