SQLSTATE[HY000]: General error with PHP and PDO

Question

I have a little login script.

function login($sql) {
try {                   
    $fbhost = "localhost";
    $fbname = "foodbank";
    $fbusername = "root";
    $fbpassword = "";
    $DBH = new PDO("mysql:host=$fbhost;dbname=$fbname",$fbusername,$fbpassword);
    $DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $STH = $DBH->query($sql);       
    $STH->setFetchMode(PDO::FETCH_ASSOC);

    session_start();        
    if ($row = $STH->fetch()) {
        $_SESSION['username'] = "$row[username]";
        header("Location:index.php");   
    }
} catch(PDOException $e) {
    echo $e->getMessage();
}
}

EDITS:

index.php

$sql = "SELECT username from users where username = ". $_POST['username'] ." AND password = ". $_POST['password'] ."";
login($sql);

Changed above from insert to select query. Now I get new error: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'pvtpyro' in 'where clause'

Answer 1

Based on your latest edit: You can't fetch results with PDO after executing an INSERT query. See here: http://www.php.net/manual/en/pdostatement.fetch.php#105682

Edit: I suppose, since the function's called "login", you want to have something like this as $sql: "SELECT password FROM users WHERE username = :username", and then iterate over the results with the while loop, and then log in the user if the password matches?

Edit2: Based on your edit to provide a SELECT query: DO NOT USE THIS QUERY. What you are doing is NOT SQL injection proof. Never ever use variables from user input (i.e. $_POST, $_GET et al) and put them unfiltered into an SQL query. Please look up the term "prepared statements" here at SO or Google. As you can see, since you forgot to put single ticks (apostrophes) before and after the double quotes, MySQL thinks that your input refers to another column ("pvtpyro") instead of comparing the value in the column against a string. ALWAYS use the ":username", ":password" syntax (the one with prepended colons) or your queries will be unsafe and enormously dangerous to your application.

Answer 2

If I undestand correctly, $data $STH->execute($data); should be an array, even if value is one. So, you may try replacing that query with $STH->execute(array($data));

edited:

Change your lines to this:

$data = array($_POST["username"], $_POST["password"]);
$sql = "INSERT INTO users (username, password) value (?, ?)";


$STH = $DBH->prepare($sql);
$STH->execute($data);

Answer 3

The constructor of PDO uses 2 variables which are not defined in the code you supplied - $fbhost and $fbname.

EDIT:
You're calling session_start() inside the while loop, which can cause errors. Take it out of the loop.

EDIT 2:
You should really debug the code. Either via putting die in different parts of the code, outputting some helpful information just before (which is the less preferred way) OR by using xdebug and an IDE, which will allow you to run line by line, and see the exact state of each variable and such.

Answer 4

Seems to me that you're not connected to your database properly... I had this error earlier today and it was for that reason. Either that or you have an incorrect string