Use Variable In PHP Query - php

I need to execute this query in my PHP code. My issue is that I have never run a query that uses a variable as part of it. This is my code; I do not get any results returned or an error. Where did I mess up?
$userID = getFields('users', JFactory::getUser(), true);
$db->setQuery("SELECT rep_id, inventory_id, value
FROM #data
WHERE inventory_id_id = 1
AND rep_id = " $userID ");
$results = $db->loadObjectList();

You use a period to concatenate strings in PHP.
$db->setQuery("SELECT rep_id, inventory_id, value
FROM #data
WHERE inventory_id_id = 1
AND rep_id = " . $userID);
Also, please note that your code is open to SQL Injection Attacks. I'd highly recommend switching to Prepared Statements.

Related

How to add string value to cell in SQL using php?

I am trying to update a varchar cell in the SQL users table. Now the value of groups_id is 3 and $last_id = 4. I want to change it to 3, 4. Could you please tell me what I am doing wrong?
With this code the value remains the same
$sql = "UPDATE registration.users SET groups_id = groups_id+', $last_id' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
Your SQL query is wrong; you are not concatenating the variables properly. Try doing it this way, I think it should help you:
$val = $groups_id . ", " . $last_id;
$sql = "UPDATE registration.users SET `groups_id` = '$val' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
There is a syntax fault in your $sql string, as you use +', $last_id'. If you want to append in PHP, you can use . in string context.
Also, I'm pretty sure you can leave the '' off the variables, so '$last_id' will become $last_id.
But more important is that you do not check for any security issues. I hope $user_name and $last_id are not just taken from the input, as SQL injections are possible.
I recommend you look at mysqli_prepare and mysqli_bind.

Using PHP variable in SQL query

I'm having some trouble using a variable declared in PHP with an SQL query. I have used the resources at How to include a PHP variable inside a MySQL insert statement but have had no luck with them. I realize this is prone to SQL injection and if someone wants to show me how to protect against that, I will gladly implement that. (I think by using mysql_real_escape_string but that may be deprecated?)
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'hospital_name' AND value = '$q'";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried switching '$q' with $q and that doesn't work. If I substitute the hospital name directly into the query, the SQL query and PHP output code works so I know that's not the problem unless for some reason it uses different logic with a variable when connecting to the database and executing the query.
Thank you in advance.
Edit: I'll go ahead and post more of my actual code instead of just the problem areas since unfortunately none of the answers provided have worked. I am trying to print out a "Case ID" that is the primary key tied to a patient. I am using a REDCap clinical database and their table structure is a little different than normal relational databases. My code is as follows:
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'case_id' AND record in (SELECT distinct record FROM database.table WHERE field_name = 'hospital_name' AND value = '$q')";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried substituting $q with '$q' and '".$q."' and none of those print out the case_id that I need. I also tried using the mysqli_stmt_* functions but they printed nothing but blank as well. Our server uses PHP version 5.3.3 if that is helpful.
Thanks again.
Do it like so
<?php
$q = 'mercy_west';
$query = "SELECT col1,col2,col3,col4 FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
if($stmt = $db->prepare($query)){ // prepare(), not query(): query() runs the SQL immediately and returns nothing you can bind to
$stmt->bind_param("s",$q); // s is for string, i for integer; the number of these must match the ? marks in the query, and so must the number of variables you bind ($q here)
$stmt->execute();
$stmt->bind_result($col1,$col2,$col3,$col4); // these bind what you're selecting: select 4 columns, bind 4 variables, in order. select id,name -> bind_result($id,$name)
$stmt->store_result();
while($stmt->fetch()){ // fetch the results
echo $col1;
}
$stmt->close();
}
?>
Yes, mysql_real_escape_string() is deprecated.
One solution, as hinted by answers like this one in that post you included a link to, is to use prepared statements. MySQLi and PDO both support binding parameters with prepared statements.
To continue using the mysqli_* functions, use:
mysqli_prepare() to get a prepared statement
mysqli_stmt_bind_param() to bind the parameter (e.g. for the WHERE condition value='$q')
mysqli_stmt_execute() to execute the statement
mysqli_stmt_bind_result() to send the output to a variable.
<?php
$q = 'Hospital_Name';
$query = "SELECT value FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
$statement = mysqli_prepare($conn, $query);
//Bind parameter for $q; substituted for first ? in $query
//first parameter: 's' -> string
mysqli_stmt_bind_param($statement, 's', $q);
//execute the statement
mysqli_stmt_execute($statement);
//bind an output variable
mysqli_stmt_bind_result($statement, $value); // same statement handle as above, not an undefined $stmt
while ( mysqli_stmt_fetch($statement)) {
echo $value; //print the value from each returned row
}
If you consider using PDO, look at bindParam(). You will need to determine the parameters for the PDO constructor, but then you can use it to get prepared statements with the prepare() method.

When should I use prepared statements exactly?

I want to know, can I just use prepared statements one time?
Here is my script:
$stm = $db->prepare("UPDATE
qanda AS ans1
JOIN qanda AS ans2 ON ans2.related = ans1.related
JOIN qanda AS ques ON ans2.related = ques.id
SET ans1.acceptedanswer = 1,
ans1.aadate = IF( ans1.id <> ?, ans1.aadate, ?)
WHERE ques.author_id = ? AND ans2.author_id = ?
");
$stm->execute(array($answer_id, time(), $_SESSION["Id"], $author_id));
$done = $stm->rowCount();
if ($done){
/* I don't use prepared statement here */
$stm1 = $db->prepare("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
$stm1->execute();
}
As you can see, I didn't use a prepared statement for the second query, because I did it for the first query, and if the first query works then I'm sure the arguments are valid and don't need to bind them with a prepared statement.
Please don't ask me why I don't want to use prepared statements for the second query, because the reason is too long.
So what I'm doing is correct? Isn't there any security problem?
The straight answer is: yes, you can.
The reason why is actually up to you, since it's good practice anyway to use prepared statements whenever you pass values.
Also consider that, if you are not binding any parameter, it makes more sense to use the query() method, just to be explicit on the fact that you are not going to bind anything. So your second query would be
$stm1 = $db->query("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
(see http://php.net/manual/en/pdo.query.php)
instead of
$stm1 = $db->prepare("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
$stm1->execute();
Moreover, you mentioned a dynamic query, but that is not the case in your sample code. Anyway, I will give you an example of how to use prepared statements also on dynamically generated queries.
It's a silly example, but it should be enough to give you an idea.
Assume we have some values to update: 'email', 'date_of_birth' and 'website'. Let's say we want to do some checks on this data before inserting it. I'll pretend we have a valid() function already in place.
$dynamic_sql = array();
$parameters = array();
$parameters[':date_of_birth'] = $date_of_birth;
$parameters[':user_id'] = $user_id; // the WHERE placeholder needs a value too
if(valid($email)) {
$dynamic_sql['email_sql'] = "email = :email";
$parameters[':email'] = $email;
}
if(valid($website)) {
$dynamic_sql['website_sql'] = "website = :website";
$parameters[':website'] = $website;
}
if(count($dynamic_sql)>0) {
$dynamic_sql = ', '.implode(', ', $dynamic_sql); // extra SET fragments, comma-separated, appended after date_of_birth
} else {
$dynamic_sql = ''; // nothing extra to set; interpolating the empty array would yield the string "Array"
}
$query = "UPDATE user
SET date_of_birth = :date_of_birth $dynamic_sql
WHERE
user_id = :user_id";
$stm = $db->prepare($query);
$stm->execute($parameters);
This kind of approach will allow you to keep using prepared statement also with dynamically generated SQL.
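The same pattern carried a step further, as an added example that is not part of the answer above: the SET list is assembled only from an allow-list of column names (so no column name ever comes from the request), each value goes through a named placeholder, and the "nothing valid to update" case is handled instead of emitting a broken query. It runs against an in-memory SQLite database through PDO (assumption: the pdo_sqlite extension is loaded) rather than the MySQL server used in the thread; the table and column names follow the answer, and the validators stand in for its hypothetical valid() function.

```php
<?php
// Added example: dynamic UPDATE built from an allow-list, values bound by name.
// Uses in-memory SQLite via PDO in place of MySQL (assumption: pdo_sqlite available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, email TEXT, date_of_birth TEXT, website TEXT, rep INTEGER DEFAULT 0)');
$db->exec("INSERT INTO user (user_id, email, date_of_birth, website) VALUES (7, 'old@example.com', '1990-01-01', NULL)");

// Columns a caller may update. Keys are the column names spliced into the SQL;
// values are the validator for that column (stand-ins for the answer's valid()).
$allowed = array(
    'email'         => function ($v) { return filter_var($v, FILTER_VALIDATE_EMAIL) !== false; },
    'date_of_birth' => function ($v) { return (bool) preg_match('/^\d{4}-\d{2}-\d{2}$/', $v); },
    'website'       => function ($v) { return filter_var($v, FILTER_VALIDATE_URL) !== false; },
);

// Constructed input, shaped like a decoded form or JSON body. 'rep' is not in the
// allow-list and the website fails validation, so neither reaches the query.
$input = array(
    'email'   => 'new@example.com',
    'website' => 'not a url',
    'rep'     => 9999,
);

// Returns array('sql' => ..., 'params' => ...) or null when there is nothing to update.
function buildUpdate(array $allowed, array $input, $userId)
{
    $set = array();
    $params = array(':user_id' => $userId);
    foreach ($allowed as $column => $isValid) {
        if (!array_key_exists($column, $input) || !$isValid($input[$column])) {
            continue;
        }
        // $column comes from $allowed, never from $input, so it may appear in the SQL
        // text; the value itself travels only through the placeholder.
        $set[] = "$column = :$column";
        $params[":$column"] = $input[$column];
    }
    if (!$set) {
        return null; // avoid emitting "UPDATE user SET  WHERE ...", which is a syntax error
    }
    return array(
        'sql'    => 'UPDATE user SET ' . implode(', ', $set) . ' WHERE user_id = :user_id',
        'params' => $params,
    );
}

$update = buildUpdate($allowed, $input, 7);
if ($update !== null) {
    echo $update['sql'], "\n";
    $stm = $db->prepare($update['sql']);
    $stm->execute($update['params']);
    echo 'rows updated: ', $stm->rowCount(), "\n";
}

$row = $db->query('SELECT email, website, rep FROM user WHERE user_id = 7')->fetch(PDO::FETCH_ASSOC);
print_r($row);
```

With the constructed input only the email column survives the allow-list and validation, so the generated statement sets just that column; the website and rep values in the request are discarded rather than interpolated. The check for an empty SET list matters in practice: the answer's own version interpolates an empty array when nothing validates, which PHP renders as the literal string "Array".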

PDO query not displaying results?

Okay, so I am new to PDO statements, so I am unsure if I have made a syntax error or whatnot. The PHP file does not show any errors:
<?php
include('db_config.php');
$itemName = 'Item1';
$sql = "SELECT * FROM order WHERE itemName = $itemName;";
$stmt = $conn->prepare($sql);
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
echo $row['itemName'];
}
?>
My objective is to pull an item using Bootstrap's datepicker, but for the purpose of this test I am using the itemName.
The PHP file comes up blank.
I have checked the field names and db_config, and am unsure where the issue is coming from.
Please let me know if I have made an error in my statement or anything else that seems wrong.
Firstly, you're using a MySQL reserved word, being order and it requires special attention; mainly using ticks around it.
Then since we're dealing with a string, $itemName needs to be wrapped in quotes.
<?php
include('db_config.php');
$itemName = 'Item1';
$sql = "SELECT * FROM `order` WHERE itemName = '$itemName';";
$stmt = $conn->prepare($sql);
$stmt->execute();
while ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
echo $row['itemName'];
}
?>
Either use ticks around your table name, or rename it to "orders"; that is not a reserved keyword.
"The php file does not show any errors:"
That's because you're not checking for them.
Add $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); right after the connection is opened.
Now, if you're going to use PDO, use PDO with prepared statements, they're much safer.
As per a comment you left under your question containing the MySQL error:
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order
Read it: "near 'order". It starts at "order".
Now, if your query should ever contain any character that MySQL will complain about, such as a quote, then you will need to escape your query and use prepared statements.
For example, if using:
$itemName = "Timmy's Sour Dough";
would translate to
WHERE itemName = 'Timmy's Sour Dough'
in turn throwing a syntax error.
So, it's best to immediately escape any data right away.
Edit
Your use of prepare() and being new to PDO together suggest that you are already trying to use prepared statements, just not the right way. You're just a little off from a well prepared statement. One correct way in your code would be
$sql = "SELECT * FROM `order` WHERE itemName = ? ";
$stmt = $conn->prepare($sql);
$stmt->execute(array($itemName));
Notice how we have a ? in your query then we are sending a value for it in your execute call. There you go :)
Using PDO with prepared statements will take care of that.
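To make the point above concrete, here is an added example (not code from the question or the answer): it seeds a table with the "Timmy's Sour Dough" value from the answer, shows the interpolated query failing on the embedded quote, and then runs the placeholder version against the same data. It uses an in-memory SQLite database through PDO (assumption: the pdo_sqlite extension is loaded) instead of MySQL; SQLite accepts the backtick quoting around `order` for MySQL compatibility, and `order` is reserved there as well.

```php
<?php
// Added example: interpolated value vs. bound placeholder, on the same row.
// Uses in-memory SQLite via PDO in place of MySQL (assumption: pdo_sqlite available).
$conn = new PDO('sqlite::memory:');
// Without this, a failed query() returns false silently, which is why the
// original script "showed no errors" while printing nothing.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$conn->exec('CREATE TABLE `order` (id INTEGER PRIMARY KEY, itemName TEXT NOT NULL)');
$seed = $conn->prepare('INSERT INTO `order` (itemName) VALUES (?)');
foreach (array('Item1', "Timmy's Sour Dough") as $name) {
    $seed->execute(array($name));
}

// Constructed input: the single quote is exactly what breaks string interpolation.
$itemName = "Timmy's Sour Dough";

// 1. Interpolation: the quote in the value terminates the SQL string literal early,
//    so the rest of the name is parsed as SQL and the statement is rejected.
try {
    $sql = "SELECT * FROM `order` WHERE itemName = '$itemName'";
    $conn->query($sql);
    echo "interpolated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'interpolated query failed: ', $e->getMessage(), "\n";
}

// 2. Placeholder: the value never becomes part of the SQL text, so the quote is
//    just data and the row is found.
function findByItemName(PDO $conn, $itemName)
{
    $stmt = $conn->prepare('SELECT id, itemName FROM `order` WHERE itemName = ?');
    $stmt->execute(array($itemName));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (findByItemName($conn, $itemName) as $row) {
    echo $row['id'], ': ', $row['itemName'], "\n";
}
```

The first block reaches the catch branch; the second returns the seeded row. Note that the error mode attribute does double duty: it is what turns the silent blank page from the question into a visible exception, and it is set once, right after the connection is opened, as the answer recommends.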
You're completely ignoring the main reason people use PDO. Prepared statements are what you should be using, which would make your query look like this:
$itemName = 'Item1';
$sql = "SELECT * FROM `order` WHERE itemName = ?"; // ticks needed: order is a reserved word
$stmt = $conn->prepare($sql);
$stmt->bindParam(1, $itemName, PDO::PARAM_STR); // bind $itemName (the variable defined above) to the first ?
$stmt->execute();
Read up on bindParam().
In future, turn on your error reporting at the beginning of the script with this:
ini_set('display_errors', 1);
error_reporting(E_ALL);
That will save you a lot of time.
Looks like there is an error in your SQL statement. Since itemName is either a varchar or text in your database, you need to put it in single quotes in the query:
$sql = "SELECT * FROM `order` WHERE itemName = '$itemName';";

Parameterised IN Clause in prepared statement using MySql,PHP and ADODB

I am writing some SQL and using AdoDb to connect to my database and run the queries and so on. I am using parametrized queries and have run into a snag.
Is there a way to pass an array of values to an IN clause in AdoDb/MySQL for parametrization?
My problem is that if I pass a prepared string as the parameter i.e. 'test','test2','test3' it does not work as the library or database auto escapes it and adds external quotes at the start and end so all the internal quotes are then auto escaped thus the query returns nothing as it looks for '\'test\',\'test2\',\'test3\'' as opposed to what I fed it.
UPDATED WITH ANOTHER POSSIBLE METHOD TO ACCOMPLISH THIS
<?php
$in_clause = implode(",", $first_names);
$query = "
SELECT
mytable_id_pk
FROM
mytable
WHERE
FIND_IN_SET(mytable_fname, " . $DB->Param('first_names') . ")";
$stmt = $DB->Prepare($query);
$result = $DB->Execute($stmt,array($in_clause));
?>
I would do it this way (as I was googling for a while and google came up with nothing useful):
$count = count($first_names);
$in_params = trim(str_repeat('?, ', $count), ', ');
$query = "
SELECT
mytable_id_pk
FROM
mytable
WHERE
mytable_fname IN ({$in_params});";
$stmt = $DB->Prepare($query);
$result = $DB->Execute($stmt, $first_names);
This should do it...
First a few tips:
Please read the AdoDB documentation on prepared statements carefully.
Never include ; in SQL query strings.
You can try something like this:
$question_marks = substr(str_repeat('?,', count($first_names)), 0, -1);
$query = "SELECT mytable_id_pk FROM mytable WHERE mytable_fname IN (" . $question_marks . ")";
$stmt = $DB->Prepare($query);
$result = $DB->Execute($stmt,$first_names);
WARNING: I haven't tested this (not having a mySQL installation here).
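The generated-placeholder approach from both answers, as an added example that is not part of the original thread, written against PDO (assumption: in-memory SQLite via the pdo_sqlite extension, standing in for ADODB and MySQL) so it can be run offline. It adds the edge case the answers leave out: an empty array, for which IN () is a syntax error, and it includes a value with an embedded quote to show that per-value binding avoids the double-quoting problem described in the question.

```php
<?php
// Added example: parameterised IN clause with one placeholder per value.
// Uses in-memory SQLite via PDO in place of ADODB/MySQL (assumption: pdo_sqlite available).
$DB = new PDO('sqlite::memory:');
$DB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DB->exec('CREATE TABLE mytable (mytable_id_pk INTEGER PRIMARY KEY, mytable_fname TEXT)');
$seed = $DB->prepare('INSERT INTO mytable (mytable_fname) VALUES (?)');
// Constructed rows; the quote in O'Brien is the kind of character that breaks
// a pre-quoted "'test','test2'" string when it is bound as one parameter.
foreach (array('test', "O'Brien", 'test3', 'other') as $name) {
    $seed->execute(array($name));
}

// Returns the ids whose first name is in $first_names. Each name is bound
// separately, so quotes inside a name are data rather than SQL.
function idsForFirstNames(PDO $DB, array $first_names)
{
    if (count($first_names) === 0) {
        return array(); // "IN ()" is invalid SQL, and an empty list cannot match anything
    }
    $placeholders = implode(', ', array_fill(0, count($first_names), '?'));
    $sql = "SELECT mytable_id_pk FROM mytable WHERE mytable_fname IN ($placeholders) ORDER BY mytable_id_pk";
    $stmt = $DB->prepare($sql);
    $stmt->execute(array_values($first_names)); // positional binding needs a 0-based list
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

print_r(idsForFirstNames($DB, array('test', "O'Brien", 'test3')));
print_r(idsForFirstNames($DB, array()));
```

The first call matches the three seeded names, the second returns an empty array without touching the database. The array_values() call is deliberate: if the caller's array has string keys or gaps, PDO's positional binding would otherwise miss parameters.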
