How to add ' ' to php variable in query - php

Hello, I have this simple query:
$query = "SELECT id FROM `client` where name= ".$user_name;
Now the query is printed
select id from client where name = Bob;
when in fact it should be
select id from client where name = 'Bob';
How can I add single quotes in the PHP variable?

I warned you, and if you are fine with SQL injection then just try this:
$query = "SELECT id FROM `client` where name= '".$user_name."'";

Related

PHP and mysql query with a dynamic variable

I am trying to get a value from database using the code below. I want to save the value in the variable category so I can give this as parameter to a function. The id is dynamically given. Is the code below correct? because when trying this nothing works...
$thecategory = mysql_query("SELECT TYPE FROM lists WHERE id =" . this.id);
The use of '$id' provides a little security against SQL injection:
$thecategory = mysql_query("SELECT `TYPE` FROM `lists` WHERE `id` ='$id'");
$associate = mysql_fetch_assoc($thecategory);
$TYPE = $associate['TYPE'];
Use mysql_result:
$thecategory = mysql_query("SELECT TYPE FROM lists WHERE id =" . $id); // changed $id
$type = mysql_result($thecategory, 0);
I suggest that you use PDO instead of mysql_* functions, they are deprecated.
Try:
$thecategory = mysql_query("SELECT TYPE FROM lists WHERE id =" . $this->id);

MySql query on different input fields where some of them are NULL

Hello, I have 3 fields on an input form which are set via the POST method to external PHP:
$id=$_POST['id'];
$nombre=$_POST['nombre'];
$cedula=$_POST['cedula'];
where I would like to make a search option depending on which field have data inside it or if a user put data in all 3 or in only 2 fields to search from the input fields which are not NULL fields in the same table where there is a result.
My SQL query is something like this:
$sql = "SELECT * FROM users WHERE userID = $id AND nombre = $nombre AND cedula = $cedula) ";
Obviously this is not working. What should I do to make it work? Do I need to change only the query, or do I need to put something before it to check first what is not NULL? Thanks
Firstly, your SQL statement should be updated to have enclosed ' (commas) around string values.
So, modify it to:
$sql = "SELECT * FROM users WHERE userID = '$id' AND nombre = '$nombre' AND pass = '$pass'";
// ----------------------------------------^---^--------------^-------^------------^-----^
The second thing is that you should search a field only when it has a value; otherwise, it is of no use.
So, your modified PHP code should be:
$sql = "SELECT * FROM users WHERE 1 ";
if (!empty($id)) {
    $sql .= " AND userID = '$id' ";
}
if (!empty($nombre)) {
    $sql .= " AND nombre= '$nombre' ";
}
if (!empty($pass)) {
    $sql .= " AND pass= '$pass' ";
}
And your Database will be searched for the fields only if they have data filled in the form.
Try to add quote:
$sql = "SELECT * FROM users WHERE userID = ".$id." AND nombre = ".$nombre." AND pass = '".$pass."' ";
Yes, you will need to put a check before which will ignore the fields which are null.
Also, you would need to put the $variable inside single quotes ' if they are VARCHAR or CHAR types.

How to make query that ignores undefined variables?

How do I make a MySQL search defined just by what the user has written in the HTML form, so that if some form box is left empty, MySQL ignores it? For example:
$sql = "SELECT * FROM catalog WHERE name= '".$name."' AND publisher = '".$publisher."' ";
mysql_query($sql);
This query will display all rows where name and publisher are together. Now, what if the user inserts just the name and leaves the publisher box empty? The idea is that PHP/MySQL ignores the empty form box and displays every row with the inserted name. But it will not do that, because $publisher will be undefined and an error emerges. How do I tell MySQL to ignore $publisher? More generally, the question is: how do I generate a query that searches by certain criteria if they exist, and just ignores them if they don't?
You can build up the sql programmatically. I am assuming you have escaped the values properly.
$sql = "SELECT * FROM catalog";
$wheres = array();
if (!empty($name)) {
    $wheres[] = " name = '$name'";
}
if (!empty($publisher)) {
    $wheres[] = " publisher = '$publisher'";
}
if (count($wheres)) {
    $sql .= " WHERE " . implode (' AND ', $wheres);
}
//RUN SQL
Also have a read through this, you are using a deprecated mysql library.
This will allow either the name or the publisher to be NULL.
<?php
$sql = "SELECT * FROM catalog WHERE (name= '".$name."' OR name IS NULL) AND (publisher = '".$publisher."' OR publisher IS NULL)";
mysql_query($sql);
Try like
$my_var = " ";
if($publisher) //if(!empty($publisher))
    $my_var = " AND publisher = '".$publisher."' ";
$sql = "SELECT * FROM catalog WHERE name= '".$name."' ".$my_var;
If the publisher is empty then you need to pass the NULL value, and please note that it is a bad practice. It will cause many SQL injection issues. Try to put validations in place for these things.
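An added example, not taken from any of the posts above: the optional-filter query from this thread and from the three-field search thread earlier on the page, built with PDO bound parameters so that values never need quoting or escaping. It assumes PDO with the SQLite driver; the in-memory table, the sample rows and the function name searchCatalog are constructed for illustration.

```php
<?php
// Added example: optional search filters as bound parameters (PDO).
// The in-memory SQLite table and its rows are constructed so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE catalog (id INTEGER PRIMARY KEY, name TEXT, publisher TEXT)");
$pdo->exec("INSERT INTO catalog (name, publisher) VALUES
    ('Dune', 'Ace'), ('Emma', 'Penguin'), ('O''Hara Stories', 'Ace')");

/**
 * Search catalog using only the filters that were actually filled in.
 * Column names come from a fixed allowlist; values never enter the SQL text.
 * searchCatalog is a hypothetical name, not from the original posts.
 */
function searchCatalog(PDO $pdo, array $input): array
{
    $allowed = ['name', 'publisher'];   // columns a caller may filter on
    $wheres = [];
    $params = [];
    foreach ($allowed as $column) {
        // Ignore missing keys and non-string input such as name[]=...
        $value = (isset($input[$column]) && is_string($input[$column]))
            ? trim($input[$column]) : '';
        if ($value === '') {
            continue;                   // empty form box: no condition for it
        }
        $wheres[] = "$column = :$column";
        $params[":$column"] = $value;
    }
    $sql = 'SELECT id, name, publisher FROM catalog';
    if ($wheres) {
        $sql .= ' WHERE ' . implode(' AND ', $wheres);
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Only the publisher box filled in.
print_r(searchCatalog($pdo, ['name' => '', 'publisher' => 'Ace']));
// A value that contains a single quote.
print_r(searchCatalog($pdo, ['name' => "O'Hara Stories"]));
// A value shaped like SQL is bound as an ordinary string, not parsed as SQL.
print_r(searchCatalog($pdo, ['name' => "x' OR '1'='1"]));
```

The comparison against '' rather than empty() keeps a legitimate value of "0" as a filter.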

data not getting fetched

I am using this code for fetching data from the database. I am getting $data fetched properly, but I am not getting data properly in the variable $seldata. Why is that?
<?php
include_once("includes/connection.php");
include_once("includes/session.php");
//echo $_SESSION['uid'];
$sql="SELECT * FROM employee WHERE eid = '{$_GET['id']}'";
$result=mysql_query($sql);
$data=mysql_fetch_array($result);
echo "data".$data;
$sel_valsql="select * FROM selected_candidate WHERE eid = '{$_GET['id']}'";
$sresult=mysql_query($sel_valsql);
$seldata=mysql_fetch_array($sresult);
echo "seledata".$seldata;
?>
<?php
include_once("includes/connection.php");
include_once("includes/session.php");
//echo $_SESSION['uid'];
$sql="SELECT * FROM employee WHERE eid = '".$_GET['id']."'";
$result=mysql_query($sql);
$data=mysql_fetch_array($result);
echo "data".$data;
$sel_valsql="select * FROM selected_candidate WHERE eid = '".$_GET['id']."'";
$sresult=mysql_query($sel_valsql);
$seldata=mysql_fetch_array($sresult);
echo "seledata".$seldata;
?>
Note: mysql_fetch_array() returns an array of results so you need to do print_r($seldata) in order to view the results.
try this,
$sql = "SELECT * FROM employee WHERE eid = '" . $_GET['id'] . "'";
As a sidenote, the query is vulnerable to SQL injection if the value(s) came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
Remove the single quote from the where condition i.e.
$sql="SELECT * FROM employee WHERE eid = {$_GET['id']}";
or do like this:
$sql = "SELECT * FROM employee WHERE eid = '" . $_GET['id'] . "'";

Using Update Query to Copy Column Data

I need to copy the value in a column named TEAM from one row into another row. Both rows need to have the same team name. This is my query that doesn't work:
$query = "UPDATE profiles SET team = (SELECT team FROM profiles WHERE id = '$coach_id') WHERE id = '$player_id'";
I have tried removing single quotes, removing "FROM profiles", changing value to table.value, tried to give a newdata.clan alias, and I have even tried changing the values to integers instead of parameters. Nothing works, and this is what I get:
Error: You have an error in your SQL
syntax; check the manual that
corresponds to your MySQL server
version for the right syntax to use
near 'WHERE id = '') WHERE id = ''' at
line 3
$query1 = "SELECT team FROM profiles WHERE id = '$coach_id'";
/* get the value of the first query and assign it to a variable like $team_name */
$query2 = "UPDATE profiles SET team = '$team_name' WHERE id = '$player_id'";
Also, you should surround your PHP variables in curly braces:
$query = "UPDATE profiles SET team = \"(SELECT team FROM profiles WHERE id = '{$coach_id}')\" WHERE id = '{$player_id}'";
From the MySQL manual:
"Currently, you cannot update a table
and select from the same table in a
subquery."
Source: http://dev.mysql.com/doc/refman/5.0/en/update.html
Use the method that FinalForm wrote:
<?php
$coach_id = 2;
$player_id = 1;
$query1 = "SELECT team FROM profiles WHERE id = '$coach_id'";
$rs = mysql_query($query1);
if ($row = mysql_fetch_array($rs)) {
    $team_name = $row['team'];
    $query2 = "UPDATE profiles SET team = '$team_name' WHERE id = '$player_id'";
    mysql_query($query2);
    // Done, updated if there is an id = 1
} else {
    // No id with id = 2
}
?>
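An added example, not code from any of the posts above: the same two-step copy done with PDO prepared statements inside a transaction. The error text quoted in the question shows both ids reaching the query as empty strings, so the ids are validated before any SQL runs. It assumes PDO with the SQLite driver; the table contents and the function name copyTeam are constructed for illustration.

```php
<?php
// Added example: copy one row's team to another row with bound parameters.
// The in-memory SQLite table and its rows are constructed so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE profiles (id INTEGER PRIMARY KEY, team TEXT)");
$pdo->exec("INSERT INTO profiles (id, team) VALUES (1, NULL), (2, 'Falcons')");

/**
 * Copy the coach's team to the player. Returns the number of rows the
 * driver reports as affected. copyTeam is a hypothetical name.
 */
function copyTeam(PDO $pdo, $coachId, $playerId): int
{
    // Reject missing, empty or non-numeric ids before any SQL is run.
    $coachId  = filter_var($coachId, FILTER_VALIDATE_INT);
    $playerId = filter_var($playerId, FILTER_VALIDATE_INT);
    if ($coachId === false || $playerId === false) {
        throw new InvalidArgumentException('coach and player ids must be integers');
    }
    $pdo->beginTransaction();
    try {
        $select = $pdo->prepare('SELECT team FROM profiles WHERE id = :id');
        $select->execute([':id' => $coachId]);
        $team = $select->fetchColumn();
        if ($team === false) {          // no row for that coach id
            $pdo->rollBack();
            return 0;
        }
        $update = $pdo->prepare('UPDATE profiles SET team = :team WHERE id = :id');
        $update->execute([':team' => $team, ':id' => $playerId]);
        $pdo->commit();
        return $update->rowCount();
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();           // leave the table untouched on any failure
        }
        throw $e;
    }
}

var_dump(copyTeam($pdo, 2, 1));
```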
