Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") VALUES ()' at line 1' in C:\xampp\htdocs\PhpProject1\userv2.php:120
Stack trace:
#0 C:\xampp\htdocs\PhpProject1\userv2.php(120): PDOStatement->execute()
#1 C:\xampp\htdocs\PhpProject1\create.php(41): User->Save()
#2 {main}
thrown in C:\xampp\htdocs\PhpProject1\userv2.php on line 120
We used backticks for the column names, as was suggested in a few of the posts here, but it doesn't solve the error completely. I read similar posts but couldn't find the solution, so I am posting the error and code for your help. Thanks in advance.
<?php
/*
 * Member variable declarations
 */
class User {
    private $ID;
    private $objPDO;
    private $strTableName;
    private $arRelationMap;
    private $blForDeletion;
    private $FirstName;
    private $LastName;
    private $Username;
    private $Password;
    private $EmailAddress;
    private $DateLastLogin;
    private $TimeLastLogin;
    private $DateAccountCreated;
    private $TimeAccountCreated;

    // The constructor initialises the object; when an $id is given it loads that row
    public function __construct(PDO $objPDO, $id = NULL) {
        $this->strTableName = `system_user`;
        $this->arRelationMap = array(
            `id` => "ID",
            `first_name` => "FirstName",
            `last_name` => "LastName",
            `username` => "Username",
            `md5_pw` => "Password",
            `email_address` => "EmailAddress",
            `date_last_login` => "DateLastLogin",
            `time_last_login` => "TimeLastLogin",
            `date_account_created` => "DateAccountCreated",
            `time_account_created` => "TimeAccountCreated");
        $this->objPDO = $objPDO;
        if (isset($id)) {
            $this->ID = $id;
            $strQuery = "SELECT ";
            foreach ($this->arRelationMap as $key => $value) {
                $strQuery .= "\"" . $key . "\",";
            }
            $strQuery = substr($strQuery, 0, strlen($strQuery) - 1);
            $strQuery .= "FROM" . $this->strTableName . " WHERE \"id\" = :eid";
            $objStatement = $this->objPDO->prepare($strQuery);
            $objStatement->bindparam(' :eid', $this->ID, PDO::PARAM_INT);
            $objStatement->execute();
            $arRow = $objStatement->fetch(PDO::FETCH_ASSOC);
            foreach ($arRow as $key => $value) {
                $strMember = $this->arRelationMap[$key];
                if (property_exists($this, $strMember)) {
                    if (is_numeric($value)) {
                        eval('$this->' . $strMember . ' = ' . $value . ';');
                    } else {
                        eval('$this->' . $strMember . ' = "' . $value . '";');
                    }
                }
            }
        }
    }

    public function Save() {
        if (!isset($this->ID)) {
            $strValueList = "";
            $strQuery = 'INSERT INTO "' . $this->strTableName . '"(';
            foreach ($this->arRelationMap as $key => $value) {
                eval('$actualVal = &$this->' . $value . ';');
                if (isset($actualVal)) {
                    var_dump($actualVal);
                    $strQuery .= '"' . $key . '", ';
                    $strValueList .= ":$value, ";
                }
            }
            $strQuery = substr($strQuery, 0, strlen($strQuery) - 2);
            $strValueList = substr($strValueList, 0, strlen($strValueList) - 2);
            $strQuery .= ") VALUES (";
            $strQuery .= $strValueList;
            $strQuery .= ")";
            unset($objStatement);
            $objStatement = $this->objPDO->prepare($strQuery);
            foreach ($this->arRelationMap as $key => $value) {
                eval('$actualVal = &$this->' . $value . ';');
                if (isset($actualVal)) {
                    if ((is_int($actualVal)) || ($actualVal == NULL)) {
                        $objStatement->bindValue(':' . $value, $actualVal, PDO::PARAM_INT);
                    } else {
                        $objStatement->bindValue(':' . $value, $actualVal, PDO::PARAM_STR);
                    }
                }
            }
            $objStatement->execute();
            $this->ID = $this->objPDO->lastInsertId($this->strTableName . "_id_seq");
        }
    }
$strQuery just prior to the prepare statement?

eval() is evil! And in the context you are using it, it is completely unnecessary; you can simply do

$this->$strMember = $value;

and it will work fine.

Secondly, using backticks is a good idea, but you have done it wrong. The backticks should be part of the PHP string, not used to quote it, e.g. `name` becomes '`name`'.

You have also not used it to quote the field names in statements, e.g.

$strQuery .= "\"" . $key . "\",";

should be

$strQuery .= "`" . $key . "`,";

and

" WHERE \"id\" = :eid"

should be

" WHERE `id` = :eid"
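Putting the answer's points together, the following is an added example (my code, not the asker's or the answerer's) of the constructor and Save() rewritten without eval() and with identifiers quoted inside PHP strings. It also fixes two things visible in the posted code that the answer does not mention: the missing spaces around FROM and the leading space in ' :eid'. Two points are worth spelling out because they are security-relevant, not just syntax. First, in PHP a backtick-delimited literal such as `system_user` is the shell-execution operator, equivalent to shell_exec('system_user'); the posted constructor therefore runs one shell command per map entry and stores whatever those commands print as the table and column names. On a box where none of those commands exists the results are empty, every map key collapses to "", and Save() builds INSERT INTO ") VALUES (), which is exactly the text MySQL complains about in the 1064 error above. Second, eval('$this->X = "' . $value . '";') turns any stored value containing a double quote or a $ into PHP code, so a row read from the database can execute code in the application. The example keeps the column list as a fixed whitelist (the only strings ever spliced into SQL, since identifiers cannot be bound), passes every value through a placeholder, and exposes the generated INSERT so it can be inspected before prepare(), which is what the first comment asks for. Table and column names follow the asker's map; the DSN in the usage comment is a placeholder.

```php
<?php
// Added example (not the asker's or the answerer's code). Table and column
// names are taken from the asker's map; everything else is assumed.

class User
{
    // Fixed column => property whitelist. These are the only strings ever
    // spliced into SQL (identifiers cannot be bound) and are always backtick-quoted.
    private const RELATION_MAP = [
        'id' => 'ID', 'first_name' => 'FirstName', 'last_name' => 'LastName',
        'username' => 'Username', 'md5_pw' => 'Password', 'email_address' => 'EmailAddress',
        'date_last_login' => 'DateLastLogin', 'time_last_login' => 'TimeLastLogin',
        'date_account_created' => 'DateAccountCreated', 'time_account_created' => 'TimeAccountCreated',
    ];
    // A quoted PHP string. `system_user` in backticks would be PHP's shell
    // execution operator (shell_exec) and yield that command's output instead.
    private const TABLE = 'system_user';

    private $objPDO;
    private $ID, $FirstName, $LastName, $Username, $Password, $EmailAddress,
            $DateLastLogin, $TimeLastLogin, $DateAccountCreated, $TimeAccountCreated;

    public function __construct(?PDO $objPDO = null, ?int $id = null)
    {
        $this->objPDO = $objPDO;
        if ($id === null) {
            return;
        }
        $cols = implode(', ', array_map([self::class, 'quoteIdent'], array_keys(self::RELATION_MAP)));
        $stmt = $this->objPDO->prepare(
            'SELECT ' . $cols . ' FROM ' . self::quoteIdent(self::TABLE) . ' WHERE `id` = :eid'
        );
        $stmt->bindValue(':eid', $id, PDO::PARAM_INT); // ':eid', not ' :eid'
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new RuntimeException("No system_user row with id $id");
        }
        foreach ($row as $column => $value) {
            // Variable property name instead of eval(): the DB value stays data, never PHP code.
            $property = self::RELATION_MAP[$column];
            $this->$property = $value;
        }
    }

    // Set a property by its map name (e.g. 'Username'); anything else is rejected.
    public function set(string $property, $value): void
    {
        if ($property === 'ID' || !in_array($property, self::RELATION_MAP, true)) {
            throw new InvalidArgumentException("Unknown or read-only property: $property");
        }
        $this->$property = $value;
    }

    // MySQL identifier quoting: wrap in backticks and double any embedded backtick.
    private static function quoteIdent(string $name): string
    {
        return '`' . str_replace('`', '``', $name) . '`';
    }

    // Build the INSERT from the properties that are set. Kept separate from Save()
    // so the statement can be inspected before prepare(). $bindings receives the
    // placeholder => value pairs for the same statement.
    public function insertSql(array &$bindings = []): string
    {
        $columns = $placeholders = $bindings = [];
        foreach (self::RELATION_MAP as $column => $property) {
            if ($column === 'id' || $this->$property === null) {
                continue;
            }
            $columns[] = self::quoteIdent($column);
            $placeholders[] = ':' . $property;
            $bindings[':' . $property] = $this->$property;
        }
        if ($columns === []) {
            // Fail loudly instead of emitting "() VALUES ()" for MySQL to reject
            throw new LogicException('Nothing to insert: no property is set');
        }
        return 'INSERT INTO ' . self::quoteIdent(self::TABLE)
            . ' (' . implode(', ', $columns) . ') VALUES (' . implode(', ', $placeholders) . ')';
    }

    public function Save(): void
    {
        if ($this->ID !== null) {
            return; // the update path is out of scope, as in the original
        }
        $stmt = $this->objPDO->prepare($this->insertSql($bindings));
        foreach ($bindings as $name => $value) {
            $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        $this->ID = (int) $this->objPDO->lastInsertId(); // MySQL ignores the sequence-name argument
    }
}

// Offline check of the generated statement (no database connection needed):
$user = new User();
$user->set('Username', 'alice');
$user->set('EmailAddress', 'alice@example.com');
echo $user->insertSql(), PHP_EOL;
// With a connection (placeholder DSN): new User(new PDO('mysql:host=127.0.0.1;dbname=app', 'u', 'p')), set(...), Save()
```

Running the file as-is prints the INSERT for the two properties that were set, with the table and column names in backticks and the values represented only by :Username and :EmailAddress placeholders; nothing the caller supplies ever reaches the SQL text. The constructor accepts a null PDO only so that insertSql() can be exercised without a database; in the application you would pass the same PDO object the asker's create.php already has.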