绑定参数错误：致命错误：未捕获的 PDOException：SQLSTATE[HY093]：无效的参数号：未定义参数

Question

I have a very simple form with the php code to insert there data into a database. If I run it without binding the parameters, it works perfectly, but as soon as I bund them, I get an error: Fatal error: Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in.

my code is as follows:

<?php
include('../../functions/database.php');

$conn = create_connection();

$id = $_POST['id'];
$intId = intval($id);
$name = $_POST['name'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$address3 = $_POST['address3'];
$address_town = $_POST['address-town'];
$address_country = $_POST['address-country'];

$stm = "INSERT INTO company_address (name, company_id, address_1, address_2, address_3, address_town, address_country) values(:name, $intId, :address1, :address2, :address3, :address-town, :address-country)";

$query = $conn->prepare($stm);
$query->bindValue(':name',htmlspecialchars($name, ENT_QUOTES));
$query->bindValue(':address1',htmlspecialchars($address1, ENT_QUOTES));
$query->bindValue(':address2',htmlspecialchars($address2, ENT_QUOTES));
$query->bindValue(':address3',htmlspecialchars($address3, ENT_QUOTES));
$query->bindValue(':address-town',htmlspecialchars($address_town, ENT_QUOTES));
$query->bindValue(':address-country',htmlspecialchars($address_country, ENT_QUOTES));
var_dump($query);
$query->execute();
header('Location: ' . $_SERVER['HTTP_REFERER']);
?>

can anyone see the error?

Answer 1

Hyphen "-" is a reserved character for pdo sql parser, so it must not be used in placeholder names, hence address-town and address-country are invalid names and cause the mentioned error.

Use alphanumeric characters and underscore only.

a-zA-Z0-9_

Reserved characters:

:?"'-/

See the docs https://github.com/php/php-src/blob/master/ext/pdo/pdo_sql_parser.re