This headache of a sql massage thrwos no error, but the $zvv variable is not being inserted properly in the query, it is like affecting the result as if it is "" nothing BUT it does have a valid string value, but it is not getting into the query.
See any problem with this sql?
$sqlQuery = " SELECT * FROM tbl_staff WHERE status =' " . $zvv . " ' limit
" . ($lowerLimit) . " , " . ($perPageCount) . " ";
Try this:
"SELECT * FROM tbl_staff WHERE status='$zvv' LIMIT
$lowerLimit , $perPageCount ";
Should do the trick.
You have spaces in your concatenation. Also if you use double quotes, the content of the variable will be printed out.
$sqlQuery = "
SELECT *
FROM
tbl_staff
WHERE
status ='$zvv'
LIMIT
$lowerLimit , $perPageCount ";
You have spaces in your query:
$sql = " SELECT * FROM tbl_staff WHERE status =' " . $zvv . " ' limit " . ($lowerLimit) . " , " . ($perPageCount) . " ";
-----^ -----^
So if $zvv has a value of 'abc' you're using it in the query as status=' abc ' which, because of the spaces, isn't the same. Cleaned up result, this is how I prefer to write it:
$sqlQuery = "SELECT * FROM tbl_staff
WHERE status='". $zvv ."'
LIMIT ". $lowerLimit.",".$perPageCount;
Thanks, got 2 birds with one stone here, some of this oughta work better than my current query, and prepared statements seem like a good permanent way to get past wrestling characters with this trial and error approach and that more safely from SQL injection risk.
That error was holding up the rest of the routine in a deceptive manner where it seemed to work until I looked closer, as this is the first time I messed with AJAX and pagination.
This advice oughta save some real sql-roulette headache time immensely in the future, it is pretty finicky but I understand why now.
Thanks everyone.
Related
I am using these two MySQL statements to get all messages between two users, but I am running into a pretty big problem when it comes to manipulating the data later in the code since it's not in order by ID. Is there any way to combine these statements AND order the results by ID?
$sql = "SELECT * FROM messages WHERE sender='" . $username . "' AND receiver='" . $chatPartner . "'"
$sqlTwo = "SELECT * FROM messages WHERE sender='" . $chatPartner . "' AND receiver='" . $username . "'"
Essentially, I need every occurrence of a message between two people, but sorted by ID. As of right now, I am joining the arrays to get my full list, but it's not in order by ID.
SELECT * FROM messages
WHERE (sender='" . $username . "' AND receiver='" . $chatPartner . "'")
OR (sender='" . $chatPartner . "' AND receiver='" . $username . "'")
ORDER BY id DESC
How about just combine both into 1 query ?
$sql = "SELECT * FROM messages WHERE (sender=" . $username . " OR sender =". $chatPartner .") AND (receiver=" . $chatPartner . " OR receiver=" . $username .") ORDER BY id"
You could also write a shorter version of #dtj's answer using row constructors.
SELECT *
FROM messages
WHERE (sender, receiver) IN (($username, $chatPartner),($chatPartner, $username))
ORDER BY id DESC
In my opinion it looks a bit nicer in code and makes it more readable, but remember that it doesn't improve performance of execution.
I am generating the first part of the query like this:
while ($all_products = $db->fetch_array($all_prods))
{
$filter_string .= 'AND product_id !=';
$filter_string .= $all_products['item_id'];
$filter_string .= ' ';
}
and then the second part like this:
$sql_more_items = $db->query("SELECT * FROM db_products
WHERE owner_id='" . $user_id . "' AND active=1 '" . $filter_string . "'
ORDER BY RAND() LIMIT 10");
However it's giving me a mySQL syntax error and the $filter_string part strangely adds ' twice before and after the string, so it runs like this:
WHERE user_id='12345' AND active=1 'AND product_id !=0001 AND product_id !=0002 ' ORDER BY RAND ...
What am I doing wrong?
