I am preparing a statement in php using the postgres extension.
Then I try to fetch the result as an object using pg_fetch_object.
No rows returned, from the prepared statement but it should.
I also get the following warning:
Warning: pg_prepare(): Query failed: ERROR: prepared statement "parking" already exists in C:\xampp\htdocs\map\MapMarkers.php on line 33
$devices_query = pg_query($conn, "SELECT applications.name category, devices.* FROM app_as.application applications, app_as.device devices WHERE applications.id = devices.application_id");
//variables are bound in the loop
$parking_pst = pg_prepare($conn, "parking", "SELECT distinct on (name) name,application_name,longitude,latitude,parking_car_status status,received_at FROM V_DEVICE_PARKING WHERE name = $1");
while ($devices = pg_fetch_object($devices_query)) {
pg_execute($conn, "parking",[$devices->name]);
while ($parking = pg_fetch_object($parking_pst)) {
$devices->parking_car_status = $parking->parking_car_status;
}
$data['DEVICES'][] = $devices;
}
You're getting this error/warning because you are calling pg_fetch_object() on the pg_prepare() call. Essentially, every time you iterate in the while() loop, you are calling pg_prepare() again, inadvertently trying to create a new prepared statement called "parking."
What you really mean to do is to get the result of pg_execute() and then pull the results with pg_fetch_object():
$devices_query = pg_query($conn, "SELECT applications.name category, devices.* FROM app_as.application applications, app_as.device devices WHERE applications.id = devices.application_id");
$prepare_result = pg_prepare($conn, "parking", "SELECT distinct on (name) name,application_name,longitude,latitude,parking_car_status status,received_at FROM V_DEVICE_PARKING WHERE name = $1");
// Maybe process $prepare_result as needed here
while ($devices = pg_fetch_object($devices_query)) {
$execute_result = pg_execute($conn, "parking", [$devices->name]);
while ($parking = pg_fetch_object($execute_result)) {
$devices->parking_car_status = $parking->parking_car_status;
}
$data['DEVICES'][] = $devices;
}
Related
I want an if-statement that only runs, when there are no rows in the table or if existing rows dont match a specific parameter from my input. I tried this way:
$currentURL = $post["media_url"];
$sql = "SELECT * FROM images WHERE imageURL = '$currentURL'";
$result = $conn->query($sql);
if(!$result)
{ ... }
From my thinking this should execute the if-statement on the first time I want to add something to the database and if the $currentURL does not exist in existing data. But this does not seem to work the way I think it does. How would you do this? Maybe I'm handling the $result wrong, because if I test the sql-query inside phpmyadmin this shows the right result (no rows).
The correct way to do this would be to use prepared statement and fetch the results into an array. You can fetch all rows into an array using fetch_all()
$stmt = $conn->prepare("SELECT * FROM images WHERE imageURL = ?");
$stmt->bind_param('s', $post["media_url"]);
$stmt->execute();
// Get result and then fetch all rows from the result object
$result = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
// Then check if you have any rows at all using a simple if statement
// Negate it using ! to check if the array is empty
if (!$result) {
// no results found
}
I guess, that $conn is a PDO connection? In that case, the method $conn->query() returns an object of type PDOStatement. See https://www.php.net/manual/de/class.pdostatement.php
The method does NOT return the result set.
