I really dislike writing SQL queries within my PHP.
Given the following example piece of PHP:
script.php
$name = 'Bill'
$query = "SELECT * FROM a_table WHERE name='$name'";
I'd like to instead write the sql query in it's own file and include (or otherwise) get the contents into my script:
query.sql
SELECT * FROM a_table WHERE name='$name'
script.php
// This doesn't work obviously
$query = '"'.include('query.sql').'"';
Note that I'd like to be able to reference PHP variables within the SQL query (e.g: $name is setup declared in script.php but used as part of the query).
nice and simple solution:
$sql = file_get_contents("query.sql");
And to reference variables, I suggest using PDO where you reference like this
$query = $db->query( "SELECT x FROM x WHERE x = :example")
$query->execute(array("example"=>$value));
...But you can do something similar to this in mysqli, etc.
query.sql:
SELECT * FROM a_table WHERE name=:name
script.php:
$query = file_get_contents('path/to/query.sql');
Then bind the parameters and execute the query.
See How can I prevent SQL-injection in PHP? for why you should bind variables instead of concatenating them into your query string.
Related
This question already has answers here:
How to insert values in a PHP array to a MySQL table?
(2 answers)
Closed 5 years ago.
I'm using PHP session variable to track character ID's between two tables, characters and character_data_store.
The session ID definitely has the correct ID as I have had to print its value before it goes into the mySQL query.
For testing I selected a user I knew had a rapsheet and used
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.`key` = 'RapSheet'
AND character_data_store.character_id = '216'";
Obviously I can't use this for all users as I need to confirm the right one has been selected so thats where the session variable comes in.
I've tried using:
$correctPlayer = $_SESSION['selpid'];
echo $correctPlayer; #confirm it's the right id and then remove
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = '$correctPlayer'";
I did some searching on SO and I found that int's need to have double quotes around them not single quotes, I tried that and had no luck but someone else suggested putting the session ID in exactly which I tried next:
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = {$_SESSION['selpid']}";
Each time I do this I get mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given which SO tells me is because this operation results to false, I assume because it's not accepting the playerID from selpid or $correctPlayer?
It definitely works with the testing user where the playerID is inserted directly into the query. But I can't think of a way to do that since I need to match the playerID from table "characters" where the search is done against their first and last name and then pull the rapsheet data against the same playerID in table "character_data_store".
How do I use a variable in the WHERE condition of a MySQL query using a php variable?
You have obvious error in your code. You are missing quotes in {$_SESSION['selpid']} and you are using quotes in column name. Your query should be
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.`key` = 'RapSheet' AND character_data_store.character_id = '{$_SESSION['selpid']}'";
You should not use quotes in column name, instead use backquotes(`) if you really need. I recommend prepared statements.
There are multiple ways to do this. A naive way to do this would be-
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ".$correctPlayer;
But to avoid sql injections I would recommend you use bindparam function to bind paramaters in a statement.
$sql="SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ?";
if($stmt = $dbh->prepare($sql)){
$stmt->bindParam(1, $correctPlayer, PDO::PARAM_STR);
$ql = $stmt->execute() or die("ERROR: " . implode(":", $dbh->errorInfo()));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$result['data'] = $row;
I am using Laravel 5.
I need to save some sql statements in a field of a table of the database (these statements are used to get some results).
I want to get these statements in my controller and execute them using Laravel, but the statements are only strings,
Let's suppose the following
$statement = Table::where('ID', 1);
$statement = $statement->STATEMENT;
In $statement I have a string like this
$statement = 'SELECT SUM(VAL) FROM TABLE';
What I need to know is how to execute in the database the statement saved in my string var $statement
I finally want to have something like
$result = 10 (the result of executing 'SELECT SUM(VAL) FROM TABLE', which was in $statement)
Thanks!
This is called raw queries in laravel. For example:
DB::select(DB::raw('select * from users''));
So in your case(if You've already got $statement):
DB::select(DB::raw($statement));
$ten_desc=$_REQUEST['frm_num'];
$sql = "select * from TENDER_REG where TENDER_DESC LIKE:ten_desc%'";
$stmt=oci_parse($conn,$sql);
oci_bind_by_name($stmt,':ten_desc',$ten_desc);
displaying error please help
The SQL query string will likely confuse PHP and ORACLE. The following will make more sense to both. 1) there is one clear placeholder in the query string. 2) the value passed is complete.
