oci_bind_by_name not working when unescaped works - php

Working on an UPDATE query for an Oracle database. The field in question is of the type NCHAR(25), which accepts a 25 character UTF-8 byte string. My input values are in ASCII which should work no problem.
The following snippet uses the oci_bind_by_name function to escape the variable in the WHERE clause and insert into the placeholder variable :herp.
$sql = "UPDATE MYTABLE SET OPT = '1' WHERE FIELD = :herp";
$stmt = oci_parse($this->conn, $sql);
oci_bind_by_name($stmt, ":herp", $record['value'], -1, SQLT_CHR);
This next snippet does not use the oci_bind_by_name function and instead inserts the variable into the SQL statement unescaped (YOLO).
$sql = "UPDATE MYTABLE SET OPT = '1' WHERE FIELD = '".$record['value']."'";
$stmt = oci_parse($this->conn, $sql);
My problem
The first snippet does not work, while the second one works fine, i.e. the UPDATE statement succeeds every time on the second method while it fails every time on the first.
Both versions of the UPDATE should work. However when I use the oci_bind_by_name function for a few fields, somehow the variable is getting changed. (I am doing more rigorous error checking in the actual code).
My question
What is going on here? How can I still use the oci_bind_by_name instead of just concatenating the variable directly into the SQL statement?

Per the developers:
Neither PHP OCI8 nor PDO_OCI supports NVARCHAR, NCHAR or NCLOB types.
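Added example, not code from the question or the answer above: one way to keep the value as a bind variable instead of splicing it into the SQL text. It assumes the question's names ($conn, MYTABLE, OPT, FIELD, :herp) and that the mismatch comes from comparison semantics: FIELD is NCHAR(25), so stored values are blank-padded, a SQLT_CHR bind arrives as VARCHAR2 and Oracle compares VARCHAR2 to CHAR/NCHAR without padding, while a text literal pasted into the statement is compared blank-padded. Casting the bind on the server side makes both sides fixed-width. The connection credentials are placeholders.

```php
<?php
// Added example; $conn, MYTABLE, OPT, FIELD and :herp are the question's names.
// The CAST makes the server compare two NCHAR(25) values (blank-padded), so
// 'ABC' matches the stored 'ABC' followed by 22 spaces. The value itself is
// still a parameter, never part of the SQL text.
function updateOptByField($conn, string $value): int
{
    $sql = "UPDATE MYTABLE SET OPT = '1' WHERE FIELD = CAST(:herp AS NCHAR(25))";

    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }

    // -1 sizes the buffer from the PHP string; SQLT_CHR is the default bind type.
    if (!oci_bind_by_name($stmt, ':herp', $value, -1, SQLT_CHR)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('bind failed: ' . $e['message']);
    }

    // Default mode is OCI_COMMIT_ON_SUCCESS; pass OCI_NO_AUTO_COMMIT and call
    // oci_commit() yourself when this UPDATE is part of a larger transaction.
    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }

    // oci_execute() returns true even when the WHERE clause matched nothing,
    // which is exactly the silent failure the question describes. Report the
    // row count so the caller can tell "updated" from "matched 0 rows".
    $rows = oci_num_rows($stmt);
    oci_free_statement($stmt);
    return $rows;
}

$conn = oci_connect('scott', 'tiger', 'localhost/XE');   // placeholder credentials and DSN
if ($conn === false) {
    $e = oci_error();
    exit('connect failed: ' . $e['message'] . "\n");
}
// Constructed input standing in for $record['value'].
printf("%d row(s) updated\n", updateOptByField($conn, 'ABC'));
```

If the declared width of the column is not known at the call site, `WHERE TRIM(FIELD) = :herp` achieves the same match at the cost of an index on FIELD. Either way the check that matters is the one on oci_num_rows(): a bound UPDATE that matches nothing returns success just like one that updated a row.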

Related

What am I doing wrong in this UPDATE? MYSQLI

Following this syntax:
Here is the generic SQL syntax of the UPDATE command to modify data in a MySQL table:
UPDATE table_name SET field1 = new-value1, field2 = new-value2 [WHERE Clause]
from https://www.tutorialspoint.com/mysqli/mysqli_update_query.htm
I made this:
$query = mysqli_query($MYSQL_CONNECT, "UPDATE forum_topics SET player_userid = ".$player_userid.", titulo = ".$titulo.", msg = ".$msg.", data = ".$data." WHERE UserID=".$inTopic."");
mysqli_query($MYSQL_CONNECT,$query);
But on line:
mysqli_query($MYSQL_CONNECT,$query);
Is showing:
mysqli_query(): Empty query in /var/www/html/ucp/php_func/edit_topic.php on line 30
The main problem is that you're trying to execute your query twice. And the second attempt is invalid because, where it expects a string query, you're either passing it a result object or a boolean (if the first query failed).
Just execute your query once:
$query = mysqli_query($MYSQL_CONNECT, "...");
Then the value in $query will be the result.
Additionally, you have the problem that your code is open to SQL injection and you're not checking for errors. If mysqli_query() returns false you'd need to examine what went wrong by using mysqli_error($MYSQL_CONNECT), which returns the error as a string.
For the SQL injection problem, what you should be doing is treating values as values (query parameters) instead of as executable code (by concatenating them directly into the query). This is a great place to learn more about that. Note that SQL injection is not just a security concern but is also a very common source of errors and bugs. Since you're currently having exactly that problem, it's worth correcting.
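Added example, not code from the question or the answers: the same UPDATE executed once, through a prepared statement, with the values bound instead of concatenated. It uses the question's table and column names (forum_topics, player_userid, titulo, msg, data, UserID) and its variable names; the connection details and the sample input are placeholders constructed for the example.

```php
<?php
// Added example; table, column and variable names are the question's.
// Throw on any mysqli error instead of returning false, so a failed query
// can never be mistaken for a result and re-executed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function updateTopic(mysqli $db, int $inTopic, int $player_userid, string $titulo, string $msg, string $data): int
{
    // The SQL text contains only placeholders. Values travel separately, so a
    // quote, a comment marker or a trailing "OR 1=1" inside $titulo can only
    // ever be stored as text; it cannot change the statement.
    $sql = 'UPDATE forum_topics SET player_userid = ?, titulo = ?, msg = ?, data = ? WHERE UserID = ?';
    $stmt = $db->prepare($sql);
    // i = integer, s = string: one type letter per placeholder, in order.
    $stmt->bind_param('isssi', $player_userid, $titulo, $msg, $data, $inTopic);
    $stmt->execute();                 // executed exactly once
    $affected = $stmt->affected_rows; // 0 means the WHERE matched nothing
    $stmt->close();
    return $affected;
}

$MYSQL_CONNECT = new mysqli('localhost', 'user', 'pass', 'ucp');   // placeholders
$MYSQL_CONNECT->set_charset('utf8mb4');

// Constructed input standing in for the $_POST values; note the apostrophe,
// which would have broken (or hijacked) the concatenated version.
$rows = updateTopic($MYSQL_CONNECT, 7, 42, "Let's talk", 'body text', date('Y-m-d H:i:s'));
printf("%d row(s) updated\n", $rows);
```

With MYSQLI_REPORT_STRICT enabled a failure surfaces as a mysqli_sql_exception carrying the server's message, which is the same text mysqli_error() would return in the procedural style the question uses.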
You should wrap your variables in single quotes, try:
$query = mysqli_query($MYSQL_CONNECT, "UPDATE forum_topics SET player_userid = '".$player_userid."', titulo = '".$titulo."', msg = '".$msg."', data = '".$data."' WHERE UserID='".$inTopic."'");

PDO queries with integer type

From PHP, I am querying a MySQL database using PDO. The query is
$id = 5;
$stmt = $con->prepare("select name from employee where id= ? ");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->execute();
This is working as expected and the name of the employee with id 5 is fetched. However from the logs I could see that the query actually executed is
select name from employee where id= '5'
id is of int type and the binding was done using PDO::PARAM_INT, so the query executed should have been id= 5 and not id= '5'. MySQL possibly had to convert the string to int because of this.
Is this expected behavior with PDO or is there an error in my understanding?
It's possibly a bug in PHP, this ticket or related to this one. A commit to fix this bug has been submitted (Tue, 11 Oct 2016), which says:
The prepared statement emulator (pdo_sql_parser.) figures out how to quote
each query parameter. The intended type is specified by the PDO::PARAM_
consts, but this direction wasn't always followed
What is your version of PHP? An update can probably fix it.
A user-contributed note in http://php.net/manual/en/pdostatement.bindvalue.php specifies the following:
"Emulated prepares work more stably in these cases, because they convert everything to strings and just decide whether to quote the argument or not."
Ref: http://php.net/manual/en/pdostatement.bindvalue.php#119956
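Added example, not code from the question or the answer: the same lookup with PDO's prepared-statement emulation switched off, so MySQL receives a server-side prepared statement and a typed integer rather than SQL text that PDO's emulator has to quote. The DSN and credentials are placeholders; the table and column names (employee, name, id) are the question's.

```php
<?php
// Added example; employee/name/id are the question's names, the DSN is a placeholder.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=hr;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Native prepares: the server parses "id = ?" once and gets the value
        // separately with its declared type. With emulation on, PDO renders the
        // value into the SQL text itself, which is where the '5' in the log came from.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function employeeName(PDO $con, int $id): ?string
{
    $stmt = $con->prepare('select name from employee where id = ?');
    // The int type on $id guarantees a real integer reaches bindValue().
    // PDO::PARAM_INT describes the type to the driver; it does not convert
    // a string such as "5 OR 1=1" for you.
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;   // null when no employee has that id
}

$con = connect();
var_dump(employeeName($con, 5));
```

Turning emulation off also means a statement with a syntax error fails at prepare() rather than at execute(), and that multiple statements in one string are rejected by the server, both of which are useful properties when the SQL text is assembled in more than one place.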

PHP PDO mysql prepared statment and join

I have a question.
I have the following query:
$query = "select * from module,bloc where module.id_bloc = ?";
I tried to bind the value so I did:
$stmt = $this->db->prepare($query);
$stmt->bindValue(1, "bloc.id_bloc");
But, when I test I don't get any result on my browser.
It's weird because when I put it directly inside, like in the following code:
$query = "select * from module,bloc where module.id_bloc = bloc.id_bloc";
I get the right result on my browser.
Could someone explain to me why it doesn't work when I am doing a bindValue?
It will not work because, when bound, a string will be quoted. (Or, for all intents and purposes, work as if it were quoted, however PDO may handle it behind the scenes.) Then, your query is interpreted as:
select * from module,bloc where module.id_bloc = 'bloc.id_bloc'
That is: It will be interpreted as a literal string, rather than a reference to a table column, and will obviously not give you the expected result. There is no need for binding it to begin with.
If, for some reason, you need to run a query with a variable table/column name from an unsafe source, you will have to manually format/sanitize it; see here for an example of how to do it.
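Added example, not code from the question or the answer: what "manually format/sanitize" looks like in practice when an identifier has to come from the request. Table and column names cannot be bound, so the identifier is compared against a fixed allow-list and quoted as an identifier, while every data value still goes through a parameter. The tables module and bloc and the column id_bloc are the question's; the allow-list, the ORDER BY use and the $_GET parameters are assumptions made for the example, and the DSN is a placeholder.

```php
<?php
// Added example; module, bloc and id_bloc are the question's names.
// Assumed columns of bloc that a caller may sort by. Anything else is refused.
const SORTABLE_COLUMNS = ['id_bloc', 'name', 'created_at'];

function quoteIdentifier(string $name): string
{
    // Allow-list first: this is the actual control. Quoting alone would still
    // let an attacker pick any column, including ones they should not see.
    if (!in_array($name, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('column not allowed: ' . $name);
    }
    // MySQL identifier quoting: backticks, with an embedded backtick doubled.
    return '`' . str_replace('`', '``', $name) . '`';
}

function fetchModulesForBloc(PDO $db, int $blocId, string $orderBy): array
{
    $col = quoteIdentifier($orderBy);   // validated identifier, spliced as SQL
    $sql = 'select module.* from module join bloc on module.id_bloc = bloc.id_bloc '
         . 'where bloc.id_bloc = ? order by bloc.' . $col;
    $stmt = $db->prepare($sql);
    $stmt->bindValue(1, $blocId, PDO::PARAM_INT);   // data value, bound as before
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);   // placeholder DSN

// Assumed request parameters; a column outside SORTABLE_COLUMNS throws before any SQL runs.
$rows = fetchModulesForBloc($db, (int) ($_GET['bloc'] ?? 0), $_GET['sort'] ?? 'id_bloc');
printf("%d row(s)\n", count($rows));
```

The join condition in the question needs neither treatment: bloc.id_bloc is a column reference written by the developer, so it simply stays in the SQL text.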

Using reserved word in sql update query in php overwrites the whole table

I am currently working on a PHP project and used the word 'value' as a column name. The problem is that when I run the query, it overwrites all entries in the database, even though I have a delimiter (primary key = *). I have tried everything I can think of to get this to work, and it hasn't yet. Here is the complete line of code:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = ".$_POST['txtValueBalance'].", Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
Note here, that $row['FK_Rev_Exp'] is the delimiter I was talking about. It is being pulled accurately from a previous query. Also, please ignore any sql injection problems, I'm just working on getting the project functional, I can optimize later.
EDIT 1: I have also tried enclosing the "value" in everything I can think of that may get rid of this problem, but no luck.
EDIT 2: I also don't think it is a problem with the statement itself, as I directly entered the statement into the mysql command line and it only affected 1 row, possibly a php problem?
EDIT 3: Full block, including the execution of the SQL. Here, ExecuteSQL runs all necessary mysqli statements to execute the SQL command. It takes in an SQL statement and a true/false for whether there is a result set:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = '".$_POST['txtValueBalance']."', Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
ExecuteSQL($SqlStatement, false);
I can't figure it out, and any help would be appreciated.
I think your problem is not about MySQL reserved keywords, because you correctly surrounded Value with backticks and that makes the database understand this is a field. I'm more concerned about treating non-integers as integers, so I would suggest surrounding your value with quotes '' since it is a decimal:
`Value` = '".$_POST['txtValueBalance']."',

ODBC prepared statements in PHP

I'm trying to use odbc_prepare and odbc_execute in PHP as follows:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name='?'");
$res=odbc_execute($pstmt,array('version'));
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
The first var_dump returns true so the execute succeeds, but there is no row returned. A row does indeed exist with the param_name = 'version'. Why is no row returned?
To make things interesting, I ran another very simple example in php using a prepared insert.
$pstmt=odbc_prepare($odb_con,"insert into tmp1 values(?,'?')");
This line, by itself, inserted a row into the database!! Surely this is just wrong? The data entered was col 1 = blank, col 2 = ?
Any advice on where to start fixing this would be appreciated, thanks.
Edit: This is in PHP 5.2.8
Try removing the single quotes from the query string and adding them to the parameter value itself:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
The single space character at the beginning of the parameter value is very important--if the space is not there, it will treat the variable as a path to a file.
From http://www.php.net/manual/en/function.odbc-execute.php:
If you wish to store a string which
actually begins and ends with single
quotes, you must add a space or other
non-single-quote character to the
beginning or end of the parameter,
which will prevent the parameter from
being taken as a file name.
When I read this paragraph
Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.
If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name. If this is not an option, then you must use another mechanism to store the string, such as executing the query directly with odbc_exec()).
It seems to me that it isn't necessary to add single quotes ' to a string, unless you really want to have the quotes as text in the DB.
Therefore, if I only want to insert the text without the single quotes, I would write something like this ...
see this example from odbc-prepare
http://www.php.net/manual/en/function.odbc-prepare.php
Use this example for IBM DB/2:
$q = "update TABLE set PASS=? where NAME=?";
$res = odbc_prepare ($con, $q);
$a = "secret"; $b="user";
$exc = odbc_execute($res, array($a, $b));
This would result in the following statement
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$name = "version";
$params = array($name);
$res=odbc_execute($pstmt,$params);
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
See that I not only removed the quotes for the value in the params array but also removed the quotes in the SQL statement.
please give feedback if this was right
You should not enclose variables in quotes in a prepared statement:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
should be:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array("version"));
Question marks represent parameter placeholders, the value passed is meant to represent an unescaped, unenclosed value, which will be properly escaped by the SQL interpreter.
EDIT:
Gah, ignore me, misread php.net
odbc_fetch_array accepts as its parameter the result of odbc_execute; you seem to be passing in the prepared statement.
What DBMS are you using? The fact that the lone insert prepare statement seems to be executed against the database rather than being prepared points to either a poor implementation of PHP (unlikely) or the DBMS not supporting prepared SQL. If the latter is the case, it is possible that their way of supporting the command without the functionality is just to execute the statement, leading to the results you get. If the DBMS does support prepared statements and the PHP implementation handles it properly, there is some kind of issue with the insert being executed which also needs some investigation.
Did you try using double quotes? i.e.
$res=odbc_execute($pstmt,array("version"));
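Added example, not code from the question or any of the answers above, covering the two points the thread turns on: the placeholder is written bare (no quotes around the ?) and the value is passed raw, and the odbc_execute() behaviour quoted from the manual is treated as what it is from a security standpoint. A parameter that both starts and ends with a single quote is taken as the name of a file to read and send to the server, so a value such as "'/etc/passwd'" arriving from a request turns a harmless lookup into a local file read. The example refuses such values; the table and column names (configured, param_name) are the question's and the DSN is a placeholder.

```php
<?php
// Added example; configured/param_name are the question's names, the DSN is a placeholder.

// True for values odbc_execute() would interpret as a file name (manual:
// "start and end with single quotes ... taken as the name of a file").
function looksLikeOdbcFileName(string $v): bool
{
    return strlen($v) >= 2 && $v[0] === "'" && substr($v, -1) === "'";
}

// Returns the value exactly as odbc_execute() should get it: no SQL quoting,
// and never in the form that triggers the file read. The manual's workaround
// (prefix a space) changes the value, which is wrong for a lookup key, so a
// value in that form is refused instead of silently altered.
function odbcParam(string $v): string
{
    if (looksLikeOdbcFileName($v)) {
        throw new InvalidArgumentException('parameter would be read as a file name by odbc_execute()');
    }
    return $v;
}

function configuredValue($con, string $name): ?array
{
    // Bare placeholder: the driver types and escapes the value. Writing '?'
    // inside quotes, as in the question, makes it the literal string "?".
    $stmt = odbc_prepare($con, 'select * from configured where param_name = ?');
    if ($stmt === false) {
        throw new RuntimeException(odbc_errormsg($con));
    }
    if (!odbc_execute($stmt, [odbcParam($name)])) {
        throw new RuntimeException(odbc_errormsg($con));
    }
    // odbc_fetch_array() takes the statement resource; odbc_execute() only returns a bool.
    $row = odbc_fetch_array($stmt);
    odbc_free_result($stmt);
    return $row === false ? null : $row;   // null when no such param_name
}

$con = odbc_connect('DSN=config', 'user', 'pass');   // placeholder DSN
if ($con === false) {
    exit(odbc_errormsg() . "\n");
}
var_dump(configuredValue($con, 'version'));      // constructed lookup: matches param_name = 'version'
try {
    configuredValue($con, "'/etc/passwd'");        // constructed hostile input
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                  // refused before odbc_execute() runs
}
```

If quote-wrapped strings are legitimate data in your application, the manual's own alternative applies: do not pass them through odbc_execute() at all, but build the statement for odbc_exec() with driver-appropriate quoting. Either way the check on the parameter belongs in front of every odbc_execute() call that can see user input.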
