I am trying to build a search query. I got following error, It seems syntax error of sql.
SQLSTATE[HY093]: Invalid parameter number (SQL: select * from products
where styles = Abstract , Abstract and subject = ? )
Why this error occurred ?
How to figure it out ?
My code as follows
if (isset($request->search)) {
//GET ALL INPUT FROM THE REQUEST
$query_strings = $request->all();
//PULL OUT ANY EMPTY FIELD FROM THE REQUEST
$filtered_array = array_filter($request->all());
//remove the last item
array_pop($filtered_array);
//BUILD A QUERY
$sql = array();
$values = array();
$x = 1;
foreach ( $filtered_array as $key =>$value ) {
if($x < count($filtered_array)){
$sql[]=" $key = ? and ";
$values[] =" $value , ";
} else {
$sql[]=" $key = ? ";
$values[] =" $value ";
}
$x++;
}
$fields = join(' ', $sql);
$v = join(' ',$values);
dd( \DB::select("select * from products where {$fields} ", [$v]));
}
When you're passing some values, you should add ? placeholder:
\DB::select("select * from products where ?", [$value]));
This is a bit of a stretch and I doubt it will work as is on the first try. But I really suggest you try and make use of the Laravel's query builder.
This code assumes you're passing 'products' table column names as names of GET or POST parameters and values you want to query by as values. For example:
url.com?price=200&size=2
Where 'price' and 'size' are column names of 'products' table.
Code:
// Check if request has 'search' parameter
if($request->has('search')) {
// $filtered_array now has all parameters that were passed to the controller
$filtered_array = $request->all();
// Start a query on table 'products'. Laravel style (more: https://laravel.com/docs/5.3/queries)
$query = \DB::table('products');
// For each parameter passed to the controller, we make "and where products.$key = $value" statement in the query
foreach($filtered_array as $key => $value) {
$query->where($key, '=', $value);
}
// Tell the query builder to get the results and save it to $results variable
$results = $query->get();
}
This will undoubtedly cause a lot of errors as anyone can send anything as GET/POST parameters and query by that (which will throw SQL error that the column doesn't exist).
You should change the $filtered_array = $request->all() to:
$filtered_array = $request->only(['id', 'price', 'size']);
This way you will store only the parameters you specify in the ->only(array) in the $filtered_array and ignore all the others. So you should replace 'id', 'price' and 'size' with all the columns of the 'products' table you wish to query by.
Related
I am trying to get a list of coupons through ajax when the checkboxes are selected. So everything else is working fine but the query is returning only the first match.
So my query is:
$this->db->from('tbl_coupons');
if($storeids !=''){
$ids = array($storeids);
$this->db->where_in('coupon_store', $ids );
}
$this->db->where('coupon_cat', $catid);
$this->db->where('coupon_status', 'active');
$query = $this->db->get();
if ($query->num_rows() > 0) {
$ds = $query->result_array();}
According to this my SQLquery becomes
SELECT * FROM `tbl_coupons`
WHERE `coupon_store` IN('1,97')
AND `coupon_cat` = '16'
AND `coupon_status` = 'active'
But this query is returning values with coupon_store=1 and no results are coming for coupon_store=97
I checked values for coupon store 97 which exists in that category.
use below way if data exist it will be part of query.
storeids = explode(',',storeids);
$ids = array();
foreach($storeids as $val){
$ids[] = $val;
}
if(!empty($ids)){
$this->db->where_in('coupon_store', $ids );
}
hope it will create proper sql query
The query is mostly correct, except at line 2, where you need to make the change as:
WHERE coupon_store IN('1','97')
everything else remains the same.
So, I have a following js and php:
JS:
var names = jQuery('#name').val();
data : {'action':'AJAX' , name:names },
The #name values are "mike,sean,steve"
PHP:
global $wpdb;
$names = $_POST['name'];
$table = $wpdb->prefix . 'my_name';
$RSS_UPDATE = $wpdb->get_col("SELECT update_number FROM $table WHERE id_name IN ($names)");
//update_number are int (example: 0,3,1,2)
$name = explode(',', $names);
if ( $RSS_UPDATE ){
foreach ( $RSS_UPDATE as $RSS_SINGLE ){
$RSS_ROW_NEW = $RSS_SINGLE + 1;
$wpdb->update($table, array('update_number' => $RSS_ROW_NEW),array( 'id_name' => $name));
}
}
So, few things:
what I am trying to achieve:
With the input values, get corresponding update_number. Then increase each value by "1" and update the same column with the new value.