Untested:
replace:
$sql = "select * from TENDER_REG where TENDER_DESC LIKE:ten_desc%'";
with:
$sql = "select * from TENDER_REG where TENDER_DESC LIKE :ten_desc";
and:
oci_bind_by_name($stmt,':ten_desc',$ten_desc);
with:
oci_bind_by_name($stmt,':ten_desc', $ten_desc .'%');
This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Correct way to use LIKE '%{$var}%' with prepared statements?
(1 answer)
Closed 1 year ago.
I am trying to find the number of rows that match a specific pattern. In this example, all that START with "123":
This is working:
$query = mysql_query("SELECT * FROM table WHERE the_number LIKE '123%'");
$count = mysql_num_rows($query);
The problem is the LIKE will vary, so I'm trying to define it in the script, then execute the query, but this is NOT working:
$prefix = "123";
$query = mysql_query("SELECT * FROM table WHERE the_number LIKE $prefix.'%'");
$count = mysql_num_rows($query);
How can I get this query to work properly in the second example?
EDIT: I've also tried it without the period (also not working):
$query = mysql_query("SELECT * FROM table WHERE the_number LIKE $prefix'%'");
You have the syntax wrong; there is no need to place a period inside a double-quoted string. Instead, it should be more like
$query = mysql_query("SELECT * FROM table WHERE the_number LIKE '$prefix%'");
You can confirm this by printing out the string to see that it turns out identical to the first case.
Of course it's not a good idea to simply inject variables into the query string like this because of the danger of SQL injection. At the very least you should manually escape the contents of the variable with mysql_real_escape_string, which would make it look perhaps like this:
$sql = sprintf("SELECT * FROM table WHERE the_number LIKE '%s%%'",
mysql_real_escape_string($prefix));
$query = mysql_query($sql);
Note that inside the first argument of sprintf the percent sign needs to be doubled to end up appearing once in the result.
DO it like
$query = mysql_query("SELECT * FROM table WHERE the_number LIKE '$yourPHPVAR%'");
Do not forget the % at the end
Alt A below is a statement from a php-mysql tutorial. It works as it should.
I found the id-value rather obfuscated and tested alt B. This also worked!
What is the point with the id-value of alt A?
MySQL 5.0.51, PHP 5.2.6
// Alt A :
$sql = "SELECT * FROM example WHERE id = '".$q."'";
// Alt B :
$sql = "SELECT * FROM example WHERE id = $q";
This are just two different approaches to building a string from static and variable data.
Alternative A uses concatenation, or the joining of string and variable tokens using the concatenation operator.
Alternative B uses variable expansion, wherein the variables inside a double-quote-delimited string are expanded to their values at evaluation time.
Neither is necessarily better or preferred, but if you have to have single-quote-delimited strings, for example, then you would need to use alternative A.
Of course, neither of these is preferable to building SQL queries with bound parameters, as not doing so leaves you vulnerable to SQL injection attacks.
Theres two reasons to use the example in 'Alt A'. First is if the string is enclosed in single quotes '', the variable's name will be used in the string instead of it's value.
$id = 7;
'SELECT * FROM table WHERE id = $id' //works out to: WHERE id = $id
"SELECT * FROM table WHERE id = $id" //works out to: WHERE id = 7
Secondly, it's useful to combine strings with the results of a function call.
"SELECT * FROM table WHERE id = '".getPrimaryId()."'"
Outside of what has already been said I've found it best practice, if I'm writing a query, to write it as so:
$sql = "SELECT * FROM table WHERE uid=" . $uid . " LIMIT 1";
The reason for writing SQL like this is that 1. MySQL query doesn't have to parse the PHP variables in the Query and 2 you now easily read and manage the query.
When PHP communicates with MySQL, it is actually (in essence) two languages communicating with each other. This means that a string will be processed by the first language before being sent to the other. It also means that it is important to think in terms of the receiving language
In this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = $q";<br/>
you are telling MySQL to
"SELECT * FROM example1 WHERE id = some_name.
In this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '$q'";<br/>
and this case:
$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '".$q."'";<br/>
you are telling MySQL to
"SELECT * FROM example1 WHERE id = 'some_name'.
The first example should cause an error as some_name