edited...
hi guys can anyone help me with my website
I just want to get a specific comment in the comment area just like in facebook
<?php
require 'db.php';
$sql = 'SELECT * FROM comment WHERE postID = postID';
$statement = $connection->prepare($sql);
$statement->execute();
$comment = $statement->fetch(PDO::FETCH_OBJ);
?>
what I mean is that if I comment in the first post it will just fetch the current comment and it will not display on the other post.
Here's what your query is currently doing:
get records from the table comment where the field postID = postId
Which of course, won't work, you're using a string (without quotes) as your value. You need to bind the parameter and pass the value in, e.g.
$sql = 'SELECT * FROM `my_table` WHERE `some_field` = :myVal;';
$res = $conn->prepare($sql);
$res->execute([':myVal' => $_GET['id']]);
$data = $res->fetchAll(PDO::FETCH_ASSOC);
Here, I pass the bind a param (:myVal) and then prepare that statement. You then pass in the value for :myVal (in this case, a $_GET of the query param id).
Then fetch, var_dump/print_r that, and you should see table data in your script.
I believe answer would look like this:
<?php
require 'db.php';
$postId = 1; // get it somewhere, probably from $_GET
$sql = 'SELECT * FROM comment WHERE postID = ?';
$statement = $connection->prepare($sql);
$statement->execute( [$postId]);
$comment = $statement->fetch(PDO::FETCH_OBJ);
?>
Explanations, copied from comment to original question:
Your SQL condition postID = postID literally says any comment. You need to pass actual post ID there.
Related
I want to Increment an integer in every time +1. Now my code just at first time work after that don't work it does not move to number 2.At first time I can see number 1 in my table but that number do not Increment at second time.
PHP code:
<?php
include 'connt.php';
$Id = $_POST['Id'];
$sql = "UPDATE student SET Posts =? WHERE Id=?" ;
$stmt = $con->prepare($sql);
$Posts =+1;
$stmt->bind_param("ss",$Posts,$Id);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
?>
Your $Posts is never set. Incrementing it will always leave it at 1. You don't need to read values or increment in PHP, you can do it right in your query:
<?php
include 'connt.php';
$Id = $_POST['Id'];
$sql = "UPDATE student SET Posts = Posts+1 WHERE Id=?" ;
$stmt = $con->prepare($sql);
$stmt->bind_param("s",$Id);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
You can simply use $Posts++ to increment your variable.
Your mistaken here,
$Posts =+1;
You probably meant something like this,
$Posts++;
// Or,
$Posts += 1;
Edit:
Hey You dont even have $Post defined in the first place !
With this code (if this is all the code), your $Posts variable is always 1.
You should first read the number of posts from the database, then increment it by one and then update it to the new value.
I am very worried about sql injection. I have been reading up about it and been trying to prepare the following query:
$query_AcousticDB = "SELECT * FROM products WHERE Category = 'Acoustic ' ORDER BY RAND()";
$AcousticDB = mysqli_query($DB, $query_AcousticDB) or die(mysqli_connect_error());
$row_AcousticDB = mysqli_fetch_assoc($AcousticDB);
$totalRows_AcousticDB = mysqli_num_rows($AcousticDB);
which works great.
I thought that I only have to change to the following:
$query_AcousticDB = prepare("SELECT * FROM products WHERE Category = 'Acoustic ' ORDER BY RAND()");
However this doesn't work. I get the following error:Call to undefined function prepare()
I still would like to get my values as:<?php echo $row_AcousticDB['what ever']; ?>
Can somebody point me into the right direction?
How about this?
$category = "Acoustic";
$sql = "SELECT * FROM products WHERE Category = ? ORDER BY RAND()";
$stmt = $DB->prepare($sql);
$stmt->bind_param('s', $category);
$stmt->execute();
$row_AcousticDB = $stmt->get_result(); // altenative: $stmt->bind_result($row_AcousticDB);
$row_AcousticDB->fetch_array(MYSQLI_ASSOC)
If you let the user enter any data (in text boxes on website) or you pull anything out of database for use (risk of second order injection) make sure you sanitize it (cleanse it of any nasty tags like < or >) by using htmlspecialchars($category) or htmlentities($category).
With this method implemented into your code, you will be reasonably safe from SQL Injection :)
Try to make this variable global: Put this on the upper part of your script global $acousticDB; or else you may try this $acoustic='';
I'm trying to get data from a database but cant seam to get the following working, does anyone know why?
