PHP MS Access SQL Query with multiple string parameters

I am trying to construct an SQL statement with two string parameters. Essentially I am querying an MS Access table with PHP.
Is my syntax correct below?
$parm1 = "TPMS";
$parm2 = "Clamp In";
$sql = "SELECT * FROM archive where productfamily like ".$parm1 ."and where productderivative like". $parm2;
Now I have tried a one-parameter string called $parm1. The syntax of the string is as below. Please note this is an MS Access table I am querying with PHP.
$parm1 = "'TPMS'";
Now the corresponding MS Access SQL statement is as follows which works:
$sql = "SELECT * FROM archive where productfamily like $parm1 order by fullname asc";
Now the corresponding MS Access SQL statement with two parameters which does not work. Can somebody tell me why the second parameter does not work in the SQL statement? Is it perhaps my syntax?
$sql = "SELECT * FROM archive where productfamily like $parm1 and ";
$sql .= "where productderivative like $parm2 order by fullname asc";

Firstly, you need to enclose your string literals with single quotes: '
$parm1 = "'TPMS'";
$parm2 = "'Clamp In'";
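// A query takes a single WHERE; further conditions are joined with AND (note the spaces around it).
$sql = "SELECT * FROM archive WHERE productfamily LIKE " . $parm1 . " AND productderivative LIKE " . $parm2;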
Secondly, a LIKE statement is useful with a wildcard character
% The percent sign represents zero, one, or multiple characters
? The question mark(for Access) represents a single character
So that if you are looking for occurrences that may include TPMS anywhere after the , you would have
For example:
$parm1 = "'TPMS%'";
$parm1 = "'%TPMS'";
$parm1 = "'%TPMS%'";
$parm1 = "'?T%'";
$parm1 = "'T?%?%'";
$parm1 = "'T%o'";
Which evaluate to the following SQL:
WHERE productfamily LIKE 'TPMS%' --Finds any values that starts with "TPMS"
WHERE productfamily LIKE '%TPMS' --Finds any values that ends with "TPMS"
WHERE productfamily LIKE '%TPMS%' --Finds any values that have "TPMS" in any position
WHERE productfamily LIKE '?T%' --Finds any values that have "T" in the second position
WHERE productfamily LIKE 'T?%?%' --Finds any values that starts with "T" and are at least 3 characters in length
WHERE productfamily LIKE 'T%o' --Finds any values that starts with "T" and ends with "o"

I'll adapt the code from the documentation here https://www.sitepoint.com/using-an-access-database-with-php/ to your situation.
$dbName = $_SERVER["DOCUMENT_ROOT"] . "yourpathhere\archive.mdb";
if (!file_exists($dbName)) {
die("Could not find database file.");
}
$pdo = new PDO("odbc:DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=$dbName; Uid=; Pwd=;");
$parm1 = 'TPMS';
$parm2 = 'Clamp In';
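// One WHERE clause; the second condition is joined with AND.
$sql = 'SELECT * FROM archive WHERE productfamily LIKE :family AND productderivative LIKE :derivative';
// prepare() returns the statement object; bind and execute on it, not on $pdo.
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':family', $parm1, PDO::PARAM_STR);
$stmt->bindParam(':derivative', $parm2, PDO::PARAM_STR);
$stmt->execute();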
That should get you there. This is untested. If anything fails, let me know and I'll create some tables and run it.

Related

How to fetch the record when Query string with the single quotes string in Php

I am fetching data from a MySQL database that has a table named wp_evr_event. I am fetching records from wp_evr_event by event_name.
The wp_evr_event table has a field named event_name that holds the name of the event.
The event name is stored as Women\'s Reading Group in the database.
When I use the query
$sql = "SELECT * FROM `wp_evr_event` WHERE `event_name` LIKE '%".$_REQUEST['events_name']."%' ";
echo $sql;
The query becomes:
SELECT * FROM `wp_evr_event` WHERE `event_name` LIKE '%Women \'s Reading Group%'
But this is not fetching any record.
For the WordPress wpdb class you should use 2 functions: esc_like and prepare.
A small example:
global $wpdb;
// First, escape the link for use in a LIKE statement.
$link = $wpdb->esc_like( $_REQUEST['events_name'] );
// Add wildcards
$link = '%' . $link . '%';
// Create a SQL statement with placeholders for the string input.
$sql = "SELECT * FROM `wp_evr_event` WHERE `event_name` LIKE %s";
// Prepare the SQL statement so the string input gets escaped for security.
$sql = $wpdb->prepare( $sql, $link);
If you prepare your query like this you should get the expected result.

oci_bind_by_name() returns error

I'm using PHP to query an Oracle DB and everything works great unless I try to use oci_bind_by_name to replace a variable:
$link = oci_connect("user","password","server/service");
$sql = "SELECT name FROM customers WHERE name LIKE '%:name%'";
$query= oci_parse($link, $sql);
$name = "Bruno";
oci_bind_by_name($query, ":name", $name);
$execute = oci_execute($query);
I also tried to escape the quotes like this, but it returns the same error. I assume it's a problem with the wildcards %:
$sql = "SELECT name FROM customers WHERE name LIKE \"%:name%\" ";
The error is not specific:
( ! ) Warning: oci_bind_by_name(): in D:\gdrive\www\sites\pulseiras\php\engine.php on line 30
I'd like to use bind by name to avoid SQL injection. How can I make it work?
OCI is inserting the bound variable to your query and ending up with something like this:
SELECT name FROM customers WHERE name LIKE '%'Bruno'%'
Obviously a couple of unnecessary quotes have been added. This happens because a bound variable is treated as a single item.
You need to modify the variable before you bind, so:
$sql = "SELECT name FROM customers WHERE name LIKE :name"; // chars removed.
$query= oci_parse($link, $sql);
$name = "%Bruno%"; // chars added.
oci_bind_by_name($query, ":name", $name);
As usual, the PHP manual has many useful examples.
It's amazing how the brain only seems to start working after posting the question on Stack Overflow. It turns out the solution is to isolate the wildcards and concatenate them with the variable:
$sql = "SELECT name FROM customers WHERE name LIKE '%' || :name || '%' ";
$query = oci_parse($link, $sql); // parse the new statement before binding to it
$name = "Bruno";
oci_bind_by_name($query, ":name", $name);
$execute = oci_execute($query);

PDO Prepared Statement Search w/ MySQL [duplicate]

I am trying to search the name field in my database using LIKE. If I craft the SQL 'by hand' like this:
$query = "SELECT * \n"
. "FROM `help_article` \n"
. "WHERE `name` LIKE '%how%'\n"
. "";
$sql = $db->prepare($query);
$sql->setFetchMode(PDO::FETCH_ASSOC);
$sql->execute();
Then it will return relevant results for 'how'.
However, when I turn it into a prepared statement:
$query = "SELECT * \n"
. "FROM `help_article` \n"
. "WHERE `name` LIKE '%:term%'\n"
. "";
$sql->execute(array(":term" => $_GET["search"]));
$sql->setFetchMode(PDO::FETCH_ASSOC);
$sql->execute();
I am always getting zero results.
What am I doing wrong? I am using prepared statements in other places in my code and they work fine.
The bound :placeholders are not to be enclosed in single quotes. That way they won't get interpreted, but treated as raw strings.
When you want to use one as LIKE pattern, then pass the % together with the value:
$query = "SELECT *
FROM `help_article`
WHERE `name` LIKE :term ";
$sql->execute(array(":term" => "%" . $_GET["search"] . "%"));
Oh, and actually you need to clean the input string here first (addcslashes). If the user supplies any extraneous % chars within the parameter, then they become part of the LIKE match pattern. Remember that the whole of the :term parameter is passed as string value, and all %s within that string become placeholders for the LIKE clause.
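The wildcard issue raised in the answer above, as an added example that is not part of the original thread: user-supplied % and _ are escaped before the value is bound, so they match literally instead of acting as wildcards. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL), a constructed help_article table, the hypothetical helpers escapeLike() and searchArticles(), and `!` declared as the ESCAPE character in place of the backslash that addcslashes would add.

```php
<?php
declare(strict_types=1);

// Added example; table contents below are constructed sample data.

/** Escape LIKE metacharacters so the input is matched as literal text. */
function escapeLike(string $term, string $esc = '!'): string
{
    // The escape character itself must be handled first, then the two wildcards.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

/** Return the names of articles that contain $term as a literal substring. */
function searchArticles(PDO $db, string $term): array
{
    // The placeholder is never quoted; the surrounding % wildcards travel
    // inside the bound value, and ESCAPE '!' tells the database how the
    // user's own % and _ were neutralised.
    $stmt = $db->prepare(
        "SELECT name FROM help_article WHERE name LIKE :term ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([':term' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Assumption: SQLite in memory so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE help_article (name TEXT)');

$insert = $db->prepare('INSERT INTO help_article (name) VALUES (:name)');
$rows = ['How to reset a password', "Women's Reading Group", 'Save 50% on renewal', 'file_name rules'];
foreach ($rows as $name) {
    $insert->execute([':name' => $name]);
}

print_r(searchArticles($db, 'how'));     // ordinary search term
print_r(searchArticles($db, "Women's")); // apostrophe in the input, no manual quoting
print_r(searchArticles($db, '%'));       // literal percent sign in the input
print_r(searchArticles($db, '_'));       // literal underscore in the input
```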

" ORDER BY order" at the end of MySQL query is causing problems

I have a php script that pulls content from a database and prints them in a certain fashion. The database has a column-header called "order" which is an INT size 11. I'm trying to order the contents by the value "order" in the database when I'm getting data from it, like this:
<?php
$db_hostname = '<hostname>';
$db_database = '<db>';
$db_username = '<username>';
$db_password = '<password>';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
mysql_select_db($db_database, $db_server);
$query = "SELECT * FROM <table> ORDER BY order"; // why is "ORDER BY order" problematic...
$table = mysql_query($query);
$data_items = '';
$carousel_items = '';
while($row = mysql_fetch_array($table)) {
// ...etc
There are few rows in the database I'm getting information from, and the query "SELECT * FROM <table>" works exactly the way it should. What am I doing wrong?
If it helps, the error I'm getting back (on the website that this script is for):
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /$PATH/php/myfile.php on line 15
Line 15 is while($row = mysql_fetch_array($table)) {
I'm aware that if I wasn't lazy I could sort this out without the MySQL query and, because php is absurdly flexible, do something like $array[$row['order']] = $row['what I want'];, but I'd like a solution that doesn't have to add those (what should be) unnecessary lines. I've also tried adding the semicolon (just to be sure) to the end of my query, but it doesn't change anything at all.
Thanks for any help!
order is a reserved word, surround it with backticks
$query = "SELECT * FROM <table> ORDER BY `order`";
Since order is a keyword you need to enclose it in backticks if you want to use it as an identifier:
SELECT * FROM <table> ORDER BY `order`
Order is a reserved word in mysql. Use backticks to surround the reserved word like this:
"ORDER BY `order`"
Documentation here:
http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html
