This code not work :
UPDATE `test` SET `done`='1' WHERE `name`='x_&_y'
But this is work :
UPDATE `test` SET `done`='1' WHERE `name`='x_y'
Both of code return 1 value but first code not work and table not updated !
PHP code :
$value = 'x_&_y'; // send by $_GET['value']
$value = htmlspecialchars(trim($value),ENT_QUOTES,'UTF-8');
UPDATE `league` SET `leagueUpdateDone`='1' WHERE `leagueCountry`='$value';
The problem is you're running your query wrong. Never, ever use htmlspecialchars on input if you're trying to match things. & is a reserved character in HTML, it will be mangled.
Your final query looks like:
'x_&_y'
Instead use prepared statements with placeholder values, like this:
$stmt = $db->prepare('UPDATE `league` SET `leagueUpdateDone`='1' WHERE `leagueCountry`=?');
Then bind values against that. The procedure varies in implementation based on your use of mysqli or PDO.
Note: htmlspecialchars is only used for displaying HTML. Keep the content in your database as neutral as possible, never pre-escaped. You want to treat everything in your database as raw, escaping it for the context it's used in, be that JSON, HTML, email or otherwise, on a case-by-case basis. If you presume it's HTML that can make life very ugly if you need to undo that and re-do it for JSON, for example.
I don't know where you learned that htmlspecialchars technique, but it's highly probable this is cargo cult programming where incantations are used without their purpose being fully understood. This is a common problem with a lot of YouTube tutorial-type training where they drown you in code but offer very little in the way of theoretical foundation or practical explanations.
I'm trying not to be too hard on you here, you're just trying to learn, but it's important to understand the code you're using instead of just using it because someone told you to. Try to dig a little deeper, look up the documentation on the methods you're using. PHP has a fantastic manual with a comments section full of people helping to clarify any misunderstandings.
Related
I have a MySQL database that has large amount of records. For each record there is a field of text called "Comment" and I've put 3 examples below:
"Very fast payment, thank you. "
"love the thank you"
"Fast delivery thank u "
My question is this:
How do I interrogate each record look at the contents of the "Comment" field and then work out what the top 20 words used are?
For example using the 3 comments above the words
"thank" appears 3 times,
"Fast" 2 times
And the rest of the words used are only used once.
I am guessing that I'll need to use PHP to work through each record, explode out using a " " (space), remove characters like commas & full stops, then store the results and then count those.
But I am really not sure on the best approach and not sure how to handle plurals such as "thanks" & "thank". Hence the question :)
Matt
Because they are all in the one column you can't really do much SQL filtering here.
If the data set isn't too huge (i.e. php running out of memory huge) then you should be able to read it into php and process it.
You can use explode to split on spaces and work with the data as a huge array. And you can use preg_match function to do string compare operations, see: http://us3.php.net/preg_match - you should spend some time investigating regular expressions.
It would be easier to use the SQL like function in the where clause if you were looking for something specific like SELECT COUNT(comment) where comment like '%thank%'` but you would have to do that manually.
Also, you may want to consider dumping it out to a file and using unix-based commands like wc which can help you with what you are after. You can also use PHP to interact with these commands if you are in a unix-like environment.
Short of writing the code there isn't much more I can tell you.
Possible, perhaps. However, MySQL is not really good for this type of querying. If you did attempt this using MySQL is is likely to take a long time to actually complete and would not be practical if you wanted to run this type of query frequently.
I'd suggest you look into indexing your data using something that is specifically designed for these kind of queries. Some kind of Apache Lucene derivative would do nicely, for example you could use Elasticsearch. Here are the docs from ES that describe the kind of query you are looking to run: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-facets-terms-facet.html
Unlike MySQL running these kind of queries on something like ES would execute very quickly as it is specifically designed for it.
I’m currently working on a small set of database access and management classes in php. while trying to understand our well known mysqli better, I still fail to understand why and how variable-types defined in mysqli_stmt::bind_param could and would enhance security/utility within the current application.
The advantages of having a mysql statement going on are clear. Query and values are submitted on two different paths and that of course makes the application more secure and more error proof! But what happens to these variables… are these checked prior by php or after on in mysql?
Is it just mysqli being lazy for doing something like?
!is_numeric($v) && ( !is_null($v) || $v != “NULL”) ? “‘$v’” : $v
Or is there any var type definition on the mysql side which I don’t know?
“PREPARE stmt_name FROM … “;
“SET #var1 = 3”;
“SET #var2 = ‘foo’”;
“EXECUTE stmt_name USING #var1, #var2”;
It doesn’t seem there’s much going on this values. quite anything passed as a string is evaluated properly… then why bother?
There’s another side-question even though related to this one: is there any way to replicate mysqli’s way of sending blob string in packets?
Thanks bye
As nobody has given an answer yet... i do have one now! The data-type definition within bind_param does noting more than adding those quotes to the query, although, variables are bound at a lower level than a php script could be ever capable of! formally going though any different path apart from mysqli/pdo would mean to transfer all the data by strings!
thats it, cheers!
I'm trying to check a string passed through the URL and get back all results from a MySQL database where that string is a match.
I send different queries based on the input, but the one in question looks basically like this (it's really much longer):
if ($projectsname) {$result = mysql_query("SELECT item FROM items WHERE projectname=$projectsname",$db)}
The issue is that $projectsname is a string. All my other queries return an integer and work fine. But in this case I can't get it to give me a proper result in the actual PHP code unless I put it in quotes, and here's how I did that:
$projectsname = (isset($_GET['projectname']) && !empty($_GET['projectname'])) ? '"'. $_GET['projectname'] .'"' : 0;
...by appending the quotes to the data that creates the variable. And that works. It just seems wrong to me.
