I want to search in two tables but there is no results im getting. this is my code.
$query=mysqli_query($db_connection,"SELECT * FROM db_clients JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID where fullname like '%$searchq%'");
You could use a concat for buil the proper filter
$query=mysqli_query($db_connection,
"SELECT *
FROM db_clients
JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID
where fullname like concat('%' , $searchq , '%') ; ");
anyway you should not use php var in SQL you are at risk for sql injection, you should take a look at you sql driver for prepared statements and bindig param
eg:
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("SELECT *
FROM db_clients
JOIN db_deadreg ON db_clients.clientID=db_deadreg.clientID
where fullname like concat('%' , ? , '%')");
$stmt->bind_param("s", $searchq);
$stmt->execute();
Related
Anyone know how to combine PHP prepared statements with LIKE? i.e.
"SELECT * FROM table WHERE name LIKE %?%";
The % signs need to go in the variable that you assign to the parameter, instead of in the query.
I don't know if you're using mysqli or PDO, but with PDO it would be something like:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE ?");
$st->execute(array('%'.$test_string.'%'));
For mysqli user the following.
$test_string = '%' . $test_string . '%';
$st->bind_param('s', $test_string);
$st->execute();
You can use the concatenation operator of your respective sql database:
# oracle
SELECT * FROM table WHERE name LIKE '%' || :param || '%'
# mysql
SELECT * from table WHERE name LIKE CONCAT('%', :param, '%')
I'm not familar with other databases, but they probably have an equivalent function/operator.
You could try something like this:
"SELECT * FROM table WHERE name LIKE CONCAT(CONCAT('%',?),'%')"
in PHP using MYSQLI you need to define a new parameter which will be declared as:
$stmt = mysqli_prepare($con,"SELECT * FROM table WHERE name LIKE ?");
$newParameter='%'.$query.'%';
mysqli_stmt_bind_param($stmt, "s", $newParameter);
mysqli_stmt_execute($stmt);
this works for me..
For me working great, I've looked for answer hours, thx.
$dbPassword = "pass";
$dbUserName = "dbusr";
$dbServer = "localhost";
$dbName = "mydb";
$connection = new mysqli($dbServer, $dbUserName, $dbPassword, $dbName);
if($connection->connect_errno)
{
exit("Database Connection Failed. Reason: ".$connection->connect_error);
}
$tempFirstName = "reuel";
$sql = "SELECT first_name, last_name, pen_name FROM authors WHERE first_name LIKE CONCAT(CONCAT('%',?),'%')";
//echo $sql;
$stateObj = $connection->prepare($sql);
$stateObj->bind_param("s",$tempFirstName);
$stateObj->execute();
$stateObj->bind_result($first,$last,$pen);
$stateObj->store_result();
if($stateObj->num_rows > 0) {
while($stateObj->fetch()){
echo "$first, $last \"$pen\"";
echo '<br>';
}
}
$stateObj->close();
$connection->close();
I will just adapt Chad Birch's answer for people like me who are used to utilize bindValue(...) for PDO:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE :name");
$st->bindValue(':name','%'.$name.'%',PDO::PARAM_STR);
$st->execute();
In SQL, you can do it like this using prepared statements.
SELECT * FROM TABLE_NAME WHERE (TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%')) OR (ANOTHER_TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%'))
The sprintf can do it. Remember to put another % in front of the original % to escape it.
$ret = sprintf("SELECT * FROM table WHERE name LIKE %%%s%%", $name);
I need to do a PHP PDO call to my db with an INNER JOIN and WHERE clause.
In navicat GUI this statement is running fine and i can see the results. The problem come out lather in php environment about string concatenation.
I would like to format this request so that it can be digested by php:
SELECT * FROM tsourcetb as T INNER JOIN users as U ON U.username = T.username WHERE U.username = $username AND T.username = $username;
what I tried to do
$sth = $db->prepare("SELECT * FROM tsourcetb as T INNER JOIN users as U ON U.username = T.username WHERE U.username = $username AND T.username = $username");
the return is an error indicating that there is no table with the variable name. Basically it takes the variable as the name of the table the return is an error indicating that there is no table with the variable name. Basically it takes the variable as the table name and not the table name as it should like (SELECT * FROM $username) jumping out the first part of statement).
The intent is to have all the records of table A where the username field is = to the username field of table B with value passed from a variable.
Thank for any suggestion to achieve my goal.
UPDATE
php is magic need to try and retray. At the end tish one help me to goal:
$username = ($_POST['username']);
$password = ($_POST['password']);
$statement = $db->prepare('SELECT p.* FROM `tsourcetb` as p LEFT JOIN `users`as s ON p.username = s.username WHERE s.username = :username;');
$statement->bindParam(':username', $username, PDO::PARAM_STR);
$statement->execute();
/* look here -> $statement->fetchall(PDO::FETCH_ASSOC) */
$array_select = $statement->fetchall(PDO::FETCH_ASSOC);
echo json_encode($array_select, JSON_PRETTY_PRINT);
<?php
$sth = $db->prepare("SELECT * FROM `tsourcetb` as T INNER JOIN users as U ON U.username = T.username WHERE U.username = ? AND T.username = ? ");
$sth->execute([$username,$username]);
$results = $sth->fetchall();
?>
wrapper your table name with backticks and also use placeholders
Try this:
$stmt = $db->prepare("SELECT * FROM tsourcetb as T INNER JOIN users as U ON U.username = T.username WHERE U.username = :username AND T.username = :username");
$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->execute();
You need to bind a value with prepared statement:
Source: Docs
You have to bind parameters when you are making an dynamic query with PDO.
Change this in your query.
