PHP 500 Internal Server Error

Hey! This code is giving me a 500 error in php.


$con = new PDO("mysql:host=localhost;dbname=img",'redacted','redacted');

if (isset($_POST["submit"])) {
	$str = $_POST["search"];
	$sth = $con->prepare("SELECT * FROM `searchv2` WHERE Name = '$str'");

	$sth->setFetchMode(PDO:: FETCH_OBJ);
	$sth -> execute();
    $path = $row->Path;
	if($row = $sth->fetch())
		echo "<br><br><br>";
        echo "<a href='${path}'>";
        echo '    <div class="siimple-box">';
                echo '<div class="siimple-box-title">${row->Name}</div>';
               echo ' <div class="siimple-box-detail">${row->Description}</div>';
            echo "</div>";
       echo "</a>";
			echo "No results. Maybe try another search?";

    echo "Please enter a search term.";


Any idea what is wrong? I ran this through a few online checkers and nothing seemed to be wrong.


 $path = $row->Path;
	if($row = $sth->fetch())

$row doesn’t exist yet when you call $row->Path
You define row on the next line.

Also, watch out with your SQL injection, it doesn’t look like you’re using the parameterized queries that come with PDO, unless I’ve misunderstood the syntax ("SELECT * FROM searchv2 WHERE Name = '$str'") I think $str should be ? and then you use arguments to pass in the value.


Ok, I’ll check that out. I though PDO prevented SQL injections? Not sure.

Yes it does, if you use the parameter binding, as @SteGriff says. For example (untested)

	$sth = $con->prepare("SELECT * FROM `searchv2` WHERE Name = ?");
	$sth -> execute($str);

EDIT - might need to pass an array …

	$sth -> execute(array($str));