This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 3 years ago.
I am trying to insert different jobs into a database and I want to check if there already is an entry for that job in the table. The idea was to use an SQL statement that returns either true or false depending on the job existing in the table or not.
The connection is properly established and I can get the values from a column using a SELECT statement as an array by using a similar syntax.
$sql = "SELECT COUNT(*) FROM job WHERE key = Pilot";
$result= $db->executeQuery($sql);
if($result == true) {
    // action 1
}
else{
    // action 2
}
The result from the executeQuery($sql) is a boolean but it always returns false, whether the job already exists or not, but I was hoping to get true when the job exists.
Your SQL is invalid, key is a reserved word and should be quoted with backticks. Also the parameter you have should be quoted as well:
$sql = "SELECT COUNT(*) FROM job WHERE `key` = 'Pilot'";
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a value in my MySQL database, all I want to do is to increase the current value with a new one, this is what I have tried:
} elseif ($gametype == "veckanskluring"){
    $sql = "UPDATE users SET veckanskluring='veckanskluring'+'$score' WHERE id='$id'";
    $retval = mysql_query( $sql, $link );
    echo "GAME == $gametype";
}
But for some odd reason, this won't work.
I have searched online and found examples, but they all look, almost exactly the same as my code.
// Sidenote this is not the whole code, obviously.
Everything except the part where I add the new value to the old value works, and if I remove 'veckanskluring'+ it updates without any problems.
I strongly believe something is wrong with this part - 'veckanskluring'+ as the other part works fine.
//NOTE2 score is always 999, just have it set to $score if I want to change it later.
UPDATE -
My fault, apparently I had put '' around veckanskluring.
$sql = "UPDATE users SET veckanskluring=veckanskluring +'$score' WHERE id='$id'"; <-- Working.
Assuming that $score and $id are numbers, you should not use single quotes around these vars,
and assuming that veckanskluring is a column name, you must not use single quotes around the column name:
"UPDATE users SET veckanskluring= veckanskluring +$score WHERE id=$id";
But the use of PHP vars in SQL is deprecated; you are at risk of SQL injection. Take a look at your MySQL driver for binding params.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Reference - What does this error mean in PHP?
(38 answers)
Closed 5 years ago.
One of my MySQL columns contains a hyphen. While the query works fine when tested through a mysql browser, it returns the key rather than the value when using php mysqli_fetch_array($result).
The query I am running looks like this:
if($test_base_name==='isolation-mer') {
    $test_name="`".$ds_channel[$i]."_isolation-mer`";
}
else {
    $test_name=$ds_channel[$i]."_isolation-mer";
}
$query="select serial_number, $test_name from table_name";
if($result=mysqli_query($dbc,$query)) {
    while($row=mysqli_fetch_array($result)) {
        $sid=$row['serial_number'];
        $pass_fail=$row[$test_name];
        ...
The serial number is retrieved successfully. However, the $pass_fail variable always retrieves nothing. The test name is embedded with quotes. Even if I hardwire the key name within all kinds of quotes, it always retrieves the key and not the value.
This is an old version of PHP and I wonder if that is the issue. Perl has no issues with this.
PHP reads the below code as a variable and not as the name of your database column:
$pass_fail=$row[$test_name];
The below code should work:
$pass_fail=$row['$test_name'];
Using ...
select serial_number, 'isolation-noise' from table_name
means that 'isolation-noise' is a literal value which is selected and will return a result set of (e.g.)
1234,'isolation-noise'
1235,'isolation-noise'
whereas...
select serial_number, `isolation-noise` from table_name
using backticks, will return the actual value of the column.
Update:
When doing the assignment - you definitely shouldn't have backticks in the name of the field, so
$test_name=$ds_channel[$i]."_isolation-mer";
$query="select serial_number, `$test_name` from table_name";
if($result=mysqli_query($dbc,$query)) {
    while($row=mysqli_fetch_array($result)) {
        $sid=$row['serial_number'];
        $pass_fail=$row[$test_name];
    }
}
So this always puts backticks round the column name in the select statement and uses the raw name in fetching the data from the result set.
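The three ways of writing the hyphenated column from this question, side by side. This is an added example, not code from the posts above; it assumes an in-memory SQLite database (pdo_sqlite) as a stand-in for MySQL, which accepts the same backtick identifiers, and the column name `ch1_isolation-mer` and its rows are constructed.

```php
<?php
// Added example. Assumption: in-memory SQLite (pdo_sqlite) stands in for MySQL;
// it accepts MySQL-style backtick identifiers. Table and data are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table_name (serial_number INTEGER, `ch1_isolation-mer` TEXT)');
$db->exec("INSERT INTO table_name VALUES (1234, 'pass'), (1235, 'fail')");

$test_name = 'ch1_isolation-mer';   // raw column name, no quoting characters in it

// Single quotes: a string literal is selected, so every row carries the name itself.
$literal = $db->query("SELECT serial_number, '$test_name' FROM table_name")
              ->fetchAll(PDO::FETCH_NUM);

// Backticks: the identifier is resolved, so every row carries the stored value,
// and the result-set key is the raw name without backticks.
$rows = $db->query("SELECT serial_number, `$test_name` FROM table_name")
           ->fetchAll(PDO::FETCH_ASSOC);

// No quoting: the hyphen is parsed as a subtraction between two unknown columns.
try {
    $db->query("SELECT serial_number, $test_name FROM table_name");
    $unquoted = 'ok';
} catch (PDOException $e) {
    $unquoted = 'error: ' . $e->getMessage();
}

foreach ($literal as $r) {
    echo "literal  {$r[0]} => {$r[1]}\n";
}
foreach ($rows as $r) {
    echo "column   {$r['serial_number']} => {$r[$test_name]}\n";
}
echo "unquoted $unquoted\n";
```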
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Using LIKE in bindParam for a MySQL PDO Query [duplicate]
(2 answers)
Closed 7 years ago.
I'm trying to get PDO to return the results of a wildcard search. My code is:
$search = "%Notes%";
$result = $db->prepare("SELECT * FROM books WHERE 'name' LIKE :search");
$result->bindParam(':search', $search);
$result->execute();
while($arr = $result->fetch(PDO::FETCH_ASSOC)){
    echo $arr['name'];
}
At the moment, I get a blank screen. If I run the sequel through PHPMyAdmin:
SELECT * FROM books WHERE name LIKE '%Notes%'
I get the appropriate result.
I assume it's something to do with the way I am formatting my PDO statement, I know you can't have a dynamic column name but I don't see what is going wrong?
In your query you have 'name'; change that to just backticks instead of quotes,
aka
$result = $db->prepare("SELECT * FROM `books` WHERE `name` LIKE :search");
You can also just remove the backticks.
This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
(2 answers)
Closed 8 years ago.
I'm trying to prepare the following code:
foreach((array)$problem as $word) { //cycles through each word in the problem, grabs tag name like word, looking through each separate tag table
    foreach((array)$tables as $table) { //cycles through list of keyword tables, checks keywords against tables
        $query = $mysqli->prepare("SELECT ?.name FROM ? WHERE ?.words LIKE '?'"); //grabs table name where keyword exists
        $query->bind_param('ssss',$table,$table,$table,$word);
        $query1 = $query->execute();
        $resultThree::fetch_assoc($query1);
        if(!is_null($resultThree)) { //if keyword exists
            array_push($pretag, $resultThree['name']); //push to pretags
        }
    }
}
It returns saying "Call to a member function bind_param() on a non-object in /home/whatpzcp/public_html/test/search.php on line 25" (the prepared statement line). Apparently this means the MySQL didn't return anything, but this same code worked fine before I was using prepared statements and doesn't anymore, which is what is confusing me.
Go easy on me as this is my first program! Also, do I need to prepare ALL MySQL statements or just ones that deal with user input?
According to the PHP docs, you may not use ? binding variables "for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign."
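One way to work within that restriction, shown as an added example that is not part of the original question or answer: the table name comes from a fixed allowlist and is interpolated between backticks, while the search word is bound as a value. It assumes an in-memory SQLite database (pdo_sqlite) as a stand-in for MySQL; the table names, rows and the `find_tags()` helper are hypothetical.

```php
<?php
// Added example. Assumptions: in-memory SQLite (pdo_sqlite) stands in for MySQL;
// the table names, rows and find_tags() helper are constructed for illustration.
const TAG_TABLES = ['tags_network', 'tags_printer'];   // the only identifiers allowed

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (TAG_TABLES as $t) {
    $db->exec("CREATE TABLE `$t` (name TEXT, words TEXT)");
}
$db->exec("INSERT INTO tags_network VALUES ('network', 'wifi router dns')");
$db->exec("INSERT INTO tags_printer VALUES ('printer', 'toner paper jam')");

function find_tags(PDO $db, string $table, string $word): array
{
    // Identifiers cannot be bound, so the table name is checked against the fixed
    // list before it is interpolated between backticks.
    if (!in_array($table, TAG_TABLES, true)) {
        throw new InvalidArgumentException("unknown tag table: $table");
    }
    // The value is a placeholder with no quotes around it; the LIKE wildcards are
    // part of the bound value, not of the SQL text.
    $stmt = $db->prepare("SELECT name FROM `$table` WHERE words LIKE ?");
    $stmt->execute(['%' . $word . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pretag = [];
foreach (['jam', 'dns', "it's"] as $word) {       // constructed problem words
    foreach (TAG_TABLES as $table) {
        $pretag = array_merge($pretag, find_tags($db, $table, $word));
    }
}
echo implode(', ', $pretag), "\n";

try {
    find_tags($db, 'tags_unknown', 'jam');        // not on the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```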
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I am having trouble getting this SQL command to work correctly. (I know this code is insecure, I just need to get it working first.)
When I run this I get the error: "Unknown column 'username' in 'where clause'"
$login_username = $_POST['username'];
$login_password = $_POST['password'];
$lc = "SELECT * FROM user WHERE username = $login_username AND password = $login_password";
$lcr = mysql_query($lc);
$lcgr = mysql_num_rows($lcr)or die(mysql_error());
If you are getting that error it means that your user table has no column called username.
Secondly, your code is open to SQL Injection. You should validate and secure your $_POST values.
Also, you should perform the die check on mysql_query rather than mysql_num_rows.
Try using the quotes in the query:
$lc = "SELECT * FROM user WHERE username = '$login_username' AND password = '$login_password'";
It appears that username in your query is not the correct column name. Can you check?
Do you have the column 'username' in your 'user' table? Try DESC user so you're sure of what your field names are in the table and you can amend your query accordingly.
You'll also want to encapsulate your strings (presumably username and password are strings) in quotes.
You've already alluded to knowing your code is insecure so I'll leave any injection commentary out :)
First - do you have a column named "username" in the user table in your database?
Second - put $login_username and $login_password in single quotes as they are strings, right?
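The quoting advice and the injection warning in the answers above, compared on the same lookup. This is an added example, not code from any of the posts; it assumes an in-memory SQLite database (pdo_sqlite) as a stand-in for MySQL, and the rows, the input values and the `try_query()` helper are constructed.

```php
<?php
// Added example. Assumptions: in-memory SQLite (pdo_sqlite) stands in for MySQL;
// the table rows, input values and try_query() helper are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, password TEXT)');
$db->exec("INSERT INTO user VALUES ('alice', 'placeholder-a'), ('o''brien', 'placeholder-b')");

function try_query(PDO $db, string $sql): string
{
    try {
        return count($db->query($sql)->fetchAll()) . ' row(s)';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

foreach (['alice', "o'brien"] as $login_username) {
    // 1. No quotes: the value is parsed as a column name.
    $bare = try_query($db, "SELECT * FROM user WHERE username = $login_username");

    // 2. Quotes added by hand: works until the value itself contains a quote.
    $quoted = try_query($db, "SELECT * FROM user WHERE username = '$login_username'");

    // 3. Placeholder: the value is sent separately and never becomes SQL text.
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ?');
    $stmt->execute([$login_username]);
    $bound = count($stmt->fetchAll()) . ' row(s)';

    echo "$login_username\n  bare:   $bare\n  quoted: $quoted\n  bound:  $bound\n";
}
```

Only the bound form returns the row for both names, which is why binding, not hand-added quotes, is the fix for values.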