Instead you can use the PDOStatement object, to fetch the results:
$currentURL = $post["media_url"];
$sql = "SELECT * FROM images WHERE imageURL = '$currentURL'";
$result = $conn->query($sql)->fetchAll();
if(empty($result))
{ ... }
In case you are using mysqli, the object returned by query() is this: https://www.php.net/manual/en/class.mysqli-result.php
So the code would be:
$currentURL = $post["media_url"];
$sql = "SELECT * FROM images WHERE imageURL = '$currentURL'";
$result = $conn->query($sql)->fetch_all(MYSQLI_ASSOC);
if(empty($result))
{ ... }
Please also note: Your code is highly insecure! You should use prepared statements to prevent sql-injection:
$currentURL = $post["media_url"];
$sql = "SELECT * FROM images WHERE imageURL = :currentUrl";
$stmt = $conn->prepare($sql);
$stmt->execute(['currentUrl' => $currentURL]);
$result = $stmt->fetchAll();
if(empty($result))
{ ... }
sanitize input against sql injection (or better - use prepared statements and param binding)
$sql = "SELECT * FROM images WHERE imageURL = '".$conn->real_escape_string($currentURL)."'";
mysqli query returns true on success (even empty dataset is success), use num_rows instead:
if ( $result->num_rows === 0 ) { ... }
I'm trying to run a db2 parameterized query in PHP and upon the execution of the insert, I get the error:
Invalid parameter number., SQL state S1002 in SQLDescribeParameter
This is my script:
$getItems = "
SELECT
ID,
EXPIRATION_TIMESTAMP
FROM table1
";
$stmt = odbc_exec($DB2connDEV, $getItems);
$prepInsert = odbc_prepare($DB2connPROD, "INSERT INTO table2 (originalID, expiration_timestamp) VALUES(?,?)");
while($gettingDevItems = odbc_fetch_array($stmt)){
$rows[] = $gettingDevItems;
}
foreach($rows as $row){
$originalID = $row['ID'];
$expiration_timestamp = $row['EXPIRATION_TIMESTAMP'];
$getIdentity = "SELECT IDENTITY_VAL_LOCAL() AS LASTID FROM SYSIBM.SYSDUMMY1";
$insertTable = odbc_execute($prepInsert, array($originalID, $expiration_timestamp));//error at this line
$insertTable = odbc_exec($DB2connPROD, $getIdentity);
$row = odbc_fetch_array($stmt);
$ret = $row['LASTID'];
}
When I do a var_dump on the array of params, I get this:
array(2) {
[0]=>string(1) "2"
[1]=>string(26) "2019-10-03 00:00:00.000000"
}
What am I doing wrong here? Even if I take one value out to only insert one or the other I still get it, so It's not specific to one column.
Maybe odbc can't support reuse of prepared statement, or your driver, or other part of your code, or another thing.
Anyway, move the prepared statement inside your foreach loop to make sure you will rebuild it:
foreach($rows as $row){
$prepInsert = odbc_prepare($DB2connPROD, "INSERT INTO table2 (originalID, expiration_timestamp) VALUES(?,?)");
...
I'm having some trouble using a variable declared in PHP with an SQL query. I have used the resources at How to include a PHP variable inside a MySQL insert statement but have had no luck with them. I realize this is prone to SQL injection and if someone wants to show me how to protect against that, I will gladly implement that. (I think by using mysql_real_escape_string but that may be deprecated?)
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'hospital_name' AND value = '$q'";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried switching '$q' with $q and that doesn't work. If I substitute the hospital name directly into the query, the SQL query and PHP output code works so I know that's not the problem unless for some reason it uses different logic with a variable when connecting to the database and executing the query.
Thank you in advance.
Edit: I'll go ahead and post more of my actual code instead of just the problem areas since unfortunately none of the answers provided have worked. I am trying to print out a "Case ID" that is the primary key tied to a patient. I am using a REDCap clinical database and their table structure is a little different than normal relational databases. My code is as follows:
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'case_id' AND record in (SELECT distinct record FROM database.table WHERE field_name = 'hospital_name' AND value = '$q')";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried substituting $q with '$q' and '".$q."' and none of those print out the case_id that I need. I also tried using the mysqli_stmt_* functions but they printed nothing but blank as well. Our server uses PHP version 5.3.3 if that is helpful.
Thanks again.
Do it like so
<?php
$q = 'mercy_west';
$query = "SELECT col1,col2,col3,col4 FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
if($stmt = $db->query($query)){
$stmt->bind_param("s",$q); // s is for string, i for integer, number of these must match your ? marks in query. Then variable you're binding is the $q, Must match number of ? as well
$stmt->execute();
$stmt->bind_result($col1,$col2,$col3,$col4); // Can initialize these above with $col1 = "", but these bind what you're selecting. If you select 5 times, must have 5 variables, and they go in in order. select id,name, bind_result($id,name)
$stmt->store_result();
while($stmt->fetch()){ // fetch the results
echo $col1;
}
$stmt->close();
}
?>
Yes mysql_real_escape_string() is deprecated.