Errors
Unknown column 'Array' in 'where clause' for query SELECT update_number FROM wp_my_name WHERE id_name IN (Array)
Just in general, something is not right...
Can someone help me out?
Thank you.
EDIT:
Does this look right?
if(!empty($_POST['name'])) {
$names = $_POST['name']; //array
$table = $wpdb->prefix . 'rh_subs';
$query = "SELECT update_number FROM $table WHERE id_name = %s";
$RSS_UPDATE = $wpdb->get_results($wpdb->prepare($query, $names));
if(!empty($RSS_UPDATE)) {
foreach($RSS_UPDATE as $RSS_SINGLE) { // for each row
$RSS_ROW_NEW = $RSS_SINGLE->update_number + 1;
$wpdb->update($table, array('update_number' => $RSS_ROW_NEW),array('id_name' => $RSS_SINGLE->id_name));
}
}
}
Just what I've said in the comments in your earlier post, since you're taking multiple inputs, you'll need to use the WHERE IN clause.
The simple example would be like this:
$_POST['name']; // these are comma delimited string of names
// "mike,sean,steve"
So in essence, you'll need to construct them inside a WHERE IN clause like this:
WHERE id_name IN ('mike', 'sean', 'steve')
The unsafe and dirtiest way would be to just explode - put quotations on the strings - implode it back together with comma again:
$names = array_map(function($e){
return "'$e'";
}, explode(',', $test));
$names = implode(',', $names);
// 'mike','sean','steve' // SATISFIES WHERE IN CLAUSE
// BUT UNSAFE!
So in order to do this safely, use the wpdb prepared statements. (This could get you started).
if(!empty($_POST['name'])) {
$names = explode(',', $_POST['name']); // explode the comma delimited string into an array
$table = $wpdb->prefix . 'my_name';
$stringPlaceholders = implode(', ', array_fill(0, count($names), '%s')); // create placeholders for the query statement, this will generate
$statement = $wpdb->prepare("SELECT update_number, id_name FROM $table WHERE id_name IN ($stringPlaceholders)", $names); // create the statement using those placeholders
$RSS_UPDATE = $wpdb->get_results($statement); // execute
// fetch resuls
if(!empty($RSS_UPDATE)) {
foreach($RSS_UPDATE as $RSS_SINGLE) { // for each row
$RSS_ROW_NEW = $RSS_SINGLE->update_number + 1;
$wpdb->update($table, array('update_number' => $RSS_ROW_NEW),array('id_name' => $RSS_SINGLE->id_name));
}
}
}
Note: Of course you can get creative yourself. I think you could combine the UPDATE and WHERE IN clause so that you'll just execute all of this once.
First of all, It seems that $_POST['name'] returns an array.
You can view what exactly you are getting in $_POST['name'] by:
var_dump($_POST['name'], true);
Also For the id_name, if they are like these "mike,sean,steve" then you should do this for adding quotes for strings and the escaping issue so that they can be like this "'mike','sean','steve'" as you are using a WHERE IN clause:
$names = $_POST['name'];
if(!is_array($names)) $names = explode(",",$names);
$new_names = array();
foreach($names as $name){
$name = get_magic_quotes_gpc() ? stripslashes($name) : $name;
$new_names[] = "'".mysql_real_escape_string($name)."'";
}
$names = implode(",", $new_names);
I'm trying to build a custom class to manage operations with database. I'm a beginner with OOP so if you have any suggests please tell me. By the way, i have an update method which took as parameter the name of the table, the fields to update, the values with which i want to update the fields and the fields and values to put in where clause of query.
At this time, i have two distinct arrays, one for the set part and one for the where part.
I build the query string like so PDOStatement Object ( [queryString] => UPDATE Ordini SET Nome=':Nome', Cognome=': Cognome', Telefono=': Telefono' WHERE ID=':ID' )
Now i would like to bind the params to the variables and execute the query and that's the problem. I try this way but the query don't update the fields.
