This question already has answers here:
MySQL query finding values in a comma separated string
(11 answers)
Closed 2 years ago.
I have a simple comma separated string like so:
$thisusersfavorites = "12,13,34,65,11";
I have a simple query like so:
"SELECT * FROM recipes WHERE id = '$thisusersfavorites' ORDER BY name ASC";
But the result is only yielding the first ID result, not the rest.
In MySQL, you can use handy string function find_in_set() to search for a value within a comma-separated string:
select * from recipes where find_in_set(id, ?) order by name
Note that I rewrote your statement as a parameterized query rather than munging values inside the query string. You do want to use these to make your code more efficient and safer.
Also, please keep in mind that this is rather inefficient way to proceed. It would be far beter to split your list into individual values, and to use in:
where id in (12, 13, 34, 65, 11)
As a parameterized query:
where id in (?, ?, ?, ?, ?)
Related
This question already has answers here:
Can you omit PDO prepare if there's no placeholder/dynamic data in a query?
(3 answers)
Closed 4 years ago.
$sql = "select col1, col2, col3 from t1 order by date desc limit 500"
There is no place for binding anything, so do I need (and how) to make a prepared statement?
Another example:
$sql = "select col1 from t1 where col1 = 'val1' order by date desc"
If this code is placed before html output (while loading the page, without any user input values), do I need the prepared statement?
I suppose sql injection is not possible if there is no yet any interaction with users.
You don't need prepared statements if the query isn't expecting user supplied arguments.
This question already has answers here:
Query with multiple values in a column
(4 answers)
MySQL search in comma list [duplicate]
(5 answers)
Closed 7 years ago.
I'm wanting to create a sql select statement that will grab rows if a given value is in a comma separated list in one of the columns of the database table.
Example Table...
id | courses
1 | 5, 8, 15, 19
I want to do something like this
$course_num = 5;
$sql = "SELECT * FROM courses WHERE $course_num IS IN courses";
1.) I don't think the "IS IN courses" part is legit. How can I do this?
2.) For my code above, I would want to return the row because of the "5" in courses, not because of the "15". So, if $course_num = 9 no rows should be returned.
Thanks for your help.
By adding comma in searched occurrence
SELECT *
FROM courses
WHERE concat(', ',course,',') like '%, 5,%'
This question already has answers here:
How can I search within a table of comma-separated values?
(6 answers)
Closed 8 years ago.
For example, when a table has a record column named 'product' that contain value such as: 'Laptop, Desktop, Case'. How can I validate these 3 values that break down with a comma against two PHP variables value with $var1='Laptop' and $var2='Desktop' ? So that this row can be found! However, the two variables could be passed in the order of 'Desktop', 'Laptop' as well. Meanwhile, the column could have pattern of 'Case, Desktop, Laptop'. I wonder if there is a solution in MySQL for this kind of scenario that somehow, pick up each element like PHP could and match them with each var individually.
Without knowing anything about your table structure this is a quick example of what you can do.
SELECT * FROM table WHERE $var1 IN (SELECT product FROM table WHERE something = somethingelse) AND $var2 IN (SELECT product FROM table WHERE something = somethingelse)
As I understood, you want the data to be found, if the column 'product' contains 'Laptop' or 'Desktop'. Write this with the LIKE operator in your query:
"SELECT * FROM table WHERE `product` LIKE '%Desktop%' OR `product` LIKE '%Laptop%'"
If you pass the variables it would be:
"SELECT * FROM table WHERE `product` LIKE '%$var1%' OR `product` LIKE '%$var2%'"
Make sure to use the % sign before and after the searched string, so that it will match even if the keyword is anwhere inside the product content.
I'm trying to make a prepared query that can be used to select any number of users, and also filter them from a basic search functionality.
It looks like this:
$ALL_MEMBERS = $database->prepare("SELECT * FROM Users WHERE Username LIKE '%?%' LIMIT ?, ?")
But PDO doesn't seem to be picking up that first '?' inbetween the '%'s. Any idea why?
(It gives me an error when I give 3 parameters, saying there's the wrong amount, whereas it doesn't when giving two parameters)
You are likely confusing PDO there with the quotes and percentages, it is looking for a ? mark. Write it as:
$database->prepare("SELECT * FROM Users WHERE Username LIKE ? LIMIT ?, ?");
And then have the first variable as:
$database->execute(array('%'.$A.'%',$B,$C));
I believe you need to do this:
$ALL_MEMBERS = $database->prepare("SELECT * FROM Users WHERE Username LIKE ? LIMIT ?, ?")
PDO should already wrap strings for you.
I Have an array of different ids, I want to iterate this array and use these ids to be compared with a single field in DB Table
Example
classid{
0=>1,
1=>2
}
and I have table as
id name
1 myname
2 ur name
3 everyonename
Now how can i retrieve the values for both id=1 and id = 2 in just a Select query?
The query you want is:
SELECT * FROM table WHERE id IN (1,2)
To create this from PHP, you would use something like
$classid = array(1, 2);
$sql = sprintf('SELECT * FROM table WHERE id IN (%s)',
implode(',', $classid));
You should be ultra careful to prevent SQL injections if the values in $classid are coming from an external source! Normally this is achieved with prepared statements and bound parameters, but in this case (where you want to use IN) this is not possible AFAIK.
Therefore you should sanitize the values yourself, using something like
// This will convert all the values in the array to integers,
// which is more than enough to prevent SQL injections.
$classid = array_map('intval', $classid);
Read more about protecting yourself from SQL injection.