$filter_string adds ' because you put it there. :P
Try with just the double quotes around $filter_string:
$sql_more_items = $db->query("SELECT * FROM db_products WHERE owner_id='" . $user_id . "' AND active=1 " . $filter_string . "ORDER BY RAND() LIMIT 10");
$sql_more_items = $db->query("SELECT * FROM db_products
WHERE owner_id='" . $user_id . "' AND active=1 '" . $filter_string . "'
ORDER BY RAND() LIMIT 10");
Check the way you're performing a string concatenation (putting together strings). It seems like there's a copy/paste error as you're using '" instead of just a "
I would use whitespace (and a good code editor) to your advantage by reformatting your code to look like this:
$queryString = "SELECT * FROM db_products WHERE owner_id='$user_id'"
." AND active=1 " //Note these
. $filter_string //are separated
. "ORDER BY RAND() LIMIT 10 "; //into individual lines
$sql_more_items = $db->query($queryString);
This style helps you keep track of whether you're using " or ' for your strings and also helps you debug things more easily than putting it into one giant hard to read string.
That's probably because of the part
`"' AND active=1 '"`
^.... This ' here
I am learning how.. but failing....
When I run this query I get all the products for the product type entered.
$productchk = "SELECT products"
. " from products"
. " WHERE active = '0' and product_type = '" . [v_product_type] . "'";
but I need to add the following:
order by product Limit 1
to the query and I have tried . " I keep getting syntax errors.
I thought that by adding it before the "."; on the end of statement would work but it doesnt..
Any thoughts?
Also.. what would you look up on the internet to learn about creating statements like this?
The last ' closes the value of product_type, so if you insert stuff there, it gets interpreted as part of that value. Append after "'" but before the closing ";".
Effectively:
$productchk = "SELECT products"
. " from products"
. " WHERE active = '0' and product_type = '" . [v_product_type] . "'"
. " order by product Limit 1";
Also, please use stored procedures and prepared statements! It's 1. faster, 2. much safer, 3. less escaping
$productchk = "SELECT products"
. " FROM products"
. " WHERE active = '0' AND product_type = '" . $v_product_type . "'"
. " ORDER BY product LIMIT 1";
I'm trying to search an element into two different column of a MySQL database. The first may match the searchedObject the second may contain it (the column contain text). I'm using PHP
The page return me an error :
Parse error: syntax error, unexpected ')' in C:\wamp\www\v2\header.php on line 9
Here is my request
"SELECT * FROM corporate WHERE (columnA = " . $_GET["searchedObject"]) . " OR (columnTextedB LIKE '%" . $_GET["searchedObject"] . "%' )";
Any idea to save my night :o ?
The error is pretty clear on what you have done wrong...
$_GET["searchedObject"])
Move that )... into
") OR (columnTextedBLIKE '%"
PS. this code is very vulnerable to sql injection attacks
The syntax error is a problem in your PHP:
"SELECT * FROM cim_corporate WHERE (columnA = " . $_GET["searchedObject"]) . " OR (columnTextedBLIKE '%" . $_GET["searchedObject"] . "%' )";
Note that you close a bracket that is never opened in PHP. Try:
"SELECT * FROM cim_corporate WHERE (columnA = " . $_GET["searchedObject"] . ") OR (columnTextedBLIKE '%" . $_GET["searchedObject"] . "%' )";
However please do not use $_GET variables directly in queries. A malicious user can then add all sorts of nasty stuff to your query.
I apologize if this question has come up before, but I've looked and only found people who are only concerned with the actual result returned by
mysql_query($query);
I'm making a php/mysql page with ajax for a project where the user can create a database and perform a search by interacting with a few select boxes. I would also like to be able to print out the actual query generated by the php, just for testing.
if($dArray[0] == 'sb2a'){
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] + "\'";}
print($sql);
It just prints 0 rather than something like
"SELECT * FROM Vehicles WHERE VID = '01'"
Any help would be greatly appreciated.
Near the end of your line of code setting the value for $sql:
. $dArray[2] + "\'";
That + should be a .
if($dArray[0] == 'sb2a')
{
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] . "\'";
}
print($sql);
To concatenation we should always use '.'
Query should be like this.
$sql = "SELECT * FROM Vehicles WHERE {$dArray[1]} = '{$dArray[2]}'";