Jump to content

Update Statement Using Pdo

SigglesMFC

By SigglesMFC
in PHP Coding Help

 Share

Recommended Posts

SigglesMFC Newbie

SigglesMFC

Posted
Posted

Hi, I have a few INSERT and SELECT statements using a similar format that all work but I cannot get this UPDATE statement to work..

 

  function updateUserField($username, $field, $value){
  $query = "UPDATE ".TBL_USERS." SET :field = :value WHERE username = :username";
  $stmt = $this->connection->prepare($query);
  return $stmt->execute(array(':username' => $username, ':field' => $field, ':value' => $value));
  }

 

The error is:

 

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''userid' = '4bb2239345sdc16d5424sb997ad3' WHERE username = 'tom'' at line 1' in /home/ddddd/public_html/login/include/database.php:223 Stack trace: #0 /home/ddddd/public_html/login/include/database.php(223): PDOStatement->execute(Array) #1 /home/ddddd/public_html/login/include/session.php(184): MySQLDB->updateUserField('tom', 'userid', '4bb2239345f02dc...') #2 /home/ddddd/public_html/login/process.php(60): Session->login('tom', 'sempes', false) #3 /home/ddddd/public_html/login/process.php(21): Process->procLogin() #4 /home/dddddy/public_html/login/process.php(236): Process->Process() #5 {main} thrown in /home/ddddd/public_html/login/include/database.php on line 223

 

Any ideas where I am going wrong?

Link to comment
https://forums.phpfreaks.com/topic/270675-update-statement-using-pdo/
Share on other sites
SigglesMFC Newbie

SigglesMFC

Posted
  • Author
Posted

Hi you are right, the function might be used elsewhere in the script like so:

 

$database->updateUserField($subuser,"password",$newpass);

 

What actually causes the problem? If I echo the query it looks like this:

 

UPDATE users SET :field = :value WHERE username = :username

SigglesMFC Newbie

SigglesMFC

Posted
  • Author
Posted

Okay thanks.I can get it to work by doing...

 

function updateUserField($username, $field, $value){
  $query = "UPDATE ".TBL_USERS." SET ".$field." = :value WHERE username = :username";
  $stmt = $this->connection->prepare($query);
return $stmt->execute(array(':username' => $username, ':value' => $value));

 

but by doing this I am not checking the $field variable for injection. Any ideas?

SigglesMFC Newbie

SigglesMFC

Posted
  • Author
Posted

Why do you need to make this field dynamic? And why on earth would that be coming from user submitted data?

 

It's not user submitted data. It gets called by admin functions carried out on the website. The $field parameter that is passed is always hard coded somewhere else in the script. For example...

 

$database->updateUserField($subusertoedit,"userlevel",$subuserlevel);
$database->updateUserField($this->username,"email",$subemail);

 

But you have sort of answered my own question. As there is no user input for that parameter I dont need to worry about SQL injection.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.