How can I dynamically generate a table name in a SQL query? - php

I have a SQL query that uses a MySQL database to get information from. The table names start with a constant and have a different IMEI number at the end.
gs_object_data_12345678
The 12345678 is identified as $_GET in my script, but when I try to change the table name it does not show the data in that table.
$imei = $_GET['imei'];
$result = $db->query("SELECT * FROM gs_object_data_'$imei' LIMIT 200 ");
If I use the string as below it works
$result = $db->query("SELECT * FROM gs_object_data_12345678 LIMIT 200 ");
I need to change the table name with the $_GET information.
The URL alarm_action.php?id=58543&reg=****&imei=862202228007105 has the IMEI in it, so the information should pull through.

Use it like this:
$imei = $_GET['imei'];
$result = $db->query("SELECT * FROM gs_object_data_" . $imei . " LIMIT 200 ");
or
$result = $db->query("SELECT * FROM gs_object_data_{$imei} LIMIT 200 ");
Be aware: How does the SQL injection from the "Bobby Tables" XKCD comic work?
In a protected way:
$imei = $_GET['imei'];
// A placeholder cannot stand in for a table name (prepare() fails on "gs_object_data_?"),
// so the IMEI is checked to be digits only before it is placed in the identifier.
if (!ctype_digit($imei)) {
    die('invalid imei');
}
$stmt = $db->prepare("SELECT * FROM gs_object_data_{$imei} LIMIT 200");
$stmt->execute();
$result = $stmt->get_result();
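The point the answers above circle around is that bound parameters only work for values, never for identifiers such as a table name. The following is an added example (not code from the question or the answers) showing the defensive pattern for a dynamic table name: the IMEI is validated against a strict digits-only pattern, the resulting name is confirmed to exist via information_schema (where the table name is an ordinary string value and can be bound), and only then is it interpolated. It assumes a mysqli connection in $db and the gs_object_data_ prefix from the question; the IMEI length limit of 15 digits is an assumption.

```php
<?php
// Added example, not part of the original answers.
// Assumes: $db is a connected mysqli instance; tables are named gs_object_data_<imei>.

function gs_table_for_imei(mysqli $db, string $imei): ?string
{
    // Accept only 1..15 decimal digits (assumed IMEI format); anything else is rejected
    // before it gets anywhere near a query string.
    if (!preg_match('/^\d{1,15}$/', $imei)) {
        return null;
    }
    $table = 'gs_object_data_' . $imei;

    // The table name is a string VALUE in this query, so it can be bound normally.
    // This confirms the device table really exists instead of trusting the input.
    $stmt = $db->prepare(
        'SELECT 1 FROM information_schema.tables '
        . 'WHERE table_schema = DATABASE() AND table_name = ?'
    );
    $stmt->bind_param('s', $table);
    $stmt->execute();
    $exists = $stmt->get_result()->num_rows === 1;
    $stmt->close();

    return $exists ? $table : null;
}

function fetch_device_rows(mysqli $db, string $imei, int $limit = 200): array
{
    $table = gs_table_for_imei($db, $imei);
    if ($table === null) {
        return [];   // unknown or malformed device id: nothing to read
    }
    // Safe to interpolate: $table is a fixed prefix plus validated digits.
    // Backticks keep the identifier unambiguous; LIMIT is bound as an integer.
    $stmt = $db->prepare("SELECT * FROM `{$table}` LIMIT ?");
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$rows = fetch_device_rows($db, $_GET['imei'] ?? '');
if ($rows === []) {
    http_response_code(404);
    exit('no data for this device');
}
foreach ($rows as $row) {
    print_r($row);
}
```

The information_schema check is the part that turns "looks like digits" into "is one of our tables"; if the set of devices is small, an in-memory whitelist array gives the same guarantee without the extra round trip.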

Related

How do I add a string at the end of user input in SQL/PHP

I have a SQL query that is based on user input.
However, in the table, there's a "-1" at the end of every word that you search for.
For example if you want to get the sql result of car, it's actually named car-1 in the database, but the user should only be able to search for car.
This is how it's set up:
$sql = "SELECT * FROM that WHERE this = ?";
$stmt = $conn->prepare($sql);
$search_query = $_POST['this'];
$stmt->bind_param('s', $search_query);
$stmt->execute();
$result = $stmt->get_result();
What I want, is that the select query should be like:
$sql = "SELECT * FROM that WHERE this = ? + '-1'";
But ^^ doesn't work.
$sql = "SELECT * FROM test WHERE NAME='car' & -1";
test = that
NAME= table name
'car' = this
Why don't you just concatenate -1 to search_query:
$sql = "SELECT * FROM that WHERE this = ?";
$stmt = $conn->prepare($sql);
// bind_param() takes its arguments by reference, so the suffix has to be
// added to a variable first rather than passed as an expression.
$search_query = $_POST['this'] . '-1';
$stmt->bind_param('s', $search_query);
$stmt->execute();
$result = $stmt->get_result();
Using MySQL:
$sql = "SELECT * FROM that WHERE this = CONCAT(?, '-1')";
Using PHP:
$search_query = $search_query . "-1";   // bind_param() needs a variable, not an expression
$stmt->bind_param('s', $search_query);
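Both approaches from the answers above are shown side by side in this added example (it is not code from the original posts). It makes explicit the trap that mysqli_stmt::bind_param() binds by reference, so an expression such as $search_query . '-1' cannot be handed to it directly; the suffix is either built into a variable first or appended by MySQL with CONCAT(). It assumes a mysqli connection in $conn and the table and column names from the question.

```php
<?php
// Added example, not part of the original answers.
// Assumes: $conn is a connected mysqli instance; table "that" with column "this".

// Option 1: the suffix is added in PHP and the finished value is bound.
function search_with_php_suffix(mysqli $conn, string $term): array
{
    $needle = $term . '-1';                       // plain variable: bindable by reference
    $stmt = $conn->prepare('SELECT * FROM that WHERE this = ?');
    $stmt->bind_param('s', $needle);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Option 2: the raw term is bound and MySQL appends the suffix.
// The user-supplied text never becomes part of the SQL text in either option.
function search_with_sql_concat(mysqli $conn, string $term): array
{
    $stmt = $conn->prepare("SELECT * FROM that WHERE this = CONCAT(?, '-1')");
    $stmt->bind_param('s', $term);               // $term is a local variable, fine
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$term = trim($_POST['this'] ?? '');
if ($term === '') {
    exit('empty search');
}
print_r(search_with_php_suffix($conn, $term));
print_r(search_with_sql_concat($conn, $term));
```

Option 2 is the one to prefer when the suffix rule lives in the database schema, because the query documents it; option 1 keeps the rule in application code.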

Cant insert string into mysql query

I'm trying to make a login page in PHP, and I'm trying to construct the query here:
$q = 'SELECT * FROM users WHERE userid="'+$username+'"';
When I echo it out with
echo $q
I get 0. When I do
$q = 'SELECT * FROM users WHERE userid="'+"test"+'"';
I get 0. When I do
$q = 'SELECT * FROM users WHERE userid="michael"';
I get my expected result of the string being printed out
Use a . for concatenation; also don't forget to sanitize the data to prevent MySQL injection.
$user_id = 'test';
$q = 'SELECT * FROM users WHERE userid="' . $user_id . '"';
Try using a PDO Prepared statement to protect yourself from SQL injection.
$q = 'SELECT * FROM users WHERE userid = ?';
$stmt = $dbh->prepare($q);
if ($stmt->execute(array($username))) {
    while ($row = $stmt->fetch()) {
        print_r($row);
    }
}
http://php.net/manual/en/pdo.prepared-statements.php
You can use the . operator:
$user_id = 'michael';
$q = 'SELECT * FROM users WHERE userid="'.$user_id.'"';
or use double quotes for the expression and single quotes around the variables:
$user_id = 'michael';
$q = "SELECT * FROM users WHERE userid='$user_id'";
I believe the second option is the shortest and easiest to remember.
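Since the question is about a login page, the added example below (not code from the original answers) takes the PDO prepared-statement suggestion one step further: the user name is bound as a parameter, and the password is never part of the query at all; the stored hash is fetched and compared with password_verify(). It assumes a PDO connection in $dbh and a users table with a userid column (from the question) and a password_hash column (an assumption).

```php
<?php
// Added example, not part of the original answers.
// Assumes: table users(userid, password_hash) with password_hash produced by password_hash().

function connect(): PDO
{
    // Real server-side prepares and exceptions on error; DSN values are placeholders.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pw', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function authenticate(PDO $dbh, string $username, string $password): bool
{
    // Only the user name is a query parameter; the password stays in PHP.
    $stmt = $dbh->prepare('SELECT password_hash FROM users WHERE userid = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: run a dummy verify so timing does not reveal which names exist.
        password_verify($password, '$2y$10$invalidsaltinvalidsaltinvalidsaltinvalidsaltinvalid');
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$dbh = connect();
$ok  = authenticate($dbh, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $ok ? 'login ok' : 'login failed';
```

The dummy password_verify() call on the unknown-user path is optional; it keeps the response time similar for existing and non-existing user names.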

PHP Fetch All Data Only 1 No

I want to fetch all users except this user (id = 12). How do I do this?
$MyID = '12';
$sql_query = mysqli_query($Conn, "SELECT * FROM users WHERE country='$MyCountry'");
while ($fetch_data = mysqli_fetch_array($sql_query)) {
    $firstname = $fetch_data['firstname'];
    echo $firstname;
}
Well, in its simplest form:
$sql_query = mysqli_query($Conn, "SELECT * FROM users WHERE country='$MyCountry' and userid <> $MyID");
But this is inadvisable because your values are not being escaped properly. It is better to use prepared statements or mysqli_real_escape_string:
$stmt = $mysqli->prepare("SELECT * FROM users WHERE country = ? and userid <> ?");
$stmt->bind_param("si", $MyCountry, $MyID);   // 's' = string, 'i' = integer
$stmt->execute();
SELECT * FROM users WHERE userid != $MyID;
You can do it easily like that. Let's say your field is id = 12; then:
SELECT * FROM your_table WHERE id <> 12

PHP integer variable in mySQL query

I'm trying to input a PHP variable (in this case $beg) into a mySQL query but it returns an empty array result. The type of the field in the database is an integer. When I type in an actual value instead of the variable I get the correct result. What's wrong?
$beg = time()-5000;
settype($beg, "integer");
$result = mysql_query('SELECT * FROM records WHERE time>=$beg ORDER BY time ASC');
$statusdata = array();
while ($row = mysql_fetch_array($result)) {
    array_push($statusdata, $row["status"]);
}
Make sure you use double quotes when using $variables inside the string.
$result = mysql_query("SELECT * FROM records WHERE time>= $beg ORDER BY time ASC");
You should use prepared statements instead of mysql_query.
$beg = time()-5000;
settype($beg, "integer");
$db = new mysqli("host","user","pw","database");
$stmt = $db->prepare("SELECT status FROM records WHERE time>=? ORDER BY time ASC");
$stmt->bind_param('i', $beg);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($status);
$statusdata = array();
while ($stmt->fetch()) {
    array_push($statusdata, $status);
}
$stmt->close();
Change the line
$result = mysql_query("SELECT * FROM records WHERE time>=$beg ORDER BY time ASC");
You must use double-quoted strings to interpolate variables.
Change your query
$result = mysql_query(" SELECT * FROM records WHERE time >= $beg ORDER BY time ASC ");
You cannot use a variable inside single quotes.
Try this method, which I use a lot:
$beg = time() - 5000;
// %d formats the integer in decimal ('%o' would print it in octal and silently change the value)
$query = sprintf("SELECT * FROM %s WHERE time >= %d ORDER BY %s ASC", "records", $beg, "time");
$result = mysql_query($query);
Remember, time() returns an integer, so you don't need to cast it to an integer.
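Two details from the answers above deserve a concrete demonstration: sprintf's %o conversion is octal, not "ordinal" or "integer", so it quietly rewrites a timestamp, and an integer cast is what makes interpolating a value into an integer comparison safe, because a cast result can consist of nothing but digits and an optional sign. The following is an added example (not code from the original answers); it runs without a database and assumes only the records/time/status names from the question.

```php
<?php
// Added example, not part of the original answers. Pure PHP; no database required.

// Builds the query for an integer column. The int type hint plus %d guarantees that
// whatever ends up in the SQL text is a plain decimal number.
function build_records_query(int $beg): string
{
    return sprintf('SELECT status FROM records WHERE time >= %d ORDER BY time ASC', $beg);
}

// Normalises untrusted input for an integer column: reject anything that is not
// purely digits, then cast. Returns null for input that should not reach the query.
function parse_since(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

$beg = time() - 5000;

// %o renders the same integer in base 8; comparing it with a column of decimal
// timestamps silently selects the wrong rows.
printf("octal   : %o\n", $beg);
printf("decimal : %d\n", $beg);
echo build_records_query($beg), "\n";

// Constructed sample inputs (as a web request would deliver them via $_GET['since']).
foreach (['1700000000', '1700000000abc', '', "1 OR 1=1"] as $raw) {
    $since = parse_since($raw);
    echo str_pad(var_export($raw, true), 20), ' => ',
        $since === null ? 'rejected' : build_records_query($since), "\n";
}
```

Even with the cast in place, the mysqli prepared statement from the earlier answer (bind_param('i', $beg)) is the cleaner choice on PHP 7 and later, where the mysql_* functions no longer exist.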

MySQL query based on user input

I have a DB table. I want to make a text input where the user can input the "uid" and the query will return the row associated with that uid.
So let's say I have something like this:
$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);
echo $res["age"];
how would I modify that query to something like..
SELECT name, age
FROM people
WHERE uid = $_POST['blahblah'] LIMIT 0,1
Thanks in advance for your help!
In reality...
// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');
// Build query. Properly escape input data.
$query =
    "SELECT name,age " .
    "FROM people " .
    "WHERE uid = '" . mysql_real_escape_string($uid) . "' " .
    "LIMIT 0,1";
It's advisable to escape characters in the variable for security reasons. Take a look at this document for some of the reasons:
http://en.wikipedia.org/wiki/SQL_injection
To save from SQL injection attack, use:
$search_query = mysql_real_escape_string($_POST['blahblah']);
$query = "SELECT name, age FROM people WHERE uid = '".$search_query."' LIMIT 0 , 1";
There are so many ways to do the same thing.
But first escape it and store it in one variable:
$blahblah = mysql_real_escape_string($_POST['blahblah']);
And then there are:
First:
As #Mett Lo mentioned:
$query = "SELECT name,age FROM people WHERE uid = '" . $blahblah . "' LIMIT 0,1";
Second:
$query = "SELECT name,age FROM people WHERE uid = '{$blahblah}' LIMIT 0,1";
Third:
$query = "SELECT name,age FROM people WHERE uid = '$blahblah' LIMIT 0,1";
and if blahblah is an int value in the db table, then Fourth:
$query = "SELECT name,age FROM people WHERE uid = $blahblah LIMIT 0,1";
You may use the sprintf function to create the query.
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
    $_POST['blahblah']);
The rest will be the same. It is highly recommended that you escape the $_POST data before running the query to prevent SQL attacks. You may rephrase the query as follows:
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
    mysql_real_escape_string($_POST['blahblah']));
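All of the answers above rely on mysql_real_escape_string, which only protects a value that sits inside quotes and belongs to the mysql_* extension that was removed in PHP 7. The added example below (not code from the original answers) does the same uid lookup with PDO, binding both the uid and the LIMIT count as typed integer parameters so there is no escaping step to get wrong. It assumes a PDO connection in $dbh opened with PDO::ATTR_EMULATE_PREPARES set to false (needed for an integer LIMIT parameter) and that uid is an integer column, as the "Fourth" variant above presumes.

```php
<?php
// Added example, not part of the original answers.
// Assumes: $dbh is a PDO instance with ATTR_EMULATE_PREPARES => false and
//          ATTR_ERRMODE => ERRMODE_EXCEPTION; table people(uid INT, name, age).

function person_by_uid(PDO $dbh, int $uid): ?array
{
    // Named placeholders for both the value and the LIMIT count.
    // Binding LIMIT requires PDO::PARAM_INT and native (non-emulated) prepares.
    $stmt = $dbh->prepare('SELECT name, age FROM people WHERE uid = :uid LIMIT :n');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->bindValue(':n', 1, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Input validation happens before the database is involved: an integer column
// should only ever see an unsigned decimal string from the form.
$raw = $_POST['blahblah'] ?? '';
if (!ctype_digit($raw) || strlen($raw) > 18) {
    http_response_code(400);
    exit('uid must be a positive integer');
}

$res = person_by_uid($dbh, (int) $raw);
if ($res === null) {
    http_response_code(404);
    exit('no such person');
}
echo $res['age'];
```

The strlen guard keeps the cast inside the 64-bit integer range; without it a long digit string would overflow to a float and be cast to an unrelated value.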
