UPDATE Query in PHP/MySQL Failing with Error Code 1064, SQLState 42000
Question
When building my app, I made the create query with no trouble. However, when I copied my PHP from the create file to the update file, I've been getting this error:
UPDATE people SET firstname = 'First', lastname = 'Last', email = 'test@mail.com', phonenumber = 1234567890 WHERE id = 1'
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
Usually, when I get this error, the error gives me an accurate place to fix up. Can anyone help me find this error?
update.sql:
if (isset($_POST['submit'])) {
require "../resources/config.php";
require "../resources/common.php";
try {
$connection = new PDO($dsn, $username, $password, $options);
$id = $_GET['id'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$phonenumber = $_POST['phonenumber'];
$updated_number = array($firstname, $lastname, $email, $phonenumber);
$sql = sprintf(
"UPDATE %s SET firstname = '$firstname', lastname = '$lastname', email = '$email', phonenumber = $phonenumber WHERE id = %s",
"people",
$id
);
$statement = $connection->prepare($sql);
$statement->execute($updated_number);
header("Location: index.php");
}
catch(PDOException $error) {
echo $sql . "<br>" . $error->getMessage();
}
}
2 answers
solution1
1 ACCPTED 2018-04-08 15:11:42
You have two issues here. The first, and more important is your use of prepared statements. All values in the query itself should be bound. So your query should really be:
$updated_number = array($firstname, $lastname, $email, $phonenumber, $id);
$sql = sprintf("UPDATE %s
SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
WHERE id = ?",
"people");
The second is your sprintf usage.
WHERE id = %s
The %s is a string, %d is for an integer. With correct prepared statements this isn't needed though. If "people" isn't a variable and being built dynamically I think it would be easier to just build that whole query as a normal string. eg
$sql = 'UPDATE people
SET firstname = ?, lastname = ?, email = ?, phonenumber = ?
WHERE id = ?';
solution2
1 2018-04-08 15:15:02
Don't use sprintf for building SQL statements as it opens your code up to SQL Injection attacks, it is better to use prepared statements which would looks something like this:
$sql = "UPDATE `people` SET `firstname` = :firstname, `lastname` = :lastname, `email` = :email, `phonenumber` = :phonenumber WHERE `id` = :id;"
$statement = $connection->prepare($sql);
$statement->bindParam(':firstname', $firstname);
$statement->bindParam(':lastname', $lastname);
$statement->bindParam(':email', $email);
$statement->bindParam(':phonenumber', $phonenumber);
$statement->bindParam(':id', $id);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.