Pdo->prepare problem

I’m having a problem with a pdo->prepare statement giving me an error. Here’s the statement:

<?php

$srcs = glob('download/.tar.');
$src = $srcs[count($srcs) - 1];
$srcname = basename($src);
$md5src = md5_file($src);

print_r($srcname);
print_r($md5src);

$php_scripts = '…/php/';
require $php_scripts . 'PDO_Connection_Select.php';

if (!$pdo = PDOConnect("foxclone_data"))
{
    $chk = 0;
}

$stmt = $pdo->prepare("UPDATE files SET filename = '$srcname', md5 = '$md5src', logtime=now() WHERE id = 4");
$stmt->execute();

I know it’s probably obvious, but I’ve been looking at this code for days and just not seeing it.

Thanks for your help.

And…the error is?

Also doesn’t look like you are binding any params? (and just using variables?)

Yes, just using variables.

Error: Fatal error : Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘files’ SET filename = ‘foxclone46-src.tar.gz’, md5 = ‘7618f1e564b4ee3556a9af28bc…’ at line 1 in /home/foxclo98/public_html/update.php:118 Stack trace: #0 /home/foxclo98/public_html/update.php(118): PDO->prepare(‘UPDATE ‘files’ …’) #1 {main} thrown in /home/foxclo98/public_html/update.php on line 118

MariaDB may consider files or md5 to be functions, and may be trying to parse them as such. I think it’s good practice to use less generic column names to avoid this kind of problem. Try adding backticks ` around `files` and `md5` and see if that helps.

As an aside - injecting parameters into your query in that way is incredibly insecure and you should get out of the habit. Use parameter binding instead:

$stmt = $pdo->prepare(
    "UPDATE files SET filename = ?, md5 = ?, logtime=now() WHERE id = ?"
);

$stmt->execute([$srcname, $md5src, 4]) ;

Easy as that.
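The difference between the interpolated query and the bound-parameter query discussed above, as an added example that is not part of the original thread: it runs both forms over constructed file names and reports what ends up stored. Assumptions: an in-memory SQLite database (pdo_sqlite extension) stands in for the MariaDB server, so CURRENT_TIMESTAMP replaces now(); the helper names makeDb, updateInterpolated, updateBound and outcome are hypothetical.

```php
<?php
// Added example; SQLite in memory stands in for the thread's MariaDB server
// (assumes the pdo_sqlite extension), so CURRENT_TIMESTAMP replaces now().
function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, filename TEXT, md5 TEXT, logtime TEXT)');
    $pdo->exec("INSERT INTO files (id, filename, md5) VALUES (4, 'old.tar.gz', 'old')");
    return $pdo;
}

// The thread's original form: values are pasted into the SQL text.
function updateInterpolated(PDO $pdo, string $srcname, string $md5src): void {
    $stmt = $pdo->prepare("UPDATE files SET filename = '$srcname', md5 = '$md5src', logtime = CURRENT_TIMESTAMP WHERE id = 4");
    $stmt->execute();
}

// The suggested form: placeholders carry the values; identifiers stay fixed in the SQL text.
function updateBound(PDO $pdo, string $srcname, string $md5src): void {
    $stmt = $pdo->prepare('UPDATE `files` SET `filename` = ?, `md5` = ?, `logtime` = CURRENT_TIMESTAMP WHERE `id` = ?');
    $stmt->execute([$srcname, $md5src, 4]);
}

// Runs one update on a fresh database and reports what ended up stored.
function outcome(callable $update, string $srcname, string $md5src): string {
    $pdo = makeDb();
    try {
        $update($pdo, $srcname, $md5src);
    } catch (PDOException $e) {
        return 'statement rejected';
    }
    $stored = $pdo->query('SELECT filename FROM files WHERE id = 4')->fetchColumn();
    return $stored === $srcname ? 'stored exactly' : "stored as $stored";
}

// Constructed file names of the kind glob() can return from a download directory.
$names = ['foxclone46-src.tar.gz', "fox'clone-src.tar.gz", "fox''clone-src.tar.gz"];
$md5src = md5('constructed file contents');
foreach ($names as $name) {
    printf("%-24s interpolated: %-32s bound: %s\n", $name,
        outcome('updateInterpolated', $name, $md5src),
        outcome('updateBound', $name, $md5src));
}
```

Placeholders only stand in for values, so the table and column names are written into the statement text directly, here with the backticks mentioned earlier in the thread.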

Reformatted prepare statements as suggested and added backticks to table name and column names, still getting same error.

Can you manually recreate the query you’re running, then see if that runs directly on your DB server?

When run in phpmyadmin on my web host, this works:

UPDATE `files` SET `filename`="Sources",`md5`= "ddddeeed",`logtime`= Now() WHERE `id` = 4;

NOTE: in phpmyadmin, table name and field names have backticks.

What is the current code you have showing the modifications?

That says files is in quotes, not backticks

That’s probably * the syntax of the error message calling attention to the syntax problem found near the ‘files’ part of the sql statement.

* between OPs posting code/errors as text or quotes and the forum software formatting/beautifying it, cannot trust what you see anymore (I have had to click on the edit post icon regularly to see what the raw information actually is.)

Doesn’t look like it… the first quote yes, not the second

I added a qualifier in my reply above…
