I have been referred before to the generally answered question "How can I prevent SQL injection in PHP?". The advantages of using prepared queries are clearly illustrated. The simple SELECT...WHERE query is mostly used as illustration:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

I am trying to use it ("cloning" it as far as I can) in an UPDATE...SET...WHERE with the following query:

$stm = $pdo->prepare("UPDATE `$databasetable_final` SET `Id_1`= :name
WHERE Id_S BETWEEN $Row_From AND $MaxId) ");
$stm->execute(['name'=>$Id_SB]);

I get a fatal error with the message:

execute( $bound_input_params = ['name' => 11] )

referring to a problem with the parameters specification (although the desired value (11) of $Id_SB seems to be correctly retrieved).

Evidently, I do not understand the parameters structures to be used. In particular should I declare an Array for the 'name' parameter? Detailed basic explanations would be appreciated. Thanks in advance.

  • execute( $bound_input_params = ['name' => 11] ) doesn't look like an error message, let alone a fatal one – Your Common Sense Jul 23 '22 at 11:11
  • the main question, why don't you substitute $Row_From and $MaxId with parameters as well? – Your Common Sense Jul 23 '22 at 11:13
  • I did not report the full message but there is effectively a Fatal error declaration at the execute line without detailed clues. For the time being these 2 parameters seem to be used with their proper values; I tested it by putting an explicit value in SET = and the right rows have been correctly updated. Do you think that could be the cause of the problem? If yes I could try (I have tried already so many combinations!). – JCRCAN Jul 23 '22 at 14:20
  • Without the full and complete error message nobody could think anything. – Your Common Sense Jul 23 '22 at 14:43
  • I got this message not very explicit: ( ! ) Fatal error: in C:\Users\Jean Claude\Documents\ADNA06\Développements\FormationWamp\Transfert_Survols_Boucle_Date_Jour_Comptage_Id_S.php on line 113 ( ! ) PDOException: in C:\Users\Jean Claude\Documents\ADNA06\Développements\FormationWamp\Transfert_Survols_Boucle_Date_Jour_Comptage_Id_S.php on line 113 – JCRCAN Jul 23 '22 at 14:59
  • I think that I do not have a proper Exception set up to get more detailed diagnostic. This is my set up: PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION. What would be a better way? – JCRCAN Jul 23 '22 at 15:01
  • No, this way is OK. Most likely it's some software of yours impeding with error reporting. Without the extra code, the error is clear: [looks like you have an extra brace in SQL](https://phpize.online/sql/mysql57/undefined/php/php81/ba52f1fdb8ee1ee18230b404abee6485/) – Your Common Sense Jul 23 '22 at 15:04
  • Note: I do not have the credit for a chat session. Therefore I go on with comments. Are you proposing to use PHPize as a debugging tool? – JCRCAN Jul 23 '22 at 15:43
  • Well, personally I am debugging on my PC. I am using phpize to share the code – Your Common Sense Jul 23 '22 at 15:45
  • I got it. The diagnostic of the code you installed issues an error at line 7 around ')'. Sincerely I do not see the problem. – JCRCAN Jul 23 '22 at 15:59
  • How can you not see that? the only brace in the query? It's hard to spot when you don't know where to look, but since it was pointed at? – Your Common Sense Jul 23 '22 at 16:10
  • I still have the error message at line 7. $stm->execute(['name'=>1]); – JCRCAN Jul 23 '22 at 16:28
  • Just in case, did you fix that extra brace? – Your Common Sense Jul 23 '22 at 16:38
  • No because I never could locate the extra brace. A brace is that symbol [] isn't it? If you found a code that works... – JCRCAN Jul 23 '22 at 16:49
  • Just curious, did you even see the error message? You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for **the right syntax to use near ')'** – Your Common Sense Jul 23 '22 at 16:50
  • Once removing the braces I got unexpected token "=>", expecting ")" in at line: 7. ??? – JCRCAN Jul 23 '22 at 16:51
  • Look. It seems you just need to get yourself a book on PHP and start learning it chapter after chapter. One cannot just pop out of nowhere and start to program. Programming is the same trade as any other - biology, surgery, accounting. Do you think you can cut out the appendicitis after asking a question on the internet? SAME HERE – Your Common Sense Jul 23 '22 at 16:59
  • I got it. Thanks for your patience. – JCRCAN Jul 23 '22 at 17:03
  • I agree with you: we, beginners, have a tendency to shortcut the basics. No excuse for me, except that the terminology between brace, brackets, square brackets, parenthesis has created some confusion. Is there a standard terminology? Again, thanks a lot for your patient attention. – JCRCAN Jul 23 '22 at 18:06
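For reference, here is the UPDATE from the question with the stray ')' removed and, as the comments suggest, the BETWEEN bounds bound as parameters too. This is an added example, not code from the question or its comments; it runs against an in-memory SQLite database so it can be executed stand-alone, and the table name `survols_final`, the column layout and the sample rows are assumptions constructed for the illustration.

```php
<?php
// Added example: the question's UPDATE with every value as a bound parameter.
// Assumed: table `survols_final` with columns Id_S and Id_1 (constructed here).

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // same setting as in the question
]);

// A table name cannot be a bound parameter, so it must come from a fixed
// allow-list rather than from user input.
$allowedTables = ['survols_final' => true];
$databasetable_final = 'survols_final';
if (!isset($allowedTables[$databasetable_final])) {
    throw new InvalidArgumentException('table name not permitted');
}

// Constructed sample data for the demonstration.
$pdo->exec("CREATE TABLE `$databasetable_final` (Id_S INTEGER PRIMARY KEY, Id_1 INTEGER)");
$pdo->exec("INSERT INTO `$databasetable_final` (Id_S, Id_1) VALUES (1, 0), (2, 0), (3, 0), (4, 0)");

// All three values are named placeholders; note there is no ')' after :max_id.
$stm = $pdo->prepare(
    "UPDATE `$databasetable_final` SET `Id_1` = :name WHERE Id_S BETWEEN :row_from AND :max_id"
);

$Id_SB    = 11;
$Row_From = 2;
$MaxId    = 3;

// execute() takes one array mapping each placeholder name to its value;
// the value itself (11) is a plain integer, not an array.
$stm->execute([
    'name'     => $Id_SB,
    'row_from' => $Row_From,
    'max_id'   => $MaxId,
]);
echo "rows updated: " . $stm->rowCount() . "\n";

// Show the table afterwards; only the rows with Id_S between 2 and 3 are targeted.
foreach ($pdo->query("SELECT Id_S, Id_1 FROM `$databasetable_final` ORDER BY Id_S") as $row) {
    echo $row['Id_S'] . ' -> ' . $row['Id_1'] . "\n";
}
```

Because the error mode is ERRMODE_EXCEPTION, a syntax error such as the extra ')' surfaces as a PDOException with the MySQL message about "the right syntax to use near ')'", which is the message quoted in the comments.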