This question already has answers here:
What is the size of column of int(11) in mysql in bytes?
(11 answers)
Closed 5 years ago.
I have a situation where I have to add a phone number to the database.
If I enter number something like: 868150705 It goes OK to database
If I enter something like this: 3706150705 It goes to database with value 2147483647
With this input I take the value out of form
<input type="text" class="demoInputBox" maxlength="20" name="telefonas" value="<?php if(isset($info['tel_nr'])) echo $info['tel_nr']; ?>">
And with this query I put it into database (I have the $username)
$telnr = $_POST['telefonas'];
$db_handle = new mysqli("localhost", "root", "xxx", "Database");
$query = "UPDATE table SET tel_nr = '$telnr' WHERE username = '$username'";
$result = $db_handle->query($query);
My field tel_nr has the below format:
tel_nr int(20)
Can you help me with this strange magic? Btw I know this code is unsafe but the project isn't live at the moment. Just test things.
You're trying to put integer greater than int limit to the database. I'd suggest using VARCHAR for this (phone number isn't integer anyway - consider something like +420 730 500 600). Also, you are not escaping the data you get before trying to put it in the database, so it is vulnerable to SQL injection.
Hope this helps you, comment if you have any questions
I would recommend switching to a BIGINT for the tel_nr since it is 64bit by default and int is 32 bit (2147483647=2^31-1). the 20 in INT(20) specifies the number of characters mysql displays so in your case with zero fill on it would display 2147483647 preceded by 10 zeros
UPDATE:
found where i had read it
https://stackoverflow.com/a/4769436/6054257
Related
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 years ago.
I created TINYINT columns in my MySQL database to interpret boolean variables, which based on whether checkboxes are checked or not in the html store the values (0 for false, everything else for true) in the DB. But it won't update the values when the php file is called. Is there something wrong with my SQL? Are TINYINTs inputted as below? Simply with a 0 and a 1?
<?php
include_once("createConnection.php");
session_start();
$checkbox = $_POST['name'];
$checked = $_POST['checked'];
$currentUser = $_SESSION['validUser'];
if($checked=='yes'){
$request='UPDATE projectDB.Members
SET :name=1 WHERE username=:currentUser';
$preparedStatement = $bdd->prepare($request);
$preparedStatement->bindParam(':name', $checkbox, PDO::PARAM_STR);
$preparedStatement->bindParam(':currentUser', $currentUser, PDO::PARAM_STR);
$preparedStatement->execute();
}
else{
$request='UPDATE projectDB.Members
SET :name=0 WHERE username=:currentUser';
$preparedStatement = $bdd->prepare($request);
$preparedStatement->bindParam(':name', $checkbox, PDO::PARAM_STR);
$preparedStatement->bindParam(':currentUser', $currentUser, PDO::PARAM_STR);
$preparedStatement->execute();
}
?>
Normally you want to parameterize your queries like this when you're taking user input. Your problem is that the user input (or at least potential user input) you're taking in is a column name rather than a value. PHP is converting your query to something like this:
UPDATE projectDB.Members
SET 'name'=1 WHERE username='currentUser'
Which doesn't do what you want it to (it's telling SQL to update a string called 'name' instead of update a column called name).
You still run a risk here if you don't sanitize your data - you basically have two options:
Have a whitelist of acceptable column names in your code; verify that the incoming string matches an entry in that whitelist exactly, if so use it as a column name. The disadvantage here is that you have column names in your data model strewn about your code and HTML. e.g.:
$chkcols['name1'] = true;
$chkcols['name2'] = true;
$chkcols['name3'] = true;
...
if ($chkcols[name] == true) ...;
or
Come up with a different data model, maybe something like EAV, where you don't have to deal with dynamic column names. Disadvantage here is that EAV can be a bit of an antipattern in SQL. This might use a query something like:
UPDATE projectDB.Members SET Enabled = 1 WHERE name=:name AND username =:currentUser; you could, alternatively to an EAV model, have a column that has preferences or a bitmask/list of some sort (but again, this is a SQL antipattern in that you're trying to pack in multiple pieces of information in a single column.
This question already has an answer here:
Input my php in mysql without repeat?
(1 answer)
Closed 9 years ago.
I want to add some random number that created by PHP to my SQL without repeat.
I use this code to create 14 length random:
for ($i=0;$i<10;$i++) {
$n1 = rand(100000,999999);
$n2 = rand(100000,999999);
$pincode = (string)$n1.(string)$n2;
echo $pincode;
echo nl2br("$pincode\n");
Now I want to input created a number in My SQL and ignore the repeated number.
How can I do that ?
The best way is to use timestamp. It shall always be unique and no chance of duplicacy.
Afroz, timestamp is probably unique, but very predicteable ;-)
This might be interesting: How to 'insert if not exists' in MySQL?
