
So I'm trying to use PDO objects on my site instead of the old method (especially since I heard it is better for and am in the process of updating a bunch of queries. But for some reason, I cannot get prepare/execute to work no matter what I do.

dbconnect.php:

try {
    $main = new PDO("mysql:dbname=$dbmain;host=$dbhost", $dbuser, $dbpassword);
    $tracker = new PDO("mysql:dbname=$dbtracker;host=$dbhost", $dbuser, $dbpassword);
} catch (PDOException $ex) {
    echo "Connection failed: " . $ex->getMessage();
}

tracker.php

include 'dbconnect.php';

$page = $_SERVER['PHP_SELF']; //Get page name
$ip = $_SERVER['REMOTE_ADDR'];   //Get the IP address
$browser = $_SERVER['HTTP_USER_AGENT']; //Get the browser name

if(isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER']; //Get the page the visitor came from
}
else { //If not referred from any page, referer should be blank or an error occurs
    $referer = "";
}

$result = $tracker->prepare("INSERT INTO 'pages' ('page', 'ip', 'browser', 'referer') VALUES (:page, :ip, :browser, :referer)");
$result->execute(
            array(
                ':page' => $page,
                ':ip' => $ip,
                ':browser' => $browser,
                ':referer' => $referer
                )
            );

Secondly, could someone explain to me why I shouldn't use query() for everything? Right now I see that I should use query for non-dynamic queries, and prepare/execute for dynamic, but query works for both.

Thanks!

  • Any errors? What's wrong? Commented Apr 23, 2013 at 1:22
  • The whole point of using prepared/parameterized queries is so that you separate the data from the command. This makes SQL injection attacks impossible. If you use PDO::query() with arbitrary data, you don't have this separation, and SQL injection can occur. Commented Apr 23, 2013 at 1:24
  • @JohnVanDeWeghe, well, there are no errors showing, but the table is not being updated. Commented Apr 23, 2013 at 1:26
  • @Brad, oh! Okay, so that would be the equivalent of me using my previous method. Thanks. Commented Apr 23, 2013 at 1:26
  • @AndyLester, oh my god, I can't believe I forgot to look at my error logs. I was looking at the folder where my includes are, instead of where they were actually being executed, which is the main folder. It says it was a syntax error. That makes so much more sense. Commented Apr 23, 2013 at 1:40

1 Answer


The problem I see (there may be other problems) is that you are wrapping column names with single quotes. Column names and table names are identifiers, not string literals. If you have used a reserved keyword for them, or a column name or table name contains spaces, they should be escaped with backticks, not with single quotes:

INSERT INTO pages (page, ip, browser, referer) VALUES (...)
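The fix applied to the question's tracker.php, as an added example that is not part of the question or the answer. It also turns on PDO::ERRMODE_EXCEPTION, which is why the original failure was silent: with PDO's default error mode, prepare() on a statement with a syntax error just returns false and nothing is inserted. To run offline it assumes an in-memory SQLite database (its own assumption) instead of the MySQL connection in dbconnect.php; the function names, the sample request headers and the table definition are constructed for the example.

```php
<?php
// Added example, not code from the question or answer.
// Assumption: an in-memory SQLite database stands in for the MySQL `$tracker`
// connection from dbconnect.php; SQLite accepts backtick-quoted identifiers too.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // PDO defaults to ERRMODE_SILENT: a broken statement makes prepare() return
    // false with no exception, which is exactly what the question observed.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On a MySQL connection you would normally also set
    // PDO::ATTR_EMULATE_PREPARES to false so the server parses the statement.

    // Identifiers go in backticks (or bare); single quotes would turn them into
    // string literals, which is the syntax error in the original query.
    $pdo->exec("CREATE TABLE `pages` (`page` TEXT, `ip` TEXT, `browser` TEXT, `referer` TEXT)");
    return $pdo;
}

// Constructed stand-in for reading $_SERVER, so the function can be called with sample data.
function recordVisit(PDO $tracker, array $server): void {
    $page    = $server['PHP_SELF'] ?? '';
    $ip      = $server['REMOTE_ADDR'] ?? '';
    $browser = $server['HTTP_USER_AGENT'] ?? '';
    $referer = $server['HTTP_REFERER'] ?? '';   // absent when nobody linked here

    // Data travels as bound parameters, never inside the SQL text.
    $stmt = $tracker->prepare(
        "INSERT INTO `pages` (`page`, `ip`, `browser`, `referer`) VALUES (:page, :ip, :browser, :referer)"
    );
    $stmt->execute([
        ':page'    => $page,
        ':ip'      => $ip,
        ':browser' => $browser,
        ':referer' => $referer,
    ]);
}

$tracker = connect();

// Constructed sample request. Every one of these values is chosen by the client;
// the referer deliberately contains an apostrophe.
$sample = [
    'PHP_SELF'        => '/index.php',
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (example)',
    'HTTP_REFERER'    => "http://example.com/?q=it's",
];
recordVisit($tracker, $sample);

// query() is fine for a fixed statement that carries no client data.
$rows = $tracker->query("SELECT `page`, `referer` FROM `pages`")->fetchAll(PDO::FETCH_ASSOC);
if ($rows[0]['referer'] !== $sample['HTTP_REFERER']) {
    throw new RuntimeException('bound parameter was not stored verbatim');
}
echo "Stored referer verbatim: {$rows[0]['referer']}" . PHP_EOL;

// The same value spliced into the SQL string no longer parses: the apostrophe
// ends the literal early. This is the "data mixed with command" case from the comments.
try {
    $tracker->query("SELECT * FROM `pages` WHERE `referer` = '" . $rows[0]['referer'] . "'");
} catch (PDOException $e) {
    echo "Concatenated value broke the statement: " . $e->getMessage() . PHP_EOL;
}
```

Run it with `php tracker_example.php`. Binding protects the INSERT, but the page name, user agent and referer are still attacker-controlled strings; escape them for HTML when the tracker data is displayed later.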

1 Comment

This worked! I honestly didn't know the difference between a backtick and single quote until I googled it. Can't believe it was that easy.
