SoldierCorp

Reputation: 7700

PHP PDO: Why does this SQL statement cause this error?

Well, I don't understand why this line doesn't execute correctly:

try {
    $sql = "UPDATE t_perfiles_permisos 
        SET :tipo = :valor
            WHERE Area_Permiso = :area AND Id_Perfil = :idp";
    $result = $this->dbConnect->prepare($sql) or die ($sql);
    $result->bindParam(':tipo',$this->tipo,PDO::PARAM_STR);
    $result->bindParam(':valor',$this->valor,PDO::PARAM_INT); 
    $result->bindParam(':area',$this->area,PDO::PARAM_STR);
    $result->bindParam(':idp',$this->idp,PDO::PARAM_INT);

    $result->execute();
} catch (PDOException $e) {
    echo "Error!! No se puede establecer el permiso: ".$e->getMessage()."<br/>";
    return false;
}

Error:

Error!! No se puede establecer el permiso: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Buscar' = '1' WHERE Area_Permiso = 'Perfiles' AND Id_Perfil = '4'' at line 2

Upvotes: 3

Views: 92

Answers (2)

Francis Bailey

Reputation: 63

You shouldn't be "binding" column names. Where you have

SET :tipo = :valor

this is not proper syntax. Instead do

SET tipo=:valor

and there you have it

Upvotes: 0

jeroen

Reputation: 91734

The problem is:

SET :tipo = :valor

You can only use bound parameters for values, not for column names.

What you need to do in this case, is use a normal variable in your sql statement and check that variable against a white-list of allowed column names.

SET `{$checked_against_whitelist_column_name}` = :valor

Upvotes: 2
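Both answers make the same point: PDO placeholders carry values, never identifiers, so the column name has to be chosen from a fixed list and written into the SQL string itself. The following is an added example (not code from the question or from either answer) that does exactly that. It assumes the table and column names from the question (`t_perfiles_permisos`, `Area_Permiso`, `Id_Perfil`, `Buscar`); the other permission columns (`Editar`, `Eliminar`) and the in-memory SQLite table used as a stand-in for MySQL are constructed here so the script runs offline. PHP 8 is assumed for the constructor property promotion.

```php
<?php
declare(strict_types=1);

// Added example: the whitelist approach from the answers above. The column
// name is looked up in a fixed array of allowed names; only the matched
// literal is interpolated into the SQL, and every value is still bound.
final class PermisoUpdater
{
    /** Column names allowed in the SET clause (array keys for an O(1) lookup). */
    private const COLUMNAS_PERMITIDAS = ['Buscar' => true, 'Editar' => true, 'Eliminar' => true];

    public function __construct(private PDO $dbConnect) {}

    /**
     * Sets one permission flag for a profile in an area.
     * Returns the number of rows updated.
     */
    public function setPermiso(string $tipo, int $valor, string $area, int $idp): int
    {
        // Reject anything that is not one of the whitelisted literals. Note that
        // the list is deliberately narrower than the table schema: Id_Perfil is a
        // real column but must never be the target of this UPDATE.
        if (!isset(self::COLUMNAS_PERMITIDAS[$tipo])) {
            throw new InvalidArgumentException("Column not allowed: {$tipo}");
        }

        // $tipo is now one of the constant keys, so interpolating it is safe.
        // Backticks quote the identifier for MySQL (SQLite accepts them too).
        $sql = "UPDATE t_perfiles_permisos SET `{$tipo}` = :valor
                WHERE Area_Permiso = :area AND Id_Perfil = :idp";

        $stmt = $this->dbConnect->prepare($sql);
        // Values go through placeholders, exactly as in the question.
        $stmt->bindValue(':valor', $valor, PDO::PARAM_INT);
        $stmt->bindValue(':area', $area, PDO::PARAM_STR);
        $stmt->bindValue(':idp', $idp, PDO::PARAM_INT);
        $stmt->execute();

        return $stmt->rowCount();
    }
}

// Constructed fixture: an in-memory SQLite database stands in for MySQL so the
// example runs without a server. Table and column names follow the question.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE t_perfiles_permisos (
    Id_Perfil INTEGER, Area_Permiso TEXT, Buscar INTEGER, Editar INTEGER, Eliminar INTEGER)");
$pdo->exec("INSERT INTO t_perfiles_permisos VALUES (4, 'Perfiles', 0, 0, 0)");

$updater = new PermisoUpdater($pdo);

// The same update the question tried to run: column Buscar, value 1,
// area 'Perfiles', profile 4. Updates one row.
$rows = $updater->setPermiso('Buscar', 1, 'Perfiles', 4);
echo "Rows updated: {$rows}\n";

// A column that exists in the table but is not on the whitelist is rejected
// before any SQL is built.
try {
    $updater->setPermiso('Id_Perfil', 1, 'Perfiles', 4);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The check is an exact-key lookup rather than a pattern match, so the only strings that can ever reach the SQL text are the literals written in the class constant; user input decides which of them is used, never what they contain.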
