My PDO query is throwing an error
42000 1064 You have an error in your SQL syntax
$sql = "SELECT * FROM {$this->config->__get('table_medicine')} WHERE patient_id = ? AND medicine LIKE %?%";
$query = $this->dbh->prepare($sql);
$data = array($patient_id, $medicine);
$response = $query->execute($data) or die(implode(" ", $query->errorInfo()));
Can someone see what am I doing wrong?
The % need to be inside the string argument to LIKE. Either use CONCAT() in the SQL:
$sql = "SELECT * FROM {$this->config->__get('table_medicine')}
WHERE patient_id = ? AND medicine LIKE CONCAT('%', ?, '%')";
or do the concatenation in PHP:
$data = array($patient_id, '%'.$medicine.'%');
Related
I tried to use TRIM() in a PDO SELECT query and got a syntax error message as "Syntax error or access violation: 1064 You have an error in your SQL syntax;". What should I do to correct this error?
DB:
tblrecord (firstname, lastname, score)
PHP:
$firstname = trim('Mary');
$lastname = trim('Lamb');
$sql = "SELECT * FROM tblrecord WHERE TRIM(firstname) AS firstname = ? AND TRIM(lastname) AS lastname = ?";
$stmt = $connection->prepare($sql);
$stmt->execute( array($firstname, $lastname) );
Dont use alias on the WHERE
$sql = "SELECT * FROM tblrecord WHERE TRIM(firstname) = ? AND TRIM(lastname) = ?";
I want to submit the query as a prepared statement, like below.
$query = $this->createQuery();
$query->getQuerySettings()->usePreparedStatement(TRUE);
$sqlParamList[] = 'test#gamil.com';
$sql = 'SELECT uid FROM table_name WHERE email = ?';
$query->statement($sql, $sqlParamList);
$result = $query->execute();
But I always get errors like below.
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near '?' at line 1'
Where I am wrong?
You need to parse your $sql to a prepared statement first:
$preparedSql = $this->objectManager->get(\TYPO3\CMS\Core\Database\PreparedStatement::class, $sql, 'table_name');
With $this->objectManager->get() you instantiiate the class PreparedStatement with the arguments $sql and 'table_name'.
This will change your $sql and parse the ? to be used as prepared statement.
Another approach:
$query = $this->createQuery();
$query->getQuerySettings()->usePreparedStatement(TRUE);
$sqlParamList = [
':email' => 'test#gamil.com'
];
$sql = 'SELECT uid FROM table_name WHERE email = :email';
$query->statement($sql, $sqlParamList);
$result = $query->execute();
Cannot test it, just an approach.
I try to add $username into MySQL query as follows. But the query fails with SQL syntax error.
$username = $this->input->post('username');
$sql = "SELECT * FROM temp_user UNION SELECT * FROM member WHERE username = ".$username."";
$query = $this->db->query($sql);
What's wrong with this query?
Here is error message Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
SELECT * FROM temp_user UNION SELECT * FROM member WHERE username =
Filename: C:/xampp/htdocs/dex/system/database/DB_driver.php
Line Number: 691
Try it like this, no need for string concatenation
$sql = "SELECT * FROM temp_user UNION SELECT * FROM member WHERE username = '$username'";
The SQL syntax error is likely due to this part:
"... WHERE username = ".$username."";
You should escape $username
That is
"... WHERE username = ".$this->db->escape($username);
where $conn is a mysqli object representing the link identifier.
Solved!!! because of i cannot use star(*) with union
$sql = "SELECT username FROM temp_user WHERE username = '".$username."' UNION SELECT username FROM member WHERE username = '".$username."'";
I have a query below which I did with mysql_query before and it executed properly.. But using PDO it's showing some error
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1'
This is my code with mysql_query :
$sql1 = "SELECT * FROM product WHERE id IN (";
foreach($_SESSION['cart'] as $id => $value){
$sql1 .= $id.',';
}
$sql1 = substr($sql1, 0, -1) .")";
$query = mysql_query($sql1);
Using PDO without prepare statement.. :
$sql1 = "SELECT * FROM product WHERE id IN (";
foreach($_SESSION['cart'] as $id => $value){
$sql1 .= $id.',';
}
$sql1 = substr($sql1, 0, -1) .")";
$query = $db->query($sql1);
You miss to "add" the string here:
$sql1 = substr($sql1, 0, -1);
$sql1 .= ")";
In the PDO tag (info) you will find the correct procedure for PDO Prepared statements and IN.
The following code uses this method to add unnamed placeholders from your SESSION array
$in = str_repeat('?,', count($_SESSION['cart']) - 1) . '?';
$sql1 = "SELECT * FROM product WHERE id IN ($in)";
$params = $_SESSION['cart'] ;
$stmt = $dbh->prepare($sql1);
$stmt->execute($params);
DEMO
I'm trying to do like this using PHP and MySql PDO:
//PHP Variables
$msg_a = 'Too Little';
$msg_b = 'Score OK';
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b) from scores;"
$results = $conn->prepare($Sql);
$results->execute();
AFAIK this should have worked. But I keep getting the following error message:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
How can something like this be done?
$results = $conn->prepare($Sql);
---------------------------------------------^ (capital S)
it should be with a lowercase s
$results = $conn->prepare($sql);
because you have:
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b)
from scores";(//semicolon after double quotes)
---^
with a lowercase s ($sql)
Can you try this,
$sql = "select if(stdScore >= stdRequired, $msg_a, $msg_b) from scores";
$results = $conn->prepare($sql);
Have you tried it this way ?
$sql = "select if(stdScore >= stdRequired, "'.$msg_a.'", "'.$msg_b.'") from scores;"
Since you're already using PDO don't do query string interpolation leaving your code vulnerable to sql injections and value escaping problems. Instead use prepared statements properly.
Your code could've looked something like
$msg_a = 'Too Little';
$msg_b = 'Score OK';
// use placeholders in a query string
$sql = "SELECT IF(stdScore >= stdRequired, :msg_a, :msg_b) msg FROM scores";
// prepare the statement
$query = $conn->prepare($sql);
// bind parameters and execute the query
$query->execute(array(':msg_a' => $msg_a, ':msg_b' => $msg_b));
// fetch the resultset
$rows = $query->fetchall(PDO::FETCH_ASSOC);