One solution, as hinted by answers like this one in that post you included a link to, is to use prepared statements. MySQLi and PDO both support binding parameters with prepared statements.
To continue using the mysqli_* functions, use:
mysqli_prepare() to get a prepared statement
mysqli_stmt_bind_param() to bind the parameter (e.g. for the WHERE condition value='$q')
mysqli_stmt_execute() to execute the statement
mysqli_stmt_bind_result() to send the output to a variable.
<?php
$q = 'Hospital_Name';
$query = "SELECT value FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
$statement = mysqli_prepare($conn, $query);
//Bind parameter for $q; substituted for first ? in $query
//first parameter: 's' -> string
mysqli_stmt_bind_param($statement, 's', $q);
//execute the statement
mysqli_stmt_execute($statement);
//bind an output variable
mysqli_stmt_bind_result($stmt, $value);
while ( mysqli_stmt_fetch($stmt)) {
echo $value; //print the value from each returned row
}
If you consider using PDO, look at bindparam(). You will need to determine the parameters for the PDO constructor but then can use it to get prepared statements with the prepare() method.
I have a MySQL query that was working up until I changed it in order to use prepared statements.
I cannot figure out why I do get this error:
mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, object
given
The query (of this log in form) should return just one result:
$conectar = mysqli_connect(localhost, USER, PASS, DATABASE);
//from the log in form
$email = $_POST['email'];
$clave = $_POST['clave'];
//this should get me just one result: the user to which the email belongs.
$consulta = "SELECT usuarios.userID, usuarios.userPass, usuarios.userEmail, usuarios.userPass, usuarios.userFechaGeneracion, usuarios.userNombres, rolesUsuarios.nombreRol,
GROUP_CONCAT(rolesUsuarios.nombreRol SEPARATOR '|') AS roles
FROM rolesUsuarios, usuarios
WHERE usuarios.userEmail=?
AND rolesUsuarios.userID = usuarios.userID
GROUP BY usuarios.userID
";
$buscarUsuario = mysqli_prepare($conectar,$consulta);
mysqli_stmt_bind_param($buscarUsuario, 's', $email);
mysqli_stmt_execute($buscarUsuario);
if (mysqli_stmt_get_result($buscarUsuario)) {
$row = mysqli_fetch_assoc($buscarUsuario);
$originalPass = $row['userPass'];
...
Why isn't working? The query in itself should return an array with that result, containing the User Name Email, the Password (a hashed value, actually), his Role, etc...
You are close:
// vvvvvvv--- this is missing
if ($result = mysqli_stmt_get_result($buscarUsuario)) {
$row = mysqli_fetch_assoc($result);
// ^^^^^^^--- & needs to be used here
The reason is that $buscarUsuario is a statement "handle", not an actual result set from the database. You use that "handle" to get the actual result set. Following the trail of logic using the documentation:
mysqli_stmt_get_result takes a mysqli_stmt argument and returns a mysqli_result:
mysqli_result mysqli_stmt_get_result ( mysqli_stmt $stmt )
mysqli_fetch_assoc takes a mysqli_result:
array mysqli_fetch_assoc ( mysqli_result $result )
According to the documentation ( https://secure.php.net/manual/en/mysqli-stmt.get-result.php ), this is how you use mysqli's prepared statements, where $stmt is $buscarUsuario in your code snippet:
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_array($result, MYSQLI_NUM);
When using mysqli_stmt_execute(), the mysqli_stmt_fetch() function must be used to fetch the data prior to performing any additional queries. Official Doc
while (mysqli_stmt_fetch($stmt)) {
}
Currently I save prepared statements into a private variable, because I ignore how they really work in the deepness, and do it just in case.
