I have table which contain [Username, Email] and I'm checking them for non repeating any of them,
but It's case-sensitive , so if there is user that's Username is "SelvsterTP", if other user typed it, he won't be able to register, but if he type "selvstertp" for example, no errors face him! ,
I think of making extra column called 'UsernameCheck' and upload to it Username 'lowercase' , then check on that column (same with Email) ,
but it seems to me not the best code for that situation, so any ideas or suggestions?
Original code
$CheckusernameRow =
RowCountDB("Id","users","Username",$Username); //function
to get rows
My Idea
$CheckusernameRow =
RowCountDB("Id","users","UsernameCheck",strtolower($Username));
Did you try the LOWER() selector?
$lowerUsername = strtolower($Username);
$query = "SELECT id FROM users WHERE LOWER(Username) LIKE '$lowerUsername'";
Related
I'm create a user search where a user can search for other users based on username, language and/or location. At least one field is required so for example, you can search for just username, or username and location etc.
I'm having difficulty writing a MYSQL query which takes into consideration that some parameters can be blank. I've tried using a maximum of two paramaters at the moment:
PHP/MYSQL (PDO)
$data = json_decode(file_get_contents("php://input"));
$user = $data->user; //'null' if left blank
$location = $data->location; //'null' if left blank
$sql = "SELECT user, spokenLanguages, profileImage
FROM users WHERE user LIKE :user
AND (town = LOWER(:location) OR country = LOWER(:location))";
This works perfectly if $user and $location are defined, but I only need the location WHERE clause included if $user is defined and $location isn't equal to null. Similarly if $location is defined and $user is null, the user clause shouldn't be considered. Is there any quick method of doing this that I'm unaware of? Or will it be a case of extending the query with a if/else statements?
Any help will be appreciated.
You might be better off constructing different queries based on what conditions are defined. This makes it easier to optimize them.
If you want to put the logic in a single query, I think you want:
WHERE (:user IS NULL OR user LIKE :user) AND
(:location IS NULL OR LOWER(:location) IN (town, country))
I wonder if it is possible to search a value in columns using in clause having column names as in elements.
for instance :
$username_or_mail = 'value';
select * from users where $username_or_mail in(username,email);
where username and email are column names in table users.
I tried this and seems that it is working but i want to be sure if i'm right.
Would I be right in assuming you're using this for a "Enter your username or e-mail address and password to login" login form?
If so, then your SQL code is correct, but hints at a possible design flaw: what happens if someone has a username that is also the email address of another user? This could be used as a malicious attack (i.e. hijack another user's account by making your username equal to the victim's email address).
There is a solution/workaround: simply check for the '#' character and ensure that email addresses contain # and similarly ensure that no username contains # either.
...and if you're going to do that logic, then you might as well optimize the SQL and skip having to check multiple columns (psuedocode):
if( $usernameOrEmail contains '#' ) {
registerParameter("#email", $usernameOrEmail);
$sql = "SELECT ... WHERE EmailAddress = #email"; // note that "#email" is the syntax for query parameters in MySQL.
} else {
registerParameter("#userName", $usernameOrEmail);
$sql = "SELECT ... WHERE UserName = #userName";
}
I'm working on a mailbox system for a game on Facebook. I have 2 inputs to a php script, with example input below:
$FriendIDs = "10000001,10002421,10132000,10074794,13523543"
$MailCode = "ReqGem"
and a table with the columns ID, Mailbox.
What I want to be able to do is concatenate whatever was originally in the Mailbox field, with MailCode, for each person in the FriendIDs.
I figured it was something like this, but I couldn't get it to work (my php/sql knowledge is pretty dire!):
mysqli_query($db, "UPDATE Save SET Mailbox = CONCAT(Mailbox,'$MailCode' . '_') WHERE 'id' IN $FriendIDs);
EDIT: I've just realized I need to add a new row if the FriendID isn't already in the table.
I'm guessing I need to start out with INSERT INTO and then use ON DUPLICATE KEY UPDATE, but I can't seem to get it to work. It's a bit trickier since the unique key is in an array, and I can't use WHERE id IN(ArrayOfValues) in an INSERT query.
Any help would be greatly appreciated!