I have tried print_r too and shows nothing, the db connection and everything is working too.
$id = $_GET['id'];
$query = $db->prepare('SELECT id, title, content FROM articles WHERE id = $id');
$query->execute();
$article = $query->fetchall();
This does however print_r the id from the URL correctly.
print_r($_GET);
Any help is appreciated!
Important note:
Variables inside single qoutes are not interpolated. They're just literal strings
Much better to bind them properly:
$id = $_GET['id'];
$query = $db->prepare('SELECT id, title, content FROM articles WHERE id = :id');
$query->bindParam(':id', $id);
$query->execute();
$article = $query->fetchAll(PDO::FETCH_ASSOC);
I am working on a friend list function and I can't figure out how to correctly receive the values.
My code looks like this:
$getuid = $mysqli->prepare("SELECT `uid` FROM `users` WHERE name = ? OR name = ?");
$getuid->bind_param("ss", $user, $friend);
$getuid->execute();
$getuid->bind_result($uid);
$getuid->fetch();
$getuid->close();
$resetpass = $mysqli->prepare("INSERT INTO `friendlist` SET `friend1`=?, `friend2`=?, `accept`=0");
$resetpass->bind_param("ss", $uid[0], $uid[1]);
With the first query I get exactly two uid values back. I want to use them in the second query. It seems like bind_result is not working, neither as array nor when using two values in bind_result. How can I do this using mysqli. I can't use get_result because I'm on PHP 5.2 .
Anyone able to help me?
I think you need something like this. I have not tested it and there are probably even better ways to do this. I just tried the quickest change i could make to your original code to get it to work.
$query = "SELECT uid FROM users WHERE name = '".$user."' OR name = '".$friend."'";
$getuid = $mysqli->query($query);
if($uid = $getuid->fetch_assoc())
{
$query = "INSERT INTO friendlist SET friend1= '".$uid['uid'][0]."', friend2='".$uid['uid'][1]."', accept=0";
$mysqli->query($query)
}
$getuid->close();
Okay I finally understood the concept of fetch.
In order to receive all the values I have to retrieve them in a while-loop.
Here is the solution:
$getuid = $mysqli->prepare("SELECT `uid` FROM `users` WHERE name = ? OR name = ?");
$getuid->bind_param("ss", $user, $friend);
$arra = array();
$getuid->execute();
$getuid->bind_result($uid);
while ($getuid->fetch()) {
$arra[] = $uid;
}
Now I can call the array values using $arra[0] and $arra[1]
I'm just migrating my code from mysql_query style commands to PDO style and I ran into a problem. THe old code looked like this :
$query_list_menu = "SELECT ".$_GET['section_name']." from myl_menu_hide_show WHERE id='".$_GET['id']."'";
And the updated code looks like below. Apparently it's not working. I store in $_GET['section_name'] a string that represents a field name from the database. But I think there is a problem when I pass it as a variable. Is the below code valid ? Thanks.
$query_list_menu = "SELECT :section_name from myl_menu_hide_show WHERE id=:id";
$result_list_menu = $db->prepare($query_list_menu);
$result_list_menu->bindValue(':section_name', $_GET['section_name'] , PDO::PARAM_STR);
$result_list_menu->bindValue(':id', $_GET['id'] , PDO::PARAM_INT);
$result_list_menu->execute();
If $_GET['section_name'] contains a column name, your query should be:
$query_list_menu = "SELECT " . $_GET['section_name'] . " from myl_menu_hide_show WHERE id=:id";
Giving:
$query_list_menu = "SELECT :section_name from myl_menu_hide_show WHERE id=:id";
$result_list_menu = $db->prepare($query_list_menu);
$result_list_menu->bindValue(':id', $_GET['id'] , PDO::PARAM_INT);
$result_list_menu->execute();
The reason is that you want the actual name of the column to be in the query - you'd changed it to be a parameter, which doesn't really make much sense.
I'll also add that using $_GET['section_name'] directly like this is a massive security risk as it allows for SQL injection. I suggest that you validate the value of $_GET['section_name'] by checking it against a list of columns before building and executing the query.
There is no good and safe way to select just one field from the record based on the user's choice. The most sensible solution would be to select the whole row and then return the only field requested
$sql = "SELECT * from myl_menu_hide_show WHERE id=?";
$stmt = $db->prepare($query_list_menu);
$stmt->execute([$_GET['id']]);
$row = $stmt->fetch();
return $row[$_GET['section_name']] ?? false;