Is there a better way of making this comparison?
(I wish I could say this was a newbie question, but it's something I've often had trouble with in my years as a designer who tries to code.)
Feel free to edit the question if you know better terminology than I have used here (and let me know what your edits were--I'm having a hard time phrasing the question.).
if ($projectsname) {$result = mysql_query("SELECT item FROM items WHERE projectname='$projectsname'",$db)}
You need to quote strings that you pass to mysql.
Run
echo "SELECT item FROM items WHERE projectname=$projectsname";
to see what query you're actually sending.
Also read up about mysql_real_escape_string and about SQL injections in general. Consider the following example of a very typical SQL injection your code is prone to:
$projectsname = "123 OR 1=1";
echo "DELETE FROM items WHERE projectname=$projectsname";
Using pure PHP for complete application projects is highly discouraged. It puts the coder in the position of worrying about elementary problems such as escaping queries, validating form data, security, templating, loading libraries, etc., etc. Instead of worrying about the program logic the coder puts too much time worrying about the syntax. Only newbies do that. We don't because time is money for us.
My recommendation: use framework. I personally recommend Codeigniter or Zend. Believe me it'll save you a lot of headache.
I needed a generic function in php that will properly clean and escape any variable used in a Dynamic MySQL Statement. For example MySQL is vulnerable to random user - inserted data. Any sample code , or links are highly appreciated.
Edit 1- I did follow the links posted below. I still feel a concrete example would help.The requirement at work is to have a function which ma look like below:
function MySQLClean($string){
// Contentns
return string;
}
My questions are
What characters should this function escape for mysql . I know a few like ' ^ etc
What characters should be removed i.e cleaned ?. This should be generic rather than databsae specific.
How do I test it ? - Do , I pass in each string that make up my query to this function before executing the query or do I pass in the entire query to this function , split them into tokens and then clean/escape each character in the tokenized string and return it by joining it together.
An example of a Before and After "Escaping and Cleaning" the query string will be highly appreciated.
If this explanation seems vague and unspecific - that pretty much sums up my understanding of how to clean and validate the data. I will however be glad to provide any further details.
Edit 2 - After reading some material on the net and following the link in the given below answers - I have the below following function
function MySQLClean($string)
{
if(get_magic_quotes_gpc()){
$string = stripslashes($string);
}
return addcslashes(mysql_real_escape_string($string),"%_");
}
Is this sufficient?
If you use prepared statements, your data will be cleaned and help prevent SQL injection attacks.
http://www.php.net/manual/en/function.mysql-real-escape-string.php
Ok, since you've edited your question and I better understand what you're trying to do, let me say this:
Don't Do It!
You will run into problems with the character set of the connection, differing collations, etc. There are a fair number of edge cases that you will likely miss and still be vulnerable with. For one example of an edge case, check out Chris Shiflett's Blog Post...
If you're writing a DB abstraction layer and want to create a uniform interface, call the database's escape method in the driver layer. Don't try to write your own escape mechanism since it will not be nearly as good as the in-built one, and will not be kept up to date as well either...
I'm running php 5.2.13 and i have an app that contains tons of files but they all calling one file at the beginning, i want to put some line in that file to automatically mysql real escape any query, because i don't want to go across every file and change code.
Thanks!
I don't know how well that would work. What you really need is to escape the input not things like table names, fields, etc. If you pass the entire query to an escape, I'd be willing to bet you'd find a good number of queries that will fail because it will turn things like
select * from tablename where name = 'foo'
into
select * from tablename where name = \'foo\'
Which would choke.
And, having a wrapper function in your code helps a lot (assuming you don't want to use a framework, etc). If you have "mysql_query()" littered around your code, you probably are in for a bit of work to change it up. If you can't/don't-want-to adopt a framework, at least wrap it in a function of your own, like "db_query()" like this:
function db_query($query,$and,$other,$arguments)
{
mysql_query( ... ); // you can change this to some other database later if you want
}
I did that in a project a few years ago and it helped a ton when I wanted to log some errors. I just added it to that function instead of having it in 200 places in the code.
But even that won't really help if you didn't escape input properly in the first place. In that case your only option is to take some time and fix it.
Hans has some good suggestions. But i think the bottom line is youre going to have to modify a lot of code. There is no magic bullet on this one. Whoever wrote it should have known better, and now you my friend are going to pay the price. Personally if youre going to have to go in and manually edit i would urge you to switch to PDO or mysqli. That way you can make use of prepared statements which will handle the escaping of variables for you provided you use them correctly.
If you have a large project, and need to change the data access, I would suggest to move to an ORM, my personal pick is Propel.
With that you would solve the whole escaping sql's problem, would make your app more scalable and you could also reverse your database diagram in order to generate the classes needed for Propel.
Propel will give you benefits like transactions, parameters and many more, so you should reaally think about it.
Best regards
Take note that it's not queries that you will want to escape, it's user supplied variables that are to be included in the query (unless you're writing malformed SQL yourself on purpose). So what you can do is to run mysql_real_escape_string() on, say, the $_POST array with array_map(), provided that you are not going to use that array for anything else.
mysql_real_escape_string() is still only the second best solution to the issue anyway. I you can use prepared statements (AKA parametrized queries) and you're home free.