You're close:
$FriendIDs = "10000001,10002421,10132000,10074794,13523543";
$MailCode = "ReqGem";
mysqli_query($db, "UPDATE Save SET Mailbox = CONCAT(Mailbox,'$MailCode' . '_') WHERE `id` IN($FriendIDs));
You just needed the parenthesis for IN() as it is a function.
Don't use single quotes for column names. Use ticks. Single quotes are for strings.
I'm pretty new to web development so there's a good chance I'm doing something pretty dumb here.
I'm using AJAX to send data to a PHP file which will use the data to run SQL commands to update a table. I'm dealing with editing articles, so my PHP file needs to know three things: The original name of the article (for reference), the new name and the new content. I also tell it what page the user is looking at so it knows which table to edit.
$('#save_articles').click(function () {
var current_page = $('#current_location').html();
var array_details = {};
array_details['__current_page__'] = current_page;
$('#article_items .article_title').each(function(){
var article_name = $(this).html(); //The text in this div is the element name
var new_article_name = $(this).next('.article_content');
new_article_name = $(new_article_name).children('.article_content_title').html();
var new_article_content = $(this).next('.article_content');
new_article_content = $(new_article_content).children('.article_content_content').html();
array_new_deets = {new_name:new_article_name, content:new_article_content};
array_details[article_name] = array_new_deets;
});
send_ajax("includes/admin/admin_save_articles.php", array_details);
});
In the PHP file, I first retrieve the current page and store it in $sql_table and then remove the current page variable from $_POST. Then I run this.
foreach($_POST as $key => $value){
$original_name = $key;
$new_name = $value['new_name'];
$new_cont = $value['content'];
$query = "UPDATE
`$sql_table`
SET
`element_name`= '$new_name',
`element_content` = '$new_cont',
WHERE
`element_name` = '$original_name'";
$query = mysql_query($query);
if(!$query){
die(mysql_error());
}
}
I always receive an error saying that 'sitep_Home' is an incorrect table name. Not only is it a real table in my db, but I've actually changed its name to make sure it isn't an issue with keywords or something.
If I instead run the query without the variable $sql_table (specifying that the table is called 'sitep_Home'), the query accepts the table. It then doesn't actually update the table, and I suspect it's because of the WHERE argument that also uses a variable.
Can anyone see what I'm doing wrong here?
try to use $sql_table as '$sql_table' if you are sure that this contain a right table name.
Like you are using other column's value
Check if this can help!!
Dump/log your query before executing it - the problem should be quite visible after that (I suspect some additional characters in the table name).
Couple of things:
you should never trust your users and accept everything they'll send you in $_POST, use whitelist for the fields you'd like to update instead
your code is vulnerable to SQL injection, I recommend to use some framework / standalone library or PDO at least, avoid mysql_query which will be deprecated in the future. Check this to get some explanation http://www.phptherightway.com/#databases
Table names are case sensitive in MySQL. Please check if there is mistake in the case.
You have to surround name of mysql table in query in this `` qoutes. When you dinamically create mysql table it is very important to trim($variable of mysql name table) before create, because if "$variable of mysql name table" have space in the edns or in the start mysql not create table. And the last when you call dinamically $variable of mysql name table in query you have to trim($variable of mysql name table) again.
In my website usernames are saved like this robert and funny thing is that one can registers with the name Robert (Capital R).
How would I prevent these somehow duplicated usernames?
My project is in mysql/php
if (mysql_num_rows(mysql_query("SELECT username FROM user_table WHERE username='$username'")) > 0){
die("duplicated usernames can't be saved , this username exists.");
}
Even with this code Robert can be registered.
You should add a UNIQUE index on the username column.
Also, you may find some useful info here: https://stackoverflow.com/search?q=mysql+case+sensitive
Convert them both to the same case and then compare them.
As such:
SELECT username FROM table WHERE LOWER(username) = LOWER('$username')
Hopefully you've sanitized the user input for the username to prevent SQL injections, after that, use PHP to LC your usernames before checking for duplicates or inserting the name in the database:
$username = strtolower($username);
if (mysql_num_rows(mysql_query("SELECT username FROM user_table WHERE username='$username'")) > 0){
die("duplicated usernames can't be saved , this username exists.");
}
php has very important function but people ignore it in start strtolower , use it at the time of
registering and query hence
$username = strtolower($username);
you will never face such problem again .