Jump to content

Recommended Posts

When I'm doing this it can't handle the query line. When I change the :count to a number it works correctly.

So I want to know how can I use a string to determine a number for the mysql request.

 

 

Thank you!

 

 

<?php

// Error report

ini_set('display_errors', 1);

error_reporting(~0);

 

// Getting video ID from URL

$video = $_GET['v'];

 

// Including database connection

include 'db.php';

 

//$query = "SELECT file_name, videos FROM videos  ORDER BY RAND() LIMIT 1;";

$query = "SELECT file_name, videos FROM videos LIMIT :count,1;";

 

// Prepare

$statement = $handler->prepare($query);

$statement->bindParam(":count",$video);

 

// Execute

$statement->execute();

 

// Fetch

$videos = $statement->fetch(PDO::FETCH_ASSOC);

$comment = $videos["file_name"];

$videos = $videos["videos"];

echo $comment;

echo $videos;

?>

Here's what I see when I go to the page:

 

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'NULL,1' at line 1' in FILE_LOCATION/test.php:21 Stack trace: #0 FILE_LOCATION/test.php(21): PDOStatement->execute() #1 {main} thrown in FILE_LOCATION/test.php on line 21

You have an entire collection of errors.

 

First, you're obviously accessing the script without a v parameter in the URL, because the value of $video is null. You have no check for that case either; you just assume that the parameter is always present (which it isn't, as you can see).

 

Then you're using emulated prepared statements (which is the default) instead of real ones. This means the parameters are literally inserted into the query string instead of getting sent to the database. Since your parameter is null, you end up with a LIMIT of NULL -- which is syntactically wrong.

 

The query itself is also fishy. Why are you doing an offset search when you want to look up a particular ID? This will give you nonsense results. You don't even have an ORDER BY clause, so the offset could start absolutely anywhere.

 

Long story short:

  • Validate the user input and handle missing parameters; don't just assume that you get what you expect
  • Disable statement emulation
  • Fix the query. You probably want a WHERE clause.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.