
I'm trying to insert variables into my database where the user data comes from $_SESSION['user'].

<?php

require("common.php");

if(empty($_SESSION['user']))
{
    header("Location: login.php");

    die("Redirecting to Login");
}

$user = $_SESSION['user'];

~calculations done~

$query = "INSERT INTO db (role,rolesub) VALUES ('$varRole','$varRoleSub') WHERE user = $user";

$query_params = array(
    ':role' => $varRole,
    ':roleSub' => $varRoleSub
);
try
{
    $stmt = $db->prepare($query);
    $result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
    die("Failed to run query 3: " . $ex->getMessage());
}

I keep getting this error:

Failed to run query 3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE user = Array' at line 1

I can not see where my WHERE clause is failing on me.

Any help would be greatly appreciated!!!

  • As the error message clearly shows, $_SESSION['user'] is an array. You need to find out which value inside that array is the one you want and use the appropriate key to extract it. Commented May 2, 2014 at 18:10
  • You are vulnerable to SQL injection attacks. Your placeholders are utterly useless since you don't actually HAVE any actual placeholders in the query. Commented May 2, 2014 at 18:29
  • Thank you! I completely spaced when I was working the placeholders in. Got it working with the UPDATE. When I check the database, the data inputted into my two fields come up :role and :ro...not the data it should have. Commented May 2, 2014 at 22:27

3 Answers


You cannot have a WHERE clause in an INSERT statement.

You're either looking for:

UPDATE db SET role = '$varRole', rolesub = '$varRoleSub' WHERE user = $user

Or:

INSERT INTO db (role,rolesub,user) VALUES ('$varRole','$varRoleSub',$user)

Or if you're feeling extra saucy, and user is your PK:

INSERT INTO db (role,rolesub,user) VALUES ('$varRole','$varRoleSub',$user)
  ON DUPLICATE KEY UPDATE role = '$varRole', rolesub = '$varRoleSub'

"You cannot have a WHERE clause in an INSERT statement." --- True, but not entirely true. The only time you will find INSERT that has a WHERE clause is when you are using an INSERT INTO...SELECT statement.
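The UPDATE and INSERT ... ON DUPLICATE KEY UPDATE forms from the answer above, rewritten with real PDO placeholders so the values never touch the query string (the comment on the question is right that the original had none). This is an added example, not code from the original post. It assumes common.php starts the session and provides a PDO handle $db with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION, that the table is `db` with a PRIMARY or UNIQUE key on `user`, and that $_SESSION['user'] is an array whose 'id' element is the user's numeric id (the error shows it is an array; the key name 'id' is an assumption). The symptom reported in the third comment, the literal text ":role" landing in the column, is what you get when a placeholder is written inside quotes ('":role"'), which makes it a string literal rather than a parameter; the placeholders below are bare.

```php
<?php
// Added example (not from the original post). Assumptions: common.php
// starts the session and defines $db (PDO, ERRMODE_EXCEPTION); table `db`
// has a PRIMARY/UNIQUE key on `user`; $_SESSION['user']['id'] holds the id
// (the key name 'id' is assumed, the question only shows it is an array).
require("common.php");

if (empty($_SESSION['user']['id'])) {
    header("Location: login.php");
    die("Redirecting to Login");
}

// Extract the scalar. Interpolating the whole array into the query string
// is what produced "WHERE user = Array" in the question.
$userId = (int) $_SESSION['user']['id'];

// Stand-ins for the "~calculations done~" step of the original (constructed
// sample values; the real code computes them).
$varRole    = 'member';
$varRoleSub = 'none';

/**
 * Update the role columns of an existing row. Placeholders are bare
 * :role / :rolesub / :user, never quoted: ':role' inside quotes is a
 * string literal and the text ":role" would be stored in the column.
 * Returns the number of rows MySQL reports as changed (rows whose values
 * did not change are not counted unless PDO::MYSQL_ATTR_FOUND_ROWS is set).
 */
function updateRole(PDO $db, int $userId, string $role, string $roleSub): int
{
    $sql  = "UPDATE `db` SET role = :role, rolesub = :rolesub WHERE user = :user";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':role'    => $role,
        ':rolesub' => $roleSub,
        ':user'    => $userId,
    ]);
    return $stmt->rowCount();
}

/**
 * Insert-or-update in one statement (requires a PRIMARY/UNIQUE key on user).
 * VALUES(col) refers to the value that would have been inserted, so each
 * placeholder is bound exactly once; reusing the same named placeholder
 * twice in one statement fails when PDO::ATTR_EMULATE_PREPARES is false.
 */
function upsertRole(PDO $db, int $userId, string $role, string $roleSub): void
{
    $sql  = "INSERT INTO `db` (role, rolesub, user) VALUES (:role, :rolesub, :user)
             ON DUPLICATE KEY UPDATE role = VALUES(role), rolesub = VALUES(rolesub)";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':role'    => $role,
        ':rolesub' => $roleSub,
        ':user'    => $userId,
    ]);
}

try {
    // Either call works on its own; the upsert is the one-statement form.
    upsertRole($db, $userId, $varRole, $varRoleSub);
} catch (PDOException $ex) {
    // Keep driver error text out of the response; log it server-side instead.
    error_log("role update failed: " . $ex->getMessage());
    die("Failed to update role");
}
```

The user id is cast to int before binding, which both guards against a stray array or string in the session and matches an integer key column; if `user` is a string column, bind the raw value instead and keep the placeholder.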

INSERT queries do not and cannot have a WHERE clause. This is the cause of the MySQL syntax error. If you need to insert based on some condition, you need to do that logic before the INSERT query.

If you want to do an UPDATE query then you can use the WHERE clause, however, the MySQL error shows $_SESSION['user'] is an array, which can't be put directly into SQL, so you'll need to access one of its elements such as $_SESSION['user']['id'].


First of all, IF you could have a WHERE in the same query as an INSERT, variables need to be separate from the string (outside of the quotes). BUT you CAN'T put a WHERE clause into an INSERT.

So you could change this line:

$query = "INSERT INTO db (role,rolesub) VALUES ('$varRole','$varRoleSub') WHERE user = $user";

to:

$query = "INSERT INTO db (role,rolesub) VALUES (" . $varRole . ", " . $varRoleSub . ")";
