Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I am writing code to delete a row based on ID from a SQL Server database. I want to make sure my code is safe from accidentally deleting everything or deleting something other than what it should. My code at the moment is as follows...
$st = $conn->prepare("if (select count(*) from sometable where id = :id) = 1
delete from sometable where id = :id");
$st->bindParam(':id',$id);
$st->execute();
Is this a safe way to delete a single row without accidentally deleting everything? Is there a better, known best-practices way to do it?
Edit: I am getting an error COUNT field incorrect or syntax error when testing this code.
I have changed my code accordingly to resolve this (I was hoping I could refer to the same field more than once and bind it once but apparently not)
$st = $conn->prepare("if (select count(*) from sometable where id = ?) = 1
delete from sometable where id = ?");
$st->execute(array($id,$id));
(Might as well use my question to troubleshoot since stackoverflow won't let me delete it)
Is this a safe way to delete a single row without accidentally deleting everything?
Yes, as long as your ID's are unique for each row.
Is there a better, known best-practices way to do it?
No.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am able to navigation between a php page using ID but not using project name. Can you only use an number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts string to a query, resulting in invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including query string) in your query like you did. You should use prepared statement instead to safely escape that string for your query.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
Let's say that I have a database with this data stored:
Email-Link-Link2
1E#231-Example1-Example2
1E#231-Example3-Example4
How can I select all of this value with a PDO query excluding those seen before, so in this case 1E#231,will select only one time.
If understand what you said, this is your answer:
Connexion to data base with PDO
<?php
//CONNEXION TO DATA BASE WITH PDO...
$pdo_options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;
$base = new PDO('mysql:host=localhost;dbname=your_data_base', 'the_user', 'Your_password', $pdo_options);
//end of connexion to data_base
;?>
NOW getting data from data base with not duplication(you can use sql function DISTINCT
<?php
$sc=$base->query("SELECT DISTINCT Email FROM table_where_data_stored");
while($data_distinct =$sc->fetch()){
//your data will be displayed here
;}
;?>
May this help you!!
To evade double selection commonly one use the DISTINCT statement, like this:
SELECT DISTINCT *
FROM myTable
But the best way to evade double-selection is to evade redundant entries to the database. As far as I understand the two entries in your database the second one is an update, and you don't want to overwrite the previous entry. This is a well known problem, and commonly solved like this:
There is a certain date from when on the new eMail should be used, so add a field "valid_from" and add this WHERE statement to your query:
WHERE valid_from > GETDATE()
GETDATE() returns a datetime, therefore it's enough to select "greater than".
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have a little problem, am trying to read values from mysql table. I have done research and could not find a definite or conclusive answer on this. I will describe the problem:
select data from mysql table using a where e.g where gender=female.
count the results and return the count - just to help know how many records were found
compare a value in table, e.g 'taken' and 'available',
if 'taken' = 'available' in the first record, go to next record(and compare again), if not perform a specific operation in this case can be update or insert or anything of that sort.
the first three are ok and the only problem is, part 4. Kindly help. This is a php problem. Looking forward for your help.
As was said, if you're merely going to skip the record then you may as well not retrieve them in the first place (and thus incur the overhead for having to extract them into PHP memory, etc):
SELECT * FROM `your_table` WHERE `gender` = 'female' AND `taken` = `available`;
However, if you have a specific reason to do this, you can merely do the following:
foreach ($hotels as $hotel) {
// skip if the item is not available, logic can be changed if necessary
if ($hotel->taken >= $hotel->available) continue;
// do the other work here...
}
I interpreted your conditions a little here, assuming you wanted to skip people who aren't 'available'. Though it does look like you wanted the opposite, in which case you can switch the logic in the sql from != to = and in php from != to ==.
Updated: To reflect additional comments made.
Create connection to your database using mysqli or by using PDO.
$db = new PDO($mysqlhost,$username,$password);
$statement = $db->prepare($sqlstatement);
$rows = $statement->execute();
foreach($rows->fetch() as $row)
{
if($row['column_name']==something)
{
//do work
}
else
{
//do work
}
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Ok so i store the column i want to update in side a variable so i need to put the variable in side the main query i try and do it like so
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
I have searched for an answer and have found a thread here on the site doing the same:
Using a passed variable in a query using PDO (Oct 2011; by Don S)
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
You can't bind the names of columns; so that isn't going to work. There's no way to use a bound variable for a column or table name, so the only way to do this is to actually interpolate the variables into the string:
$sqlltyryrt = "UPDATE user_items SET $fggdgdf = $fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array($_SESSION['username']));
But you need to be very sure that you've sanitized the variables, else you're open to SQL injection. You can use whitelisting for this, as you should be able to generate an array of possible column names and can check that the variables are present in that array.
But the fact that you're trying to bind the names of comments implies that your database design could do with looking at.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!
If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php