I have a variable $categoryName which has value ABC/ABC (for example). I nedd to add quotes around this text "ABC/ABC". This is my PHP code:
public function getCategoryID($categoryName)
{
$row = Db::getInstance()->getRow('
SELECT `id_category`
FROM ' . _DB_PREFIX_ . 'category_lang c
WHERE c.`name` = ' . $categoryName);
return isset($row['categoryName']);
}
And the error from mysql.
SELECT `id_category`
FROM ps_category_lang c
WHERE c.`name` = ABC/ABC LIMIT 1
How to solve this problem ? Thanks for help.
Just put the quotes in the string.
$row = Db::getInstance()->getRow('
SELECT `id_category`
FROM ' . _DB_PREFIX_ . 'category_lang c
WHERE c.`name` = "' . $categoryName . '"');
As mentioned in the comments, it would be better if you used prepared statements to protect against SQL injection. If you can't do that, you should make sure to escape $categoryName properly.
See How can I prevent SQL injection in PHP?
Related
I have set up a query as such:
$query = 'SELECT SGC.sys_id, TBL.semester, SGC.bonus, SGC.exam, SGC.ca FROM SubjectGradeComponent AS SGC, ';
$query .= '(SELECT `sys_id`, `semester` FROM AcademicYearTerm AS AYT, SubjectYearTermLevel AS SYTL WHERE academic_year = "' . $academic_year . '" AND SYTL.subject_id = ' . $subject_id . ' AND SYTL.form_level = ' . $form_level. ' AND SYTL.yearTerm_id = AYT.yearTerm_id) AS TBL ';
$query .= 'WHERE SGC.sys_id = TBL.sys_id;';
However when I run the query, $mysql->query($query);it returns an empty result with 0 rows. Running the same query on phpmyadmin shows the desired result. I have looked around but do not understand the problem.
$mysql->error does not show any error message either
EDIT:
generated query is like this:
SELECT SGC.sys_id, TBL.semester, SGC.bonus, SGC.exam, SGC.ca FROM SubjectGradeComponent AS SGC, (SELECT `sys_id`, `semester` FROM AcademicYearTerm AS AYT, SubjectYearTermLevel AS SYTL WHERE academic_year = "2018-2019" AND SYTL.subject_id = 1 AND SYTL.form_level = 1 AND SYTL.yearTerm_id = AYT.yearTerm_id) AS TBL WHERE SGC.sys_id = TBL.sys_id;""
Question is where are the "" from?
Looks like you want a JOIN query instead.
You should also use prepared statement with placeholders ? instead of injecting values directly into the query.
$query = "SELECT SGC.sys_id,
AYT.semester,
SGC.bonus,
SGC.exam,
SGC.ca
FROM SubjectGradeComponent AS SGC
JOIN AcademicYearTerm AS AYT
ON SGC.sys_id = AYT.sys_id
JOIN SubjectYearTermLevel AS SYTL
ON SYTL.yearTerm_id = AYT.yearTerm_id
WHERE academic_year = ?
AND SYTL.subject_id = ?
AND SYTL.form_level = ?";
I have been trying to write the the select statement to fetch from the products table using the combination of the companyid and customerid, I am very sure I'm not doing it the right way, kindly help me to write the right sql to fetch using these parameters.
$customerid=$_SESSION['customersid'];
$companyid=$_SESSION['companyid'];
$test="SELECT producttype,quantity FROM product WHERE username= '" . mysql_real_escape_string($customerid) . "'" . 'AND'.mysql_real_escape_string($companyid) . "'" ;
You must put the fieldname for the companyid in the query
$test="SELECT producttype,quantity FROM product WHERE username= '" . mysql_real_escape_string($customerid) . "'" . 'AND COMPANYID_FIELDNAME ='.mysql_real_escape_string($companyid) . "'" ;
your syntax is incorrect. Try the following:
$customerid = mysql_real_escape_string($_SESSION['customersid']);
$companyid = mysql_real_escape_string($_SESSION['companyid']);
$test = "
SELECT producttype,quantity
FROM product
WHERE username='$customerid'
AND company='$companyid'
";
Btw, you should be using mysqli and not mysql since it is deprecated.
I have an array $friends and I used $friend_new = join(',',$friends ); to get name1,name2,name3.
But when I use this query I got error:
$query = mysqli_query($connect_db, "SELECT * FROM post WHERE name IN ($friend_new )");
Does anyone know where the problem is?