So the question is really simple, if I iterate over the same $PDO->prepare(), will it prepare again the same query?
foreach( $arr as $docid ) {
if( $this->dbLink === null ) { // PDO resource, saved in the object.
throw new Exception( 'Must first connect to DB' );
}
if( $this->queryCheckAccess === null ) {
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
}
else {
$result = $this->queryCheckAccess->execute(array(':id'=>$docid));
}
}
Will it matter ? Or the DB Engine / PHP is smart enough to know that it is the same prepared statement?
Thanks a lot.
----------------- EDIT --------------
I think I was misunderstood.
What I ask is what happens if I do:
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
And what happens if I do:
if( $this->queryCheckAccess === null ) {
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
}
Will the engine prepare the query 4 times in the first example? Or will notice it is the same query and just "jump" that?
Your code only prepares the query once, because after the first loop iteration, it's not NULL so it the conditional block won't run. But it's a waste of time to check the condition every time through the loop.
But to answer your question, if you prepare() the same query, it does do redundant work, even if the query is identical to the one you prepared before. So you should avoid that.
But you don't need to prepare inside the loop at all. Prepare once before you start the loop, and bind a variable to the parameter. You don't need to bind every time in the loop, just change the value of that variable.
if( $this->dbLink === null ) { // PDO resource, saved in the object.
throw new Exception( 'Must first connect to DB' );
}
$query = 'SELECT * from something where id = :id';
$this->queryCheckAccess = $this->dbLink->prepare($query);
$this->queryCheckAccess->bindParam(':id' => $docidparam);
foreach( $arr as $docid ) {
$docidparam = $docid;
$result = $this->queryCheckAccess->execute();
}
I'm not sure if you can bind the variable and also use it as the loop variable, there might be a scope conflict.
Another suggestion for this query: why not just run one query to search for a list of values?
$list = implode(",", array_fill(1, count($arr), "?"));
$query = "SELECT * FROM something WHERE id IN ( $list )";
$this->queryCheckAccess = $this->dbLink->prepare($query);
$this->queryCheckAccess->execute($arr);
PS: Also you should check for errors. If you enable PDO error mode EXCEPTION, then errors will automatically throw exceptions. If you don't enable that mode, you need to check the return value of prepare() and execute(), which return false if there's an error.
I just RUN a code similar to your example, and enabled MySQL Query LOG I found that all prepare requests are sent to MySQL Server
Prepare SELECT * FROM test_table WHERE username = ?
Close stmt
Prepare SELECT * FROM test_table WHERE username = ?
Close stmt
Prepare SELECT * FROM test_table WHERE username = ?
Close stmt
Prepare SELECT * FROM test_table WHERE username = ?
Close stmt
Test code:
$sth = $dbh->prepare($sql);
$sth = $dbh->prepare($sql);
$sth = $dbh->prepare($sql);
$sth = $dbh->prepare($sql);
$sth = $dbh->prepare($sql);
$sth->bindParam(1, $user);
$sth->execute();
Then, the best way is to prepare once, and Bind different values and then execute.
$sth = $dbh->prepare($sql);
$user = "test";
$sth->bindParam(1, $user);
$sth->execute();
$user = "test2";
$sth->bindParam(1, $user);
$sth->execute();
$user = "test";
$sth->bindParam(1, $user);
$sth->execute();
No, that's one of the main features of prepared statements. If you're going to run the same query multiple times but with different variables then preparing the query will give you a speed increase. Especially if you make use of transactions (requires InnoDB storage engine).
To answer the question from the title (which is quite different from questions in the body), the best way to avoid preparing the same statement more than once, apparently would be to avoid running multiple similar queries at all.
To answer the question from the question body - no, DB Engine / PHP is not "smart" enough to know that it is the same query were prepared again. With every new prepare() call another statement is created. And I would be first to hate such a "smart" behavior. The "smarter" your tool, the more unpredictable results you get.
To answer the real problem in the code, a smart developer would use a right tool to save himself a trouble.
With safeMysql whole mess will be reduced to one query and one line of code
$data = $this->dbLink->getAll('SELECT * from somth where id IN (?a)', $arr);
S0 - no multiple queries, no multiple preparations, no multiple questions.
By the way, you are losing first id with your code.
Yet you're losing all of them but last one if you don't use the result in place.