How to put variable in a query? [duplicate] - php

This question already has answers here:
What is the difference between single-quoted and double-quoted strings in PHP?
(7 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I am trying to filter data from the database by adding a variable to the query. The query that I have made is like this:
$data = $this->db->query('SELECT channel, MIN(product_name) as product_name, SUM(revenue) AS revenue FROM my_test_table WHERE channel = "chanel1" AND province=$area GROUP BY SUBSTRING(product_name, 1, 3)')->result();
But it results in this message:
Error Number: 1054
Unknown column '$area' in 'where clause'
I use the "$area" variable in the query to make it dynamically filter the data based on input from the user. So $area is a variable that is assigned a value from the input.

The CodeIgniter way for your example is:
$data = $this->db->select('channel, MIN(product_name) as product_name, SUM(revenue) AS revenue')
->where('channel','chanel1')
->where('province',$area)
->group_by('SUBSTRING(product_name, 1, 3)')
->get('my_test_table')
->result();
CodeIgniter Query Builder Class: it creates a query string, which escapes the columns properly.

$data = $this->db->query('SELECT channel, MIN(product_name) as
product_name, SUM(revenue) AS revenue FROM my_test_table WHERE channel
= "chanel1" AND province='.$area.' GROUP BY SUBSTRING(product_name, 1, 3)')->result();
Note that this solution is probably not secure. The variable can be SQL injected. I write this solution for your consideration.
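As an added example, separate from the two answers above, here is the same query written three ways in plain PHP with PDO rather than CodeIgniter: the single-quoted string from the question (no interpolation, so MySQL sees the literal text $area), the double-quoted version (interpolated, but unquoted and injectable), and a prepared statement where the value is bound separately. The connection details, the table my_test_table with columns channel, product_name, revenue and province, and the $_GET parameter name are assumptions for this example.

```php
<?php
// Added example, not code from the question or either answer.
// Assumes a MySQL table my_test_table(channel, product_name, revenue, province)
// and that the province comes from the user via $_GET['area'].

$area = $_GET['area'] ?? 'Ontario';   // untrusted input (assumed source)

// 1. Single-quoted PHP string: PHP does NOT interpolate $area, so the SQL text
//    sent to MySQL contains the characters "$area" and MySQL reports
//    "Unknown column '$area' in 'where clause'".
$bad1 = 'SELECT channel FROM my_test_table WHERE province=$area';

// 2. Double-quoted PHP string: $area IS interpolated, but it is pasted into the
//    SQL bare. A value like Ontario is read as a column name, and any value the
//    user chooses becomes part of the SQL itself (SQL injection).
$bad2 = "SELECT channel FROM my_test_table WHERE province=$area";

// 3. Prepared statement: the SQL text is fixed and the value travels
//    separately, so user input can never change the structure of the query.
function revenueByProvince(PDO $pdo, string $area): array
{
    $sql = 'SELECT channel, MIN(product_name) AS product_name, SUM(revenue) AS revenue
            FROM my_test_table
            WHERE channel = :channel AND province = :province
            GROUP BY SUBSTRING(product_name, 1, 3)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':channel' => 'chanel1', ':province' => $area]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection parameters are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

print_r(revenueByProvince($pdo, $area));
```

The CodeIgniter answer above reaches the same end state through the Query Builder; the PDO version shows what happens underneath: the SQL never contains the user's text, so neither quoting nor escaping of $area is needed.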

Related

PHP - SQL Select filter between two tables on id [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Reference - What does this error mean in PHP?
(38 answers)
Closed 4 years ago.
Could someone help me fix the code below, please:
$decision = mysqli_real_escape_string($conn, $_POST['decision']);
$sql = "SELECT * FROM user1 WHERE 'fao' LIKE '%decision%' AND id NOT IN
(SELECT id FROM assigned)";
$result=mysqli_query($conn, $sql);
The fao field only ever has two values, Nurse or Dietitian. The issue is with my SELECT statement. In the assigned table, there are two columns, an id value and the name of a user. What I am trying to do is: if the id value exists in the 'assigned' table, then I would like to remove it from the results of SELECTing all from 'user1'. I am then echoing these results into a table. Thanks!
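An added example (not from the question) of the same lookup as a mysqli prepared statement. Two details in the posted query are worth seeing side by side with a working form: 'fao' in single quotes is a string literal, not the column, so the comparison never looks at the row; and "%decision%" inside double quotes lacks the $, so the pattern is the literal word. The function below binds the LIKE pattern as a parameter and, since the question says fao only ever holds Nurse or Dietitian, the caller checks the input against that list first. It assumes an open mysqli connection $conn with the mysqlnd driver (for get_result) and the tables user1(id, fao, ...) and assigned(id, name) as described.

```php
<?php
// Added example, not the asker's code. Assumes $conn is an open mysqli
// connection (mysqlnd driver) and the tables user1 and assigned as described.

function unassignedUsers(mysqli $conn, string $decision): array
{
    // fao is a column, so it is left unquoted (backticks would also work);
    // wrapping it in single quotes turns it into the constant string 'fao'.
    // The LIKE wildcards belong to the bound value, not to the SQL text.
    $sql = 'SELECT * FROM user1
            WHERE fao LIKE ?
              AND id NOT IN (SELECT id FROM assigned)';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $pattern = '%' . $decision . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Because the field has a known, tiny value set, reject anything else before
// it reaches the query. This also keeps "%" and "_" (LIKE wildcards) out of
// the pattern, so a user cannot widen the match.
$allowed  = ['Nurse', 'Dietitian'];
$decision = $_POST['decision'] ?? '';
if (!in_array($decision, $allowed, true)) {
    http_response_code(400);
    exit('invalid decision');
}

foreach (unassignedUsers($conn, $decision) as $row) {
    // escape on output when echoing into the HTML table
    echo '<tr><td>', htmlspecialchars((string) $row['id']), '</td><td>',
         htmlspecialchars((string) $row['fao']), "</td></tr>\n";
}
```

With a fixed value set, an exact match (fao = ?) is tighter than LIKE; the example keeps LIKE only because that is what the question uses.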

OR operator not working in mysql php [duplicate]

This question already has answers here:
Passing an array to a query using a WHERE clause
(17 answers)
Closed 4 years ago.
I need help with an issue related to the MySQL OR operator. I am new to MySQL so I am facing problems. Actually, I am building a search engine filter.
I am getting two values from another page and showing them on a search page by filtering from the database.
Here I declare the values that come from another page:
$cid = $_GET['cid'];
$plateform = $_GET['plateform'];
And here is my SQL:
SELECT * FROM `products` WHERE (Cat_id = $cid) OR (plateform_id IN ($plateform)
When I try to get two values it gives me an error, and when I get one value it works well. Help me solve this problem.
It gives me the error given below:
mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in
You missed a closing parenthesis at the end.
Need to change:
SELECT * FROM `products` WHERE (Cat_id = $cid) OR (plateform_id IN ($plateform)
To:
SELECT * FROM `products` WHERE (Cat_id = $cid) OR (plateform_id IN ($plateform))
Or you can also modify your query:
SELECT * FROM `products` WHERE Cat_id = $cid OR plateform_id IN ($plateform)
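The missing parenthesis explains the error, but the query also pastes $_GET values straight into the SQL, and an IN list cannot be bound as a single parameter. The added example below (not from the question or the answer; it uses PDO, which the question does not mention) builds one placeholder per value so the whole list is bound, validates that every id is an integer, and handles the empty-list case, since IN () is a syntax error in MySQL. The products table with integer columns Cat_id and plateform_id is taken from the question; the PDO connection $pdo and the two accepted $_GET shapes are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a PDO connection
// $pdo and a table products(Cat_id, plateform_id, ...) as in the question.

function findProducts(PDO $pdo, int $cid, array $platformIds): array
{
    // Accept only integer ids; anything else is rejected instead of being
    // spliced into the SQL.
    $ids = [];
    foreach ($platformIds as $id) {
        if (!ctype_digit((string) $id)) {
            throw new InvalidArgumentException('platform id must be an integer');
        }
        $ids[] = (int) $id;
    }

    if ($ids === []) {
        // "IN ()" is invalid SQL, so filter on the category alone.
        $stmt = $pdo->prepare('SELECT * FROM `products` WHERE Cat_id = ?');
        $stmt->execute([$cid]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // One "?" per id, e.g. "?, ?, ?" for three ids. Both closing parentheses
    // are present, which is the fix the answer above points out.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT * FROM `products` WHERE (Cat_id = ?) OR (plateform_id IN ($placeholders))";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge([$cid], $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The question reads both values from $_GET. plateform may arrive either as a
// comma-separated string ("1,2,3") or as an array (plateform[]=1&plateform[]=2);
// both shapes are handled here (assumed, the question does not say which).
$cid = $_GET['cid'] ?? '';
if (!ctype_digit((string) $cid)) {
    http_response_code(400);
    exit('invalid cid');
}
$raw         = $_GET['plateform'] ?? [];
$platformIds = is_array($raw) ? $raw : explode(',', (string) $raw);
$platformIds = array_filter(array_map('trim', $platformIds), 'strlen');

// Connection parameters are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
print_r(findProducts($pdo, (int) $cid, $platformIds));
```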

How sort with sql [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 5 years ago.
I have a db like this:
id, name, group.
(Group is a slug that I can't know for my request.)
So one group can have many names.
I want to sort by group with php/mysql.
I want to get something like this:
$request = array( 'groupeOne = array ('name')', 'groupeTwo = array()' )
Something like this. I try to order by group but it doesn't work.
You can use order by `group` (using backticks, because group is a reserved word):
select tid, name, `group`
from my_table
order by `group`
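Backticks solve the reserved-word problem when the column name is fixed in the code. When the sort column comes from the user (a "sort by" link, say), it cannot be bound as a prepared-statement parameter, so the usual pattern is to check it against a list of permitted columns and then backtick-quote it. The added example below (not from the answer) does that and also groups the rows by their group slug into the array shape the question asks for. It assumes a PDO connection $pdo and the table my_table(id, name, group) from the question.

```php
<?php
// Added example, not the answerer's code. Assumes a PDO connection $pdo and
// a table my_table(id, name, `group`) as described in the question.

function rowsSortedBy(PDO $pdo, string $column, string $direction = 'ASC'): array
{
    // Identifiers cannot be bound as parameters, so allow only known columns.
    $allowedColumns = ['id', 'name', 'group'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    // Backticks make a reserved word such as `group` a legal identifier.
    // Doubling any embedded backtick is the MySQL escape for the identifier
    // quote; the whitelist above already rules that out, this is belt-and-braces.
    $quoted = '`' . str_replace('`', '``', $column) . '`';

    $stmt = $pdo->query("SELECT id, name, `group` FROM my_table ORDER BY $quoted $direction");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build the structure the question describes: group slug => list of names.
function namesByGroup(array $rows): array
{
    $result = [];
    foreach ($rows as $row) {
        $result[$row['group']][] = $row['name'];
    }
    return $result;
}

// Connection parameters are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$sort = $_GET['sort'] ?? 'group';     // assumed source of the user's choice
print_r(namesByGroup(rowsSortedBy($pdo, $sort)));
```

The ORDER BY in SQL keeps rows of one group adjacent; the PHP grouping then turns that ordered list into the per-group arrays without a second query.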

MySQL where clause restriction? [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I use the PHP code below to generate a random id number:
md5(uniqid(rand(), true))
The type of string it generates is something like this:
9a423553ce53c4d7a6199fa9254bfdc5
I use that as an ID in a MySQL table, then I do a standard select query:
SELECT * FROM table WHERE id = 9a423553ce53c4d7a6199fa9254bfdc5
I get this error:
Unknown column '9a423553ce53c4d7a6199fa9254bfdc5' in 'where clause'
If I just change the id to a simple number like 1, it works.
Why is this?
Have you tried encapsulating that in quotes? In your query, id = 9a423553ce53c4d7a6199fa9254bfdc5 ... You can compare two columns like id = other_id. MySQL needs to know how to handle your query.
For clarification, it should be: SELECT * FROM table WHERE id = '9a423553ce53c4d7a6199fa9254bfdc5';

php get query quotation marks [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I've written a $_GET query that passes strings on from a URL to a select query used to find information in MySQL.
The problem is, unless the URL query includes quotation marks, it won't work.
Is there any way to pass a string without the quotation marks?
Here's the relevant code:
$query = $_GET['query'];
connect to database code..
$sql = "SELECT * FROM table1 WHERE col1 RLIKE $query";
result code ...
$sql = "SELECT * FROM table1 WHERE col1 LIKE '".addslashes($_GET['query'])."'";