You should use implode("','", $friends) and IN ('$friends_new') as these are string values.
Your code is vulnerable to injection. You should use properly parameterized queries with PDO / mysqli
Your list has to look like:
... IN ('friend1','friend2','friend3')
If you have an array of friends such as:
$friends = array("friend1","friend2","friend3");
You can use implode to prepare for use with an IN:
$friend_new = "'" . implode("','", $friends) . "'";
Finally,
SELECT * FROM post WHERE name IN ($friend_new)
The way you do it the individual strings won't be quoted, and that causes the error. As join allows you to specify a "glue" longer than 1 character you can do as follows:
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('".join("', '", $friends)."') ";
or
$friend_new = join("', '", $friends);
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('$friend_new') ";
that is, have join write the intermediate ', ' , and surround with ''
I am facing issue in inserting single quoted value (say Product Name: xyz80'). So how can I insert such data into mysql & oracle database. With double quote, it's working fine. eg: xyz90"
My script:
$query2 = "SELECT sfoi.name, sfoi.sku, sfoi.qty_ordered
FROM sales_flat_order sfo
JOIN sales_flat_order_item sfoi
ON sfoi.order_id = sfo.entity_id
WHERE sfo.increment_id = 100000473";
$result_query2 = mysql_query($query2);
while($row = mysql_fetch_array($result_query2))
{
$row["name"] = mysql_real_escape_string($row["name"]);
// $row["name"] = html_entity_decode($row["name"]);
$result_str_product .= "('". $row["name"] . "',". "'" . $row["sku"] . "'," . "'" . $row["qty_ordered"]),";
}
I tried using both mysql_real_escape_string() and html_entity_decode(), still getting error.
Here $row[name] is fetching value which is like xyz80', pqr75' etc. As I am inserting these values through PHP, unable to get where exactly error is occurring.
I am facing similar problem with Oracle db also. In Oracle , I tried this: "'". $row["name"] . "''," using '' at the end.
HOW TO insert special characters in Oracle dataabse?
prepare the data by replacing one ' with two '', before composing the query:
while($row = mysql_fetch_array($result_query2)) {
$n = mysql_real_escape_string($row["name"]);
$s = mysql_real_escape_string($row["sku"]);
$q = mysql_real_escape_string($row["sku"]);
// $n = html_entity_decode($row["qty_ordered"]);
$result_str_product .= "('$n','$s','$q'),";
}
// remember_to_remove_final_stray_comma($result_str_product);
print( $result_str_product ); // just to see what's been made
For Oracle, you could replace the single quotes with two single quotes when you query:
$query2 = "SELECT REPLACE(sfoi.name,'''','''''') name, sfoi.sku, sfoi.qty_ordered
FROM sales_flat_order sfo JOIN sales_flat_order_item sfoi
ON sfoi.order_id = sfo.entity_id
WHERE sfo.increment_id = 100000473";
Then the rest of your code should work as is.
In Oracle, two consecutive single quotes represent a single quote in a string literal.
Oracle now have the q function used to escape strings
http://docs.oracle.com/cd/B19306_01/appdev.102/b14251/adfns_sqltypes.htm#sthref373
select q'my 'quoted text' ' from dual
this solution is nice cause you don't have to have a bunch of nested quotes
Is it possible to add WHERE id = '$id' to the end of my $query string? My $query string reads as:
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
Thanks
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = "' . $id . '"';
If $id is just a number (most likely) you can do...
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = ' . $id;
Also use mysql_real_escape_string() as ZombieHunter replied in his answer.
Do not append variables directly. Use mysql_real_escape_string() to avoid potential SQL injections!
I strongly encourage you to read this page about SQL injections:
http://www.php.net/manual/en/security.database.sql-injection.php
If $sqlConditions contains more than one condition (as the variable name states), this is a dangerous operation. Anyway, if you really want to use it this way, you need to put it after the WHERE condition.
$query = 'UPDATE students SET column = value WHERE ' . join(' , ', $sqlConditions) . ' AND id = ' . mysql_real_escape_string($id);
If $sqlConditions contains the SET statement this is a dangerous operation too. Use the actual column names together with mysql_real_escape_string():
$query = 'UPDATE students SET column1 = value1, column2 = value2 WHERE id = ' . mysql_real_escape_string($id);