- In $values i have the values i want to bind to variables in the SET part
- In $wv i have the values i want to bind to variables in the WHERE part
- In $fieldsQuery i have the placeholders for the SET part(":Nome" for example)
- In $fieldsWhere i have the placeholders for the WHERE part
How can i bind in the right way the placeholders with the variables?
public function update($table=NULL, $fieldsQuery=NULL, $fieldsValues = NULL, $whereFields=NULL, $whereValues=NULL, $whereOperators = NULL)
{
if($fieldsQuery != NULL)
$fields = explode(",", $fieldsQuery);
if($fieldsValues != NULL)
$values = explode(",", $fieldsValues);
if($whereFields != NULL)
$wf = explode(",", $whereFields);
if($whereValues != NULL)
$wv = explode(",", $whereValues);
$fieldsQuery = array_map(function($field) { return ":$field";}, $fields);
$bindValuesSet = array_combine($fieldsQuery, $values);
//return an array in which every field is => Fieldname=':Fieldname'
$bindSetInitial = array_combine($fields, $fieldsQuery);
//transform every item in array from field to :field
$fieldsWhere = array_map(function($field) { return ":$field";}, $wf);
$bindValuesWhere = array_combine($fieldsWhere, $wv);
$bindWhereInitial = array_combine($wf, $fieldsWhere);
//implode an array mantaining both key and value
$fieldsValues = implode(', ', array_map(function ($v, $k) { return sprintf("%s='%s'", $k, $v); }, $bindSetInitial, array_keys($bindSetInitial)));
$fieldsWhere = implode(', ', array_map(function ($v, $k) { return sprintf("%s='%s'", $k, $v); }, $bindWhereInitial, array_keys($bindWhereInitial)));
$query = $this->db->prepare('UPDATE ' . $table . ' SET ' . $fieldsValues . ' WHERE ' . $fieldsWhere);
$query->bindParam(':Nome', $values[0]);
$query->bindParam(':Cognome', $values[1]);
$query->bindParam(':Telefono', $values[2]);
$query->bindParam(':ID', $wv[0], PDO::PARAM_INT);
$query->execute();
print_r($query->debugDumpParams());
}
':Nome' is not a placeholder for a prepared statement. It's just a string ':Nome'
Placeholder is :Nome (without `) and without any spaces, tabs etc.
I.e. : Nome is not a placeholder too.
So, you query should be:
UPDATE Ordini SET Nome=:Nome, Cognome=:Cognome, Telefono=:Telefono WHERE ID=:ID
And thanks to #Fred-ii- - read error handling section of PDO
I have some text stored in a table. I want to replace all the expressions that look like this : [%parameter_name] with the corresponding value stored in another table.
All the parameters and in which column I must fetch their value are stored in a third column.
I tried to make a function to put all the needed patterns and their value in an array. However, it gives me a fatal error. Why?
Here is the code :
$search = $db->prepare("
SELECT *
FROM table
WHERE id = ?");
$search->execute(array($id));
$search->setFetchMode(PDO::FETCH_OBJ);
while($result = $search->fetch()){
$search2 = $db->prepare("
SELECT parameter_name,
read_from
FROM pattern
WHERE type = ?");
$search2->execute(array(strtolower($result->type)));
$search2->setFetchMode(PDO::FETCH_OBJ);
while($pattern = $search2->fetch()){
array_push($patterns, '/\[%'.$result->type.'\.'.$pattern->parameter_name.'\]/i');
$column = explode(',', $pattern->read_from);
if(count($column) == 1){
$col = $column[0];
// ERROR ON THE LINE BELOW
$value = $result->$col;
}
else{
$value = 0;
foreach($column as $col){
// BUT NOT ON THE ONE BELOW
$value += $result->$col;
}
}
array_push($replacements, $value);
}
}
I'm trying to do the following:
public function checkResult($table, $appends)
{
$append = null;
foreach ($appends as $key => $val)
$append = " AND `{$key}` = '{$val}'";
$result = $this->fetchObj("
SELECT *
FROM :cms_table
WHERE id :append
", array(
":cms_table" => $table
":append" => $append
));
return ($result ? true : false);
}
But I can't get this working because I don't know how to do this in PDO.
Also when I leave the :append my query isn't working either. It looks like I can't execute a table. When I change :cms_table to the cms_pages (table I need) it works correctly.
I couldn't find a thing about such query's in PDO. Anyone who can help me out?
Don't try to outsmart yourself.
You don't need no checkResult() function, as well as no other function of similar structure.
$sql = "SELECT 1 FROM table WHERE field = ? AND col = ?";
$found = $db->fetchObj($sql, array(1,2));
is all you actually need.