I am trying to display the contents of a field in a MS SQL database, the data type of which is 'text'. When I connect to the database with MS Excel on a PC the value looks something like:
Shipped on the: 18/10/12 Toll IPEC Connote Number: XXX XXX XXXX
When I connect to the database with PHP using the Microsoft ODBC driver for Linux, the output of the text field will display random characters, which are slightly different each time I run the exact same script. Here is what it output the last four times:
Xisep)!ØwXment.class.php))
5isep)!ment.class.php))
µ}isep)!Ø}ment.class.php))
t)!!Owner_IDt)Ø©Ø8
Not sure where it's getting the 'ment.class.php' bit from. That looks like the end of the name of one of my classes, but not one that is included in this particular script. Is the driver broken or what? All other data types (int, varchar, datetime etc) seem to display correctly, the problem only seems to happen with this one text field.
Here is the code:
<?php
require('ConnectWise.inc.php');
$config = new CW_Config;
// Connect to database
$dbcnx = odbc_connect("ConnectWise", $config->db_username, $config->db_password);
// Query database
$query = "select * from Billing_Log where Invoice_Number = '24011'";
$result = odbc_exec($dbcnx, $query);
while ($row = odbc_fetch_array($result)) {
echo $row['Top_Comment'] . "\n";
}
odbc_close($dbcnx);
Here is the output of my last few attempts:
\3ȶä!!¶äY!
öÈö§!!ö§Y!
&Èö×!!ö×Y!
Looks like you're getting an overflow. For some reason SQL is passing the length of your text field as 0, which to SQL means "long" but to PHP means "I dont know" and so PHP is showing whatever is in its memory at the location its expecting data (or something like that - any PHP experts care to explain?).
I've seen this with varchar(max) before but not text. (Converting to) Text is normally the way to fix it. So maybe I'm wrong.
Hope this is of some help. Im not a PHP developer, I just have to use it occasionally, and this sounds much like a painful experience I've gone through before :)
I'm still kinda new to PHP and MySQL and I've tried so many times to do this and I just can't figure out how.
I have a query that returns the results I want in PHPMyAdmin as a straight MySQL query but I'm trying to get this to generate on a webpage using a PHP $query and I just can't get the syntax right.
this is the working MySQL query:
SELECT fk_toon_no, fk_actor_no, actor_no, actor FROM cartoon_characters,
characters WHERE fk_toon_no=50 HAVING fk_actor_no=actor_no;
The kicker is that I also want to have a variable $new_toon_id as the = for the WHERE statement, so, something like: (but only displaying the row as I will eventually plug this into a table and know how to do that fine)
WHERE fk_toon_no=$new_toon_id
fk_actor_no is the foreign key of the cartoon_characters table to the primary key actor_no in the characters table.
I'm trying to get it so that I can print out every character associated with a particular cartoon so it would look something like
(toon id) (character id #) (character name)
($fk_toon_no) (actor_no) (actor)
3 5 Eisenhower
3 9 Nixon
3 12 Uncle Sam
Any help would be greatly appreciated. I think I've included all the relevant information but if I forgot anything please ask.
I'm in desperate need of help. Thanks!!
$query=<<<HERE
SELECT fk_toon_no, fk_actor_no, actor_no, actor FROM cartoon_characters,
characters WHERE fk_toon_no='50' HAVING fk_actor_no=actor_no;
HERE;
$send=mysql_qyery($query);
while($row = mysql_fetch_assoc($send))
{
echo $row["fk_toon_no"];
echo "<br />"
echo $row[fk_actor_no];
}
This should do the trick.
This question already has an answer here:
Closed 10 years ago.
Possible Duplicate:
PHP PDO Username Availability Checker
I have a php script that checks the availability of a username (if it's taken already or not). But I want to compare the username typed in by the user and the usernames in the database in lowercase. I already put the input in lowercase, but how do I make the retrieved column in lower case. Here's the php script
<?php
$usr = strtolower($_GET['username']);
$link = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***');
$usr_check = $link->prepare("SELECT * FROM Conference WHERE Username = :usr");
$usr_check->bindParam(':usr', $usr);
$usr_check->execute();
if($usr_check->rowCount()>0)
echo "false";
else
echo "true";
?>
How do i set the username column to lowercase, then compare it to $usr? Thanks
please try
SELECT * FROM Conference WHERE LOWER(Username) = :usr
http://www.sqlinfo.net/mysql/mysql_function_upper_lower.php
ok as you said on the comment below I recommend you to do the following.
convert your result into lowercase http://sqlfiddle.com/#!2/bd50e/1
convert your comparison string to the table into lowercase by using strtolower
now compare the results
You could use
SELECT * FROM Conference WHERE LOWER(Username) = :usr
as the query, but that would cost you the benefit of an index.
However, the comparison should be case insensitive anyways if the column uses a "ci" collation.
If you want to convert string to lower in MySQL use LOWER(str) function.