How can I use this function? I took it from another project - PHP

I am new to the PHP language. I just copied a database connection function from another sample project. The code is below.
public function getRows($conditions = array()){
    $sql = 'SELECT ';
    $sql .= array_key_exists("select",$conditions)?$conditions['select']:'*';
    $sql .= ' FROM '.$this->table;
    if(array_key_exists("where",$conditions)){
        $sql .= ' WHERE ';
        $i = 0;
        foreach($conditions['where'] as $key => $value){
            $pre = ($i > 0)?' AND ':'';
            $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("order_by",$conditions)){
        $sql .= ' ORDER BY '.$conditions['order_by'];
    }
    if(array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['start'].','.$conditions['limit'];
    }elseif(!array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['limit'];
    }
    $query = $this->db->prepare($sql);
    $query->execute();
    if(array_key_exists("return_type",$conditions) && $conditions['return_type'] != 'all'){
        switch($conditions['return_type']){
            case 'count':
                $data = $query->rowCount();
                break;
            case 'single':
                $data = $query->fetch(PDO::FETCH_ASSOC);
                break;
            default:
                $data = '';
        }
    }else{
        if($query->rowCount() > 0){
            $data = $query->fetchAll();
        }
    }
    return !empty($data)?$data:false;
}
Can anyone show me an example of how to use this function? I want to use the WHERE, LIMIT, GROUP_BY and SELECT clauses. When I put in an array like this, I got the error message "Invalid argument supplied for foreach()":
$conditions = array('where' => "user_name = '$username'");
$data = $userMo->getRows($conditions);

You are making a mistake. As it says, "Invalid argument supplied for foreach()" means it is not getting an array. And think: what if there are multiple WHERE conditions? So try this:
$conditions = array('where' => array('user_name' => $username));

Related

How to add Where clause in the following statement?

How do I add a where clause in the following query using the CI? E.g. WHERE name = 'Joe'
<?php
include 'dbclass.php';
$db = new DB();
$users = $db->getRows('users',array('order_by'=>'id DESC'));
if(!empty($users)):
    $count = 0;
    foreach($users as $user):
        $count++;
?>
dbclass.php snippet:
public function getRows($table,$conditions = array()){
    $sql = 'SELECT ';
    $sql .= array_key_exists("select",$conditions)?$conditions['select']:'*';
    $sql .= ' FROM '.$table;
    if(array_key_exists("where",$conditions)){
        $sql .= ' WHERE ';
        $i = 0;
        foreach($conditions['where'] as $key => $value){
            $pre = ($i > 0)?' AND ':'';
            $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("order_by",$conditions)){
        $sql .= ' ORDER BY '.$conditions['order_by'];
    }
    if(array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['start'].','.$conditions['limit'];
    }elseif(!array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['limit'];
    }
    $result = $this->db->query($sql);
I want help in passing the WHERE clause condition.
I am using CodeIgniter 4.
Not sure where the CodeIgniter parts are in this; that looks like code you have written. So just add a where key to the array you are passing, like this:
$users = $db->getRows('users', array('where' => array('name' => 'Joe'),
                                     'order_by' => 'id DESC'));

How to properly display a specific records with datatable using PHP

I am working with DataTables and the code can successfully display all the records. Searching of records is also working.
I am trying to display a specific record when the page loads. You can see that SELECT * FROM users will display all records at once. I need to display a specific record when the page loads, like SELECT * FROM users where id=$userid and email=$email.
In a normal PDO query I can just do
$result = $db->prepare("SELECT * FROM users where email=:email and id=:id");
$result->execute(array(':email' => $email,':id' => $userid));
Here in the datatable it is a little bit complicated.
Where do I add something like
$sql .= 'WHERE id = '.$userid." and email = '".$email."' ";
Here is the full code for datatable backend:
<?php
include('db.php');
if(isset($_POST["get_content"])){
    $get_content = strip_tags($_POST["get_content"]);
    $data = array();
    if($get_content == 'get_data'){
        $userid =102;
        $email = 'test@gmail.com';
        $sql= '';
        $error = '';
        $message='';
        $response= array();
        $sql .= "SELECT * FROM users ";
        if(isset($_POST["search"]["value"])){
            $value= $_POST["search"]["value"];
            $sql.= 'WHERE fullname LIKE "%'.$value.'%" ';
            $sql .= 'OR email LIKE "%'.$value.'%" ';
        }
        $start = $_POST['start'];
        $length = $_POST['length'];
        $draw= $_POST["draw"];
        if(isset($_POST["order"])){
            $order_column = $_POST['order']['0']['column'];
            $order_dir = $_POST['order']['0']['dir'];
            //$sql .= 'WHERE id '.$userid.' ';
            $sql .= 'ORDER BY '.$order_column.' '.$order_dir.' ';
        }
        else{
            $sql.= 'ORDER BY id DESC ';
        }
        if($length != -1){
            $sql .= 'LIMIT ' . $start . ', ' . $length;
        }
        $pstmt = $db->prepare($sql);
        $pstmt->execute();
        $rows_count = $pstmt->rowCount();
        while($row = $pstmt->fetch()){
            $rows = array();
            $rows[] = $row['id'];
            $rows[] = $row['fullname'];
            $rows[] = $row['email'];
            $response[] = $rows;
        }
        $data = array(
            "draw" => $draw,
            "recordsTotal" => $rows_count,
            "data" => $response);
    }
    echo json_encode($data);
}
?>
As per my understanding, you need to put a WHERE condition for id and email in your example code. Change this portion of your code:
$sql .= "SELECT * FROM users ";
// ADD YOUR REQUIREMENT CONDITION
$sql .= 'WHERE id = '.$userid." AND email = '".$email."' ";
if (isset($_POST["search"]["value"])){
    $value = $_POST["search"]["value"];
    // CHANGED WHERE TO AND
    $sql .= 'AND (fullname LIKE "%'.$value.'%" ';
    $sql .= 'OR email LIKE "%'.$value.'%") ';
}
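The same DataTables backend done with prepared statements, as an added example that is not the question's or the answer's code. It applies the fixed id/email filter first, then the search box, ordering and paging, with every user-supplied value bound as a parameter and the order column taken from a whitelist. The `buildUserListing` function, the in-memory SQLite table and the `$request` array are constructed stand-ins for the real MySQL table and `$_POST`; PHP 7+ with pdo_sqlite is assumed.

```php
<?php
// Added example: DataTables server-side handler with bound parameters.
// Hypothetical names; SQLite in memory stands in for the MySQL users table.

function buildUserListing(PDO $db, array $request, int $userid, string $email): array
{
    // Columns DataTables may order by, keyed by the column index it sends.
    $orderable = [0 => 'id', 1 => 'fullname', 2 => 'email'];

    // Fixed filter: the record the page must show, regardless of the search box.
    $baseWhere  = 'WHERE id = :id AND email = :email';
    $baseParams = [':id' => $userid, ':email' => $email];

    // Search box: the % wildcards join the bound value, never the SQL text.
    $where  = $baseWhere;
    $params = $baseParams;
    $search = $request['search']['value'] ?? '';
    if ($search !== '') {
        $where .= ' AND (fullname LIKE :s1 OR email LIKE :s2)';
        $params[':s1'] = '%' . $search . '%';
        $params[':s2'] = '%' . $search . '%';
    }

    // Ordering: an unknown column index falls back to id; direction is forced to ASC/DESC.
    $idx    = (int)($request['order'][0]['column'] ?? 0);
    $column = $orderable[$idx] ?? 'id';
    $dir    = strtolower($request['order'][0]['dir'] ?? 'desc') === 'asc' ? 'ASC' : 'DESC';
    $sql    = "SELECT id, fullname, email FROM users $where ORDER BY $column $dir";

    // Paging: cast to int and bound as integers (a quoted string breaks LIMIT).
    $start  = max(0, (int)($request['start'] ?? 0));
    $length = (int)($request['length'] ?? -1);
    if ($length !== -1) {
        $sql .= ' LIMIT :limit OFFSET :offset';
    }

    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);
    }
    if ($length !== -1) {
        $stmt->bindValue(':limit', $length, PDO::PARAM_INT);
        $stmt->bindValue(':offset', $start, PDO::PARAM_INT);
    }
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_NUM);

    // Totals via COUNT(*): rowCount() is not reliable for SELECT and would only
    // ever see one page. recordsTotal ignores the search, recordsFiltered applies it.
    $total = $db->prepare("SELECT COUNT(*) FROM users $baseWhere");
    $total->execute($baseParams);
    $filtered = $db->prepare("SELECT COUNT(*) FROM users $where");
    $filtered->execute($params);

    return [
        'draw'            => (int)($request['draw'] ?? 0),
        'recordsTotal'    => (int)$total->fetchColumn(),
        'recordsFiltered' => (int)$filtered->fetchColumn(),
        'data'            => $rows,
    ];
}

// Constructed demo data and request (stand-ins for the real table and $_POST).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fullname TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO users (id, fullname, email) VALUES (?, ?, ?)');
$ins->execute([102, "Conor O'Brien", 'test@example.com']);
$ins->execute([103, 'Alice Smith', 'alice@example.com']);

$request = [
    'draw'   => 1,
    'start'  => 0,
    'length' => 10,
    'search' => ['value' => "O'Br"],                  // the quote is plain data here
    'order'  => [['column' => '7', 'dir' => 'asc']],  // 7 is not orderable: falls back to id
];
echo json_encode(buildUserListing($db, $request, 102, 'test@example.com'), JSON_PRETTY_PRINT), "\n";
```

Two placeholders (`:s1`, `:s2`) carry the same search value because some PDO drivers reject a named placeholder used twice in one statement when emulated prepares are off. The two COUNT(*) queries give DataTables the separate recordsTotal and recordsFiltered values it expects; `rowCount()` after the paged SELECT, as in the original backend, only reports the rows on the current page.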

PHP CRUD operations with search, and operator

I am using the function below (I got it from the internet) to fetch data from the DB and it is working fine. If I use where and search together, the condition is not working properly, or I have missed something. Can anyone help me fix this issue?
public function getRows($table,$conditions = array()){
    $sql = 'SELECT ';
    $sql .= array_key_exists("select",$conditions)?$conditions['select']:'*';
    $sql .= ' FROM '.$table;
    if(array_key_exists("where",$conditions)){
        $sql .= ' WHERE ';
        $i = 0;
        foreach($conditions['where'] as $key => $value){
            $pre = ($i > 0)?' AND ':'';
            echo $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("search",$conditions)){
        $sql .= (strpos($sql, 'WHERE') !== false)?'':' WHERE ';
        $i = 0;
        foreach($conditions['search'] as $key => $value){
            $pre = ($i > 0)?' OR ':'';
            $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("order_by",$conditions)){
        $sql .= ' ORDER BY '.$conditions['order_by'];
    }
    if(array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['start'].','.$conditions['limit'];
    }elseif(!array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        echo $sql .= ' LIMIT '.$conditions['limit'];
    }
    $query = $this->conn->prepare($sql);
    $query->execute();
    if(array_key_exists("return_type",$conditions) && $conditions['return_type'] != 'all'){
        switch($conditions['return_type']){
            case 'count':
                $data = $query->rowCount();
                break;
            case 'single':
                $data = $query->fetch(PDO::FETCH_ASSOC);
                break;
            default:
                $data = '';
        }
    }else{
        if($query->rowCount() > 0){
            $data = $query->fetchAll();
        }
    }
    return !empty($data)?$data:false;
}
Function used with where and search conditions:
if(!empty($_POST['customer_number'])) {
    $ajaxData = $auth_user->getRows(
        'tablename',
        array('where' => array('fieldName'=>$doc)),
        array('search'=> array('fieldname1'=>$_POST['customer_number'], 'fieldname2'=>$_POST['customer_number']))
    );
}
Result of the above code is:
SELECT * FROM tablename WHERE cust_consum_type = '1'
Expected result is:
select * from tablename where fieldName='somevalue' and fieldname1='somevalue' OR fieldname2='somevalue'
Help me to fix this issue.
This function is so wrong on so many levels, being critically insecure in the first place.
Instead, use vanilla PDO. Make your function this way
public function getRows($sql,$input = array()){
    $stmt = $this->conn->prepare($sql);
    $stmt->execute($input);
    return $stmt;
}
Then just write your query right away with placeholders, pass the data in parameters and have the result:
$sql = "select * from tablename where fieldName=:fieldName
        and (fieldname1=:fieldName1 OR fieldname2=:fieldName2)";
$input = ['fieldName'=>$doc,
          'fieldname1'=>$_POST['customer_number'],
          'fieldname2'=>$_POST['customer_number']];
$data = $db->getRows($sql, $input)->fetchAll();
It will be safe, clean, always working, safe, flexible, safe from SQL injections and syntax errors.
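For the three questions above that share the same getRows() (the conditions-array version with `where`, `select`, `order_by`, `limit` and the `search` OR-group the last asker wanted), here is an added example of keeping that calling convention without ever putting a caller's value into the SQL text. It is not the function from the questions or any library's code: the `Model` class and its `COLUMNS` whitelist are hypothetical, table and column names are checked against the whitelist, values are bound as parameters, and `search` becomes a parenthesised OR group so it combines correctly with the AND conditions in `where`. The in-memory SQLite table is constructed for the demo; PHP 7.4+ with pdo_sqlite is assumed.

```php
<?php
// Added example: whitelist identifiers, bind values, group 'search' with OR.
// Hypothetical Model class; SQLite in memory stands in for the real table.

class Model
{
    // Hypothetical whitelist: the only tables and columns a caller may name.
    private const COLUMNS = [
        'users' => ['id', 'user_name', 'email', 'cust_consum_type'],
    ];

    private $db;

    public function __construct(PDO $db) { $this->db = $db; }

    // Returns $name unchanged if it is a known column of $table, else throws.
    private function column(string $table, string $name): string
    {
        if (!in_array($name, self::COLUMNS[$table], true)) {
            throw new InvalidArgumentException("Unknown column '$name' for table '$table'");
        }
        return $name;
    }

    public function getRows(string $table, array $conditions = [])
    {
        if (!isset(self::COLUMNS[$table])) {
            throw new InvalidArgumentException("Unknown table '$table'");
        }
        $params = [];

        // select: an array of whitelisted column names, default all columns
        $select = '*';
        if (!empty($conditions['select'])) {
            $cols   = array_map(fn($c) => $this->column($table, $c), (array)$conditions['select']);
            $select = implode(', ', $cols);
        }

        // where: column => value pairs joined with AND, each value a ? parameter
        $clauses = [];
        foreach ($conditions['where'] ?? [] as $col => $value) {
            $clauses[] = $this->column($table, $col) . ' = ?';
            $params[]  = $value;
        }

        // search: column => value pairs joined with OR, kept together in parentheses
        $or = [];
        foreach ($conditions['search'] ?? [] as $col => $value) {
            $or[]     = $this->column($table, $col) . ' = ?';
            $params[] = $value;
        }
        if ($or) {
            $clauses[] = '(' . implode(' OR ', $or) . ')';
        }

        $sql = "SELECT $select FROM $table";
        if ($clauses) {
            $sql .= ' WHERE ' . implode(' AND ', $clauses);
        }

        // order_by: "column" or "column DESC"; the column part is whitelisted too
        if (!empty($conditions['order_by'])) {
            $parts = preg_split('/\s+/', trim($conditions['order_by']));
            $sql  .= ' ORDER BY ' . $this->column($table, $parts[0]);
            $sql  .= (isset($parts[1]) && strtoupper($parts[1]) === 'DESC') ? ' DESC' : ' ASC';
        }

        // limit/start: cast to int so no caller-supplied text reaches the SQL
        if (isset($conditions['limit'])) {
            $sql .= ' LIMIT ' . (int)$conditions['limit'];
            if (isset($conditions['start'])) {
                $sql .= ' OFFSET ' . (int)$conditions['start'];
            }
        }

        $stmt = $this->db->prepare($sql);
        $stmt->execute($params);

        switch ($conditions['return_type'] ?? 'all') {
            case 'count':
                return count($stmt->fetchAll());   // rowCount() is unreliable for SELECT
            case 'single':
                return $stmt->fetch(PDO::FETCH_ASSOC);
            default:
                return $stmt->fetchAll(PDO::FETCH_ASSOC) ?: false;
        }
    }
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, email TEXT, cust_consum_type INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
$ins->execute([1, "o'neil", 'oneil@example.com', 1]);
$ins->execute([2, 'bob', 'bob@example.com', 1]);
$ins->execute([3, 'carol', 'carol@example.com', 2]);
$model = new Model($db);

// The call from the first question; the quote in the name is plain data.
print_r($model->getRows('users', ['where' => ['user_name' => "o'neil"], 'return_type' => 'single']));

// The where AND (search OR search) shape from the last question.
print_r($model->getRows('users', [
    'select'   => ['id', 'user_name'],
    'where'    => ['cust_consum_type' => 1],
    'search'   => ['user_name' => 'bob', 'email' => 'bob'],
    'order_by' => 'id DESC',
    'limit'    => 10,
]));

// A column that is not whitelisted is rejected before any SQL is built.
try {
    $model->getRows('users', ['order_by' => 'created_at']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Note why the original `search` key was silently ignored in the last question: the caller passed it as a third argument, but getRows() only reads its second parameter `$conditions`, so both keys must sit in the same array. Identifiers (table, columns, sort direction) cannot be bound as parameters, which is why they go through a whitelist instead; values always go through `?` placeholders.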

How to avoid sql injection? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I have this code
$where = '';
if (isset($_POST['lvl']) && $vals = $_POST['lvl']) {
    $where = 'WHERE ';
    $first = false;
    if ($vals[0] === '0') {
        $where .= 'team = "neutral"';
        unset($vals[0]);
        $first = true;
    }
    if (count($vals)) {
        if ($first) $where .= ' OR ';
        $where .= 'lvl IN (\'' . implode('\',\'', $vals) . '\')';
    }
}
$sql = "SELECT * FROM $table $where";
$res = $DBH->prepare($sql);
$res->execute();
$num = $res->rowCount();
echo "<h2>".$num."</h2>";
It works, but if someone did something, then this happens. How do I fix this?
UPD: added PDO code
You need to use PDO::quote() for all string values.
Also, you should never select all the records when you only need to count them. Ask the database to do it for you:
$where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        foreach ($vals as $i => $val) {
            $vals[$i] = $DBH->quote($val);
        }
        $where .= "lvl IN (".implode(',', $vals).")";
    }
}
$sql = "SELECT count(*) as cnt FROM $table $where";
$res = $DBH->query($sql);
$row = $res->fetch();
echo "<h2>".$row['cnt']."</h2>";
By the way, with my own class the code would be slightly less complex, because it makes manual escaping unnecessary (it is using mysqli, not PDO though).
$where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        $where .= $db->parse("lvl IN (?a)",$vals);
    }
}
$num = $db->getOne("SELECT count(*) as cnt FROM ?n ?p",$table, $where);
echo "<h2>".$num."</h2>";
Use PHP's mysqli_real_escape_string() in order to escape values. Note that it is mysqli because the mysql functions have been deprecated.
Use PDO with named parameters
http://php.net/manual/en/pdo.prepared-statements.php

SQL Multiple WHERE Clause Problem

I'm attempting to modify this MODx snippet so that it will accept multiple values being returned from the DB instead of the default one.
tvTags, by default, was only meant to be set to one variable. I modified it a bit so that it's exploded into a list of variables. I'd like to query the database for each of these variables and return the tags associated with each. However, I'm having difficulty as I'm fairly new to SQL and PHP.
I plugged in $region and it works, but I'm not really sure how to add in more WHERE clauses for the $countries variable.
Thanks for your help!
if (!function_exists('getTags')) {
    function getTags($cIDs, $tvTags, $days) {
        global $modx, $parent;
        $docTags = array ();
        $baspath= $modx->config["base_path"] . "manager/includes";
        include_once $baspath . "/tmplvars.format.inc.php";
        include_once $baspath . "/tmplvars.commands.inc.php";
        if ($days > 0) {
            $pub_date = time() - $days*24*60*60;
        } else {
            $pub_date = 0;
        }
        list($region, $countries) = explode(",", $tvTags);
        $tb1 = $modx->getFullTableName("site_tmplvar_contentvalues");
        $tb2 = $modx->getFullTableName("site_tmplvars");
        $tb_content = $modx->getFullTableName("site_content");
        $query = "SELECT stv.name,stc.tmplvarid,stc.contentid,stv.type,stv.display,stv.display_params,stc.value";
        $query .= " FROM ".$tb1." stc LEFT JOIN ".$tb2." stv ON stv.id=stc.tmplvarid ";
        $query .= " LEFT JOIN $tb_content tb_content ON stc.contentid=tb_content.id ";
        $query .= " WHERE stv.name='".$region."' AND stc.contentid IN (".implode(",", $cIDs).") ";
        $query .= " AND tb_content.pub_date >= '$pub_date' ";
        $query .= " AND tb_content.published = 1 ";
        $query .= " ORDER BY stc.contentid ASC;";
        $rs = $modx->db->query($query);
        $tot = $modx->db->getRecordCount($rs);
        $resourceArray = array();
        for($i=0;$i<$tot;$i++) {
            $row = @$modx->fetchRow($rs);
            $docTags[$row['contentid']]['tags'] = getTVDisplayFormat($row['name'], $row['value'], $row['display'], $row['display_params'], $row['type'],$row['contentid']);
        }
        if ($tot != count($cIDs)) {
            $query = "SELECT name,type,display,display_params,default_text";
            $query .= " FROM $tb2";
            $query .= " WHERE name='".$region."' LIMIT 1";
            $rs = $modx->db->query($query);
            $row = @$modx->fetchRow($rs);
            $defaultOutput = getTVDisplayFormat($row['name'], $row['default_text'], $row['display'], $row['display_params'], $row['type'],$row['contentid']);
            foreach ($cIDs as $id) {
                if (!isset($docTags[$id]['tags'])) {
                    $docTags[$id]['tags'] = $defaultOutput;
                }
            }
        }
        return $docTags;
    }
}
You don't add in more WHERE clauses, you use ANDs and ORs in the already existing where clause. I would say after the line $query .= " WHERE stv.name = '".$region... you put in
foreach ($countries as $country)
{
    $query .= " OR stv.name = '{$country}'";
}
but I don't know how you want the query to work.
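Both this MODx question (several tag names in one WHERE) and the "How to avoid sql injection?" question above (a list of levels from $_POST going into lvl IN (...)) come down to the same thing: an IN list whose length is only known at runtime. The added example below, which is not code from either question or from MODx, builds one `?` placeholder per value so every element is bound as data, and shows the OR'd "neutral team" count from the first question and a two-list lookup shaped like the MODx query. The functions `placeholders`, `countByLevel` and `getTagValues`, the table layouts and the sample rows are constructed for the demo; PHP 7+ with pdo_sqlite is assumed.

```php
<?php
// Added example: dynamic IN (...) lists built from placeholders, not from
// concatenated values. Hypothetical function names; SQLite in memory.

// Returns "?, ?, ?" with one placeholder per element of $values.
function placeholders(array $values): string
{
    return implode(', ', array_fill(0, count($values), '?'));
}

// Count rows for the "lvl" filter: $lvl is the raw $_POST['lvl'] array, where a
// leading '0' means "neutral team" and the remaining entries are level values.
function countByLevel(PDO $db, string $table, array $lvl): int
{
    $lvl     = array_values($lvl);
    $clauses = [];
    $params  = [];
    if (isset($lvl[0]) && $lvl[0] === '0') {
        $clauses[] = "team = 'neutral'";   // fixed text, no user data
        array_shift($lvl);
    }
    if ($lvl) {
        $clauses[] = 'lvl IN (' . placeholders($lvl) . ')';
        $params    = $lvl;                 // bound in the same order as the ? marks
    }
    $where = $clauses ? 'WHERE ' . implode(' OR ', $clauses) : '';
    // $table must come from the application, never from the request.
    $stmt = $db->prepare("SELECT COUNT(*) FROM $table $where");
    $stmt->execute($params);
    return (int)$stmt->fetchColumn();
}

// Fetch template-variable values for several TV names at once (the MODx shape):
// name IN (...) AND contentid IN (...), both lists parameterised.
function getTagValues(PDO $db, string $tvTags, array $cIDs): array
{
    $names = array_map('trim', explode(',', $tvTags));
    $cIDs  = array_map('intval', $cIDs);
    if (!$cIDs) {
        return [];
    }
    $sql = 'SELECT stv.name, stc.contentid, stc.value'
         . ' FROM site_tmplvar_contentvalues stc'
         . ' JOIN site_tmplvars stv ON stv.id = stc.tmplvarid'
         . ' WHERE stv.name IN (' . placeholders($names) . ')'
         . ' AND stc.contentid IN (' . placeholders($cIDs) . ')'
         . ' ORDER BY stc.contentid';
    $stmt = $db->prepare($sql);
    $stmt->execute(array_merge($names, $cIDs));   // order matches the ? positions
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER, team TEXT, lvl TEXT)');
$db->exec("INSERT INTO players VALUES (1,'red','5'), (2,'neutral','9'), (3,'blue','7')");
$db->exec('CREATE TABLE site_tmplvars (id INTEGER, name TEXT)');
$db->exec("INSERT INTO site_tmplvars VALUES (1,'region'), (2,'countries')");
$db->exec('CREATE TABLE site_tmplvar_contentvalues (tmplvarid INTEGER, contentid INTEGER, value TEXT)');
$db->exec("INSERT INTO site_tmplvar_contentvalues VALUES (1,10,'EMEA'), (2,10,'DE,FR'), (1,11,'APAC')");

// '0' (neutral team) plus levels 5 and 7, as a form would submit them.
echo countByLevel($db, 'players', ['0', '5', '7']), "\n";
// A value containing a quote is just a non-matching string, not broken SQL.
echo countByLevel($db, 'players', ["5'", '7']), "\n";
// Two TV names and two content ids in one query.
print_r(getTagValues($db, 'region,countries', [10, 11]));
```

Compared with the quote()-based answer, nothing here depends on escaping being correct for the connection's character set, and the count comes back from COUNT(*) rather than from fetching every row. The table name in `countByLevel` is the one thing that cannot be a parameter, so it has to be an application constant or whitelisted.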