$username -> :username
And before you make the call
$yourQueryObj->bindValue(':username', $username, PDO::PARAM_STR);
That's why prepared statments are safer than regular variables as you assign it's type before it's sent for query.
You can read about it here
http://php.net/manual/en/pdostatement.bindvalue.php
You should be able also execute with array of parameters after preparing like that :
$sth = execute(array(':username'=> $username));
I have table: id, name(text, utf8_general_ci).
Simple data into table: 1, LOlKek_228666
Trying PHP:
$link = mysqli_connect($host, $user, $password, $database);
mysqli_set_charset('utf8',$link);
$q = mysqli_query($link, "SELECT * FROM `commands` WHERE LOWER(`name`) = LOWER('$nick') ORDER BY id DESC");
or simple:
$q = mysqli_query($link, "SELECT * FROM `commands` WHERE `name` = '$nick' ORDER BY id DESC");
It can't find any if use LolKek_228666 (to find LOlKek_228666) in query($nick).
But phpmyadmin find it. How to fix that?
As you are using a case-insensitive collation, you might just go with using the "LIKE" operator and drop the LOWER() functions.
WHERE LOWER(name) will just lowercase the fieldname, not the data value.
I'm shifting my database connections from mysqli to PDO.
While updating,I'm stuck on one query:
In mysql its:
$quec='designation=10 OR designation=11 OR designation=12';
$query="select firstname,mobile,email from mt where location=".$value." and cp!=".$cpa" and (".$quec.") and dept=".$usersubdept." and mstatus=1";
Its working fine in mysqli.
In PDO i wrote:
$query="select firstname,mobile,email from mt where location=:value AND cp!=:cpa AND (:quec) AND dept=:usersubdept AND mstatus=:mstatus";
Binding the values with variables using bind syntax, I'm not getting any result row.
How to rectify the problem?
I don't think you can use :quec as a parameter, since it is actually 3 things and not a value that can be bound. Otherwise, you may have something wrong with how you're binding, perhaps, but we haven't seen your code for that. Try this:
$query="SELECT firstname, mobile, email FROM mt WHERE location = :value AND
cp != :cpa AND (" . $quec . ") AND dept = :dept AND mstatus = 1";
$stmt = $db->prepare($query);
$stmt->bindValue(':value',$value);
$stmt->bindValue(':cpa',$cpa);
$stmt->bindValue(':dept',$usersubdept);
$stmt->execute();
You need to prepare a string like this: ':id0, :id1, :id2, you can do this like this:
$designationlist = ':id'.implode(',:id', array_keys($designationIds));
then your SQL will be:
$query="select firstname,mobile,email from mt where location=:value AND cp!=:cpa AND designation IN(".$designationlist.") AND dept=:usersubdept AND mstatus=:mstatus";
and:
$parms = array_combine(explode(",", $designationlist), $designationIds);
$stmt = $PDO->prepare($query);
$res = $stmt->execute($parms);
Anyone know how to combine PHP prepared statements with LIKE? i.e.
"SELECT * FROM table WHERE name LIKE %?%";
The % signs need to go in the variable that you assign to the parameter, instead of in the query.
I don't know if you're using mysqli or PDO, but with PDO it would be something like:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE ?");
$st->execute(array('%'.$test_string.'%'));
For mysqli user the following.
$test_string = '%' . $test_string . '%';
$st->bind_param('s', $test_string);
$st->execute();
You can use the concatenation operator of your respective sql database:
# oracle
SELECT * FROM table WHERE name LIKE '%' || :param || '%'
# mysql
SELECT * from table WHERE name LIKE CONCAT('%', :param, '%')
I'm not familar with other databases, but they probably have an equivalent function/operator.
You could try something like this:
"SELECT * FROM table WHERE name LIKE CONCAT(CONCAT('%',?),'%')"
in PHP using MYSQLI you need to define a new parameter which will be declared as:
$stmt = mysqli_prepare($con,"SELECT * FROM table WHERE name LIKE ?");
$newParameter='%'.$query.'%';
mysqli_stmt_bind_param($stmt, "s", $newParameter);
mysqli_stmt_execute($stmt);
this works for me..
For me working great, I've looked for answer hours, thx.
$dbPassword = "pass";
$dbUserName = "dbusr";
$dbServer = "localhost";
$dbName = "mydb";
$connection = new mysqli($dbServer, $dbUserName, $dbPassword, $dbName);
if($connection->connect_errno)
{
exit("Database Connection Failed. Reason: ".$connection->connect_error);
}
$tempFirstName = "reuel";
$sql = "SELECT first_name, last_name, pen_name FROM authors WHERE first_name LIKE CONCAT(CONCAT('%',?),'%')";
//echo $sql;
$stateObj = $connection->prepare($sql);
$stateObj->bind_param("s",$tempFirstName);
$stateObj->execute();
$stateObj->bind_result($first,$last,$pen);
$stateObj->store_result();
if($stateObj->num_rows > 0) {
while($stateObj->fetch()){
echo "$first, $last \"$pen\"";
echo '<br>';
}
}
$stateObj->close();
$connection->close();
I will just adapt Chad Birch's answer for people like me who are used to utilize bindValue(...) for PDO:
$st = $db->prepare("SELECT * FROM table WHERE name LIKE :name");
$st->bindValue(':name','%'.$name.'%',PDO::PARAM_STR);
$st->execute();
In SQL, you can do it like this using prepared statements.
SELECT * FROM TABLE_NAME WHERE (TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%')) OR (ANOTHER_TABLE_COLUMN LIKE CONCAT('%', :SEARCH_TEXT, '%'))
The sprintf can do it. Remember to put another % in front of the original % to escape it.
$ret = sprintf("SELECT * FROM table WHERE name LIKE %%%s%%", $name);