
Sorry, I am getting these errors in my error logs:

PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1' in /home/payassur/public_html/admin/index.php:13
Stack trace:
#0 /home/payassur/public_html/admin/index.php(13): PDO->query('SELECT * FROM u...')
#1 {main}
  thrown in /home/payassur/public_html/admin/index.php on line 13

Below is line 13:

  $query = $db->query("SELECT * FROM users WHERE id = $u_id");
Jens

1 Answer


Your query is open to SQL injection; people have figured this out and are trying to inject the database. That is why you are having those errors in your error log. You should start using prepared statements to prevent SQL injections:

if (isset($u_id) && trim($u_id) != '') {
    // Placeholder keeps the user-supplied value out of the SQL text
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :u_id');
    $stmt->execute(array('u_id' => $u_id));
    $results = $stmt->fetchAll();
} else {
    $results = [];
}
DarkBee
  • That won't help if $_id is blank, as in the case of OP – Jens Jun 08 '17 at 09:14
  • Why should it be blank? Someone could have changed a querystring to `www.example.com?u_id='`. OP is stating he/she finds this error in the error log, so surely it's not because OP is still testing his/her own code? – DarkBee Jun 08 '17 at 09:18
  • see the comment of op: *No, $u_id not have value* – Jens Jun 08 '17 at 09:19
  • Well OP said `$u_id` was holding an id, not a value, `$u_id not have value but id`, that does not make it empty – DarkBee Jun 08 '17 at 09:28
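The lookup the answer recommends, carried one step further as an added example (not code from the question or the answer): the id is validated as a positive integer before any SQL is prepared, then bound as PDO::PARAM_INT, so a blank value or a stray quote yields "no user" instead of a PDOException in the error log. The users table and the in-memory SQLite database are constructed here so the script runs offline.

```php
<?php
// Added example; assumes the pdo_sqlite extension. The table layout
// (users: id, name) is made up for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so that
// parameters are bound by the server rather than interpolated client-side.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

/**
 * Look up a user by id. Returns the row, or null when the id is missing,
 * is not a positive integer, or does not exist. The raw input never
 * reaches the SQL text: it is validated first and then bound as an integer.
 */
function fetchUserById(PDO $db, $rawId): ?array
{
    // Validate before touching the database: null, '' and "'" all fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :u_id');
    $stmt->bindValue(':u_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inputs a request might carry (constructed): a valid id, a blank value
// (the OP's case), a stray quote (the case DarkBee describes) and an
// unknown id. None of them raise a PDOException; the caller decides the
// HTTP status, e.g. $u_id = $_GET['u_id'] ?? null before the lookup.
foreach (['2', '', "'", '99'] as $input) {
    $row = fetchUserById($db, $input);
    printf("%-6s => %s\n", var_export($input, true), $row ? $row['name'] : 'no user (HTTP 400/404)');
}
```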