Pdo->prepare problem

General PHP Help
#1

I’m having a problem with a pdo->prepare statement giving me an error. Here’s the statement:

<?php

$srcs = glob(‘download/.tar.’);
$src = $srcs[count($srcs) - 1];
$srcname = basename($src);
$md5src = md5_file($src);

print_r ($srcname);
print_r ($md5src);

$php_scripts = ‘…/php/’;
require $php_scripts . ‘PDO_Connection_Select.php’;

if (!$pdo = PDOConnect(“foxclone_data”))
{
$chk=0;
}

$stmt = $pdo->prepare(“UPDATE files SET filename = ‘$srcname’, md5 = ‘$md5src’, logtime=now() WHERE id = 4”);
$stmt->execute() ;

I know it’s probably obvious, but I’ve been looking at this code for days and just not seeing it.

Thanks for your help.

#2

And…the error is?

Also doesnt look like you are binding any params? (and just using variables?)

#3

Yes, just using variables.

Error: Fatal error : Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘files’ SET filename = ‘foxclone46-src.tar.gz’, md5 = ‘7618f1e564b4ee3556a9af28bc…’ at line 1 in /home/foxclo98/public_html/update.php:118 Stack trace: #0 /home/foxclo98/public_html/update.php(118): PDO->prepare(‘UPDATE ‘files’ …’) #1 {main} thrown in /home/foxclo98/public_html/update.php on line 118

#4

MariaDb may consider files or md5 to be functions, and may be trying to parse them as such. I think it’s good practice to use less generic column names to avoid this kind of problem. Try adding backticks ` around `files` and `md5` and see if that helps.

As an aside - injecting parameters into your query in that way is incredibly insecure and you should get out of the habit. Use parameter binding instead:

$stmt = $pdo->prepare(
    "UPDATE files SET filename = ?, md5 = ?, logtime=now() WHERE id = ?"
);

$stmt->execute([$srcname, $md5src, 4]) ;

Easy as that.

#5

Reformatted prepare statements as suggested and added backticks to table name and column names, still getting same error.

#6

Can you manually recreate the query you’re running, then see if that runs directly on your DB server?

#7

When run in phpmyadmin on my web host, this works:

UPDATE `files` SET `filename`="Sources",`md5`= "ddddeeed",`logtime`= Now() WHERE `id` = 4;

NOTE: in phpmyadmin, table name and field names have backticks.

#8

What is the current code you have showing the modifications?

#9

That says files is in quotes, not backticks

#10

That’s probably * the syntax of the error message calling attention to the syntax problem found near the ‘files’ part of the sql statement.

* between OPs posting code/errors as text or quotes and the forum software formatting/beautifying it, cannot trust what you see anymore (I have had to click on the edit post icon regularly to see what the raw information actually is.)

#11

Doesn’t look like it… the first quote yes, not the second

#12

I added a qualifier in my reply above…

Sponsor our Newsletter | Privacy Policy | Terms of Service