
I get this error

(Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;)

I know it's regarding the code below as I get this error code in my console

([Tue Jan 21 21:32:11.564497 2020] [proxy_fcgi:error] [pid 14681:tid 140542562248448] [client 81.226.126.93:39132] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE rakel IN ('3 31-1710')' at line 1 in /var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php:144\nStack trace:\n#0 /var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php(144): PDOStatement->execute(Array)\n#1 /var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/sos/index.php(37): include('/var/www/vhosts...')\n#2 {main}\n thrown in /var/www/vhosts/stockholmblaljusklan.se/httpdocs/cad/assets/includes/utl/larm.php on line 144', referer: https://stockholmblaljusklan.se/cad/sos/index.php)

Does someone know how to solve this problem? Much appreciated!

if (isset($_POST['submit_units'])) {
    $units = $_POST['enheter'];
    $units_2 = implode(", ", $units);

    $query_3 = "UPDATE larm SET enheter=:enheter WHERE id=:id";
    $stmt = $db->prepare($query_3);
    $stmt->bindparam(":enheter", $units_2);
    $stmt->bindparam(":id", $id);
    $stmt->execute();

    $enheter_3 = explode(", ", $units_2);
    $count_2 = str_repeat('?,', count($enheter_3) - 1) . '?';

    $query_4 = "UPDATE fordon SET on_call=$id WHERE rakel IN ($count_2)";
    $stmt = $db->prepare($query_4);
    $stmt->execute($enheter_3);
}


I was not sure how to add all the below points in readable form in comments, so I am adding it here in the Answer section. Have a look at the below points:

  1. $id not set
  2. $stmt not closed after completing the query
  3. You did not set $id for 2nd query
  4. Comment out $enheter_3 = explode(", ", $units_2); $count_2 = str_repeat('?,', count($enheter_3) - 1) . '?'; and you can directly use $count_2 = str_repeat('?,', count($_POST['enheter']) - 1) . '?';
  5. Your last query is susceptible to the SQL injection attack
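A hardened version of the second update, added here as an example and not code from the question or the answer above. It binds `$id` as a parameter instead of interpolating it into the SQL string (an unset `$id` is exactly what produces `on_call= WHERE rakel IN (...)` and the 1064 error), keeps one positional placeholder per `rakel` value, and refuses to run on a missing or empty unit list. `$db`, `$id`, the `fordon` table and the `rakel`/`on_call` columns are taken from the question; the integer type of `$id` is an assumption.

```php
<?php
// Added example, not from the question or answer. Assumes $db is a PDO
// connection (ERRMODE_EXCEPTION) and $id is the integer id of the larm row.

function assignUnitsToCall(PDO $db, int $id, array $units): int
{
    // Keep only non-empty strings so nothing unexpected reaches the query.
    $rakel = array_values(array_filter($units, function ($u) {
        return is_string($u) && trim($u) !== '';
    }));
    if ($rakel === []) {
        throw new InvalidArgumentException('no units selected');
    }

    // One '?' per unit. PDO does not allow mixing named and positional
    // markers in one statement, so $id is passed positionally as well
    // (first element of the bound array) rather than spliced into the SQL.
    $placeholders = implode(',', array_fill(0, count($rakel), '?'));
    $sql = "UPDATE fordon SET on_call = ? WHERE rakel IN ($placeholders)";

    $stmt = $db->prepare($sql);
    $stmt->execute(array_merge([$id], array_map('trim', $rakel)));
    return $stmt->rowCount();
}

if (isset($_POST['submit_units'])) {
    // Fail early instead of sending a malformed statement to the server.
    if (!isset($id) || !is_array($_POST['enheter'] ?? null)) {
        http_response_code(400);
        exit('missing call id or unit list');
    }
    $updated = assignUnitsToCall($db, (int) $id, $_POST['enheter']);
}
```

Because every value now travels as a bound parameter, a unit name containing quotes or SQL keywords is stored and matched literally rather than changing the statement.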