This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I have this SQL query
$sql_ = "SELECT score FROM users WHERE username=$row['uid']";
Every user in the table users has a score value and a username. $row['uid'] is a variable from a previous SQL statement. This query is giving me an error; how would I fix this, and also how would I get that score value into a single variable?
You need to use some SQL Injection prevention mechanism. Never use raw variables in a query like that. Have a look at PDO.
You need to bind your variables and then execute the query.
But for what you need, and ONLY for testing purposes, check the following, quoting your variable:
$sql_ = "SELECT score FROM users WHERE username = '" . $row['uid'] . "'";
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I need to use a select query but my code keeps crashing because some of the names have apostrophes in them. I pull all data into a table and halfway through it just stops because it hits an apostrophe.
My select query:
$query = mysqli_query($dbh, "SELECT * FROM show_invoice WHERE id_show='$get_id' AND status='UNPAID' AND scratch='Unscratched' AND show_deleted != 'Deleted' ORDER BY `class_no` ASC");
There are 3 columns that will possibly contain apostrophes. Any advice on how I can stop it from crashing?
You can use mysqli_real_escape_string.
So just do
$get_id = mysqli_real_escape_string($dbh,$get_id);
before running your query.
Note: You should really use prepared statements instead of your own queries because of the risk of SQL injection attacks.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I was wondering if, after all these hours of trying, you could help me.
After hours of trying I still have a problem retrieving data from a MySQL query.
This is my query:
$res =mysql_query("SELECT * FROM user WHERE username =".$_SESSION['user']);
The user in the session is the current username.
I have an if statement like this:
if(!$res)
{
die('Invalid query: ' . mysql_error());
}
I run the code to check whether a mysql_error is thrown, but every time I get this error:
Invalid query: Unknown column 'Amando' in 'where clause'
Can someone explain to me what I'm doing wrong and maybe help me fix it?
You need to enclose the $_SESSION['user'] in quotes for MySQL to consider it a string rather than a column name.
$res =mysql_query('SELECT * FROM user WHERE username ="'.$_SESSION['user'].'"');
You need to quote the user variable. Try this:
$res =mysql_query("SELECT * FROM user WHERE username ='".$_SESSION['user']."'");
You should also read up on SQL injection and maybe PDO, since your code is vulnerable to SQL injection as it is now. Or at least it can be, depending on whether you have secured/validated the session variable before you use it in the query.
This question already has answers here:
How to insert a value that contains an apostrophe (single quote)?
(13 answers)
Closed 7 years ago.
In my database, I have a column named storeName with a value called Joe's Kitchen.
When a user enters Joe's Kitchen, I would store it in a variable named storeName and do a select query on it like this: "SELECT * FROM shops WHERE storename='".$storeName."'". The problem now is that the value contains an apostrophe; how should I go about this?
I have tried the method below but it is not working.
$storeName = mysqli_real_escape_string($db->getConnection(),$_POST["storeName"]);
Escape the apostrophe in the query by writing two apostrophes.
Example:
SELECT * FROM shops WHERE storename='Joe''s Kitchen' -- added two apostrophes
This is not a recommended method since it has serious security issues; try to use PDO or parameterized queries.
In your SQL query, you can replace the single quote ' by `. Then the name can contain single quotes...
You can do it this way also:
SELECT * FROM shops WHERE
storename="Joe\'s Kitchen"
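The way the first question (getting one score into a variable) and this one (a value containing an apostrophe) both go away with a prepared statement, as an added example that is none of the answers' own code. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; with MySQL only the DSN changes, and the users table and its rows are constructed here.

```php
<?php
// Added example (not from the answers above). PDO sends the bound value
// separately from the SQL text, so quoting and apostrophes are handled by the
// driver and never become part of the statement. Assumption: pdo_sqlite is
// available; for MySQL swap the DSN for 'mysql:host=...;dbname=...'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; note the apostrophe in the second username.
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, score INTEGER NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (username, score) VALUES (:username, :score)');
foreach ([['Amando', 42], ["Joe's Kitchen", 7]] as [$username, $score]) {
    $insert->execute([':username' => $username, ':score' => $score]);
}

/**
 * Return one user's score as a single value, or null when there is no such user.
 * The placeholder :username is never quoted in the SQL string; PDO binds it.
 */
function scoreFor(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT score FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $score = $stmt->fetchColumn();   // first column of the first row, or false if no row
    return $score === false ? null : (int) $score;
}

var_dump(scoreFor($pdo, 'Amando'));          // the single value the first question asked for
var_dump(scoreFor($pdo, "Joe's Kitchen"));   // the apostrophe needs no escaping at all
var_dump(scoreFor($pdo, "'; DROP DATABASE blah;"));  // compared literally as a username:
                                                      // no row, and the database is untouched
```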
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
OK, so I have this kind of query:
SELECT * FROM table WHERE column LIKE 'Blahblahblah Blah - Blah (Blah-Blah)'
(Yep, column values are 20-30 characters long)
And it works in phpMyAdmin and returns ~100 results.
But when I try it in the PHP framework CI (CodeIgniter),
it is not returning any values.
My code looks like:
$sql = "SELECT * FROM table WHERE column LIKE '$val' ORDER BY column ASC";
$sql = $this->db->query($sql);
return $sql->result();
So how do I get this to work?
Before you try to make it work, you really, really need to change the way you're constructing the query. You should use a prepared statement where you introduce variables, and then bind them to values.
The way you've written it is horribly vulnerable to SQL injection attacks. (Suppose $val contained '; DROP DATABASE blah; .... What would the whole SQL statement now look like?) If you try to solve the problem in its current form, you'll end up with something that works but will be very dangerous. Make it safe first with a prepared statement.
Details in this linked question.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Are dynamic mysql queries with sql escaping just as secure as prepared statements?
Is using only mysqli_real_escape_string enough to secure a query? Or is there more to consider when trying to securely query a database?
If used everywhere correctly, real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($page);
Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements; they are not as easy to misuse.
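The unquoted-integer trap described in this answer, reproduced as an added example that is not the answer's own code. It assumes PDO with an in-memory SQLite database; escapeLikeMysql() is a stand-in that escapes the same characters mysqli_real_escape_string() does, used only because the real function needs a live MySQL connection.

```php
<?php
// Added example (not from the answer above). Shows why escaping does nothing
// for a value that lands outside quotes, and what casting plus binding changes.
// Assumptions: pdo_sqlite is available; escapeLikeMysql() mimics the character
// set mysqli_real_escape_string() rewrites and is NOT the real function.
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `user` (`id` INTEGER PRIMARY KEY, `name` TEXT)');
$insert = $pdo->prepare('INSERT INTO `user` (`id`, `name`) VALUES (?, ?)');
foreach (['alice', 'bob', 'carol', 'dave'] as $i => $name) {   // constructed rows, ids 1..4
    $insert->execute([$i + 1, $name]);
}

// Constructed input standing in for $_GET['page']; it contains no character
// that escaping would touch, so the escaped string is identical to the input.
$page = '1 OR id IN (2,3,4)';

// 1. The answer's pattern: the WHERE clause becomes `id` = 1 OR id IN (2,3,4)
//    and matches every listed id instead of one user.
$sql  = 'SELECT `name` FROM `user` WHERE `id` = ' . escapeLikeMysql($page);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped + concatenated: %d rows (%s)\n", count($rows), implode(', ', $rows));

// 2. Cast to the type the column expects, then bind it as an integer parameter:
//    whatever the string held, the query can only ever compare `id` to one number.
$stmt = $pdo->prepare('SELECT `name` FROM `user` WHERE `id` = :id');
$stmt->bindValue(':id', (int) $page, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("cast + bound:           %d row(s) (%s)\n", count($rows), implode(', ', $rows));
```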