Well, I don't understand why this line doesn't execute correctly:

try {
    $sql = "UPDATE t_perfiles_permisos 
        SET :tipo = :valor
            WHERE Area_Permiso = :area AND Id_Perfil = :idp";
    $result = $this->dbConnect->prepare($sql) or die ($sql);
    $result->bindParam(':tipo',$this->tipo,PDO::PARAM_STR);
    $result->bindParam(':valor',$this->valor,PDO::PARAM_INT); 
    $result->bindParam(':area',$this->area,PDO::PARAM_STR);
    $result->bindParam(':idp',$this->idp,PDO::PARAM_INT);

    $result->execute();
} catch (PDOException $e) {
    echo "Error!! No se puede establecer el permiso: ".$e->getMessage()."<br/>";
    return false;
}

Error:

Error!! No se puede establecer el permiso: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Buscar' = '1' WHERE Area_Permiso = 'Perfiles' AND Id_Perfil = '4'' at line 2

2 Answers

The problem is:

SET :tipo = :valor

You can only use bound parameters for values, not for column names.

What you need to do in this case is use a normal variable in your SQL statement and check that variable against a white-list of allowed column names.

SET `{$checked_against_whitelist_column_name}` = :valor
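A complete version of the allow-list approach described in this answer, written as an added example (not the asker's code and not from this answer). It keeps the asker's table and column names (t_perfiles_permisos, Area_Permiso, Id_Perfil, Buscar); the extra permission columns, the function name setPermission and the in-memory SQLite fixture are assumptions made so the script runs without a MySQL server:

```php
<?php
// Added example: update a permission column chosen at runtime by validating the
// column name against a fixed allow-list, then binding only the values.
declare(strict_types=1);

// The only columns this code is ever allowed to update. A bound parameter can
// never stand in for an identifier, so the name must come from this list.
// Column names other than Buscar are assumptions for this example.
const ALLOWED_PERMISSION_COLUMNS = ['Buscar', 'Crear', 'Editar', 'Eliminar'];

function setPermission(PDO $db, string $tipo, int $valor, string $area, int $idp): int
{
    // Strict comparison: anything not in the list is rejected and never reaches the SQL text.
    if (!in_array($tipo, ALLOWED_PERMISSION_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown permission column: $tipo");
    }

    // $tipo is now one of our own literals, so interpolating it as an identifier is safe;
    // every caller-supplied value still goes through a bound parameter.
    $sql = "UPDATE t_perfiles_permisos SET `$tipo` = :valor "
         . "WHERE Area_Permiso = :area AND Id_Perfil = :idp";

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':valor', $valor, PDO::PARAM_INT);
    $stmt->bindValue(':area', $area, PDO::PARAM_STR);
    $stmt->bindValue(':idp', $idp, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed fixture: an in-memory SQLite table standing in for the MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE t_perfiles_permisos ("
        . "Area_Permiso TEXT, Id_Perfil INTEGER, Buscar INTEGER DEFAULT 0, Crear INTEGER DEFAULT 0)");
$db->exec("INSERT INTO t_perfiles_permisos (Area_Permiso, Id_Perfil) VALUES ('Perfiles', 4)");

// The values from the asker's error message: column Buscar, value 1, area Perfiles, profile 4.
$updated = setPermission($db, 'Buscar', 1, 'Perfiles', 4);
echo "rows updated: $updated\n";

// A column name that is not on the list is refused before any SQL is built,
// which is what protects the statement when $tipo comes from user input.
try {
    setPermission($db, 'Buscar`; --', 1, 'Perfiles', 4);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The check uses `in_array(..., true)` so the comparison is exact, and the backticks around the identifier are only a courtesy for reserved words; the allow-list, not the quoting, is what makes the interpolation safe.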
You shouldn't be "binding" column names. Where you have

SET :tipo = :valor

this is not proper syntax. Instead do

SET tipo=:valor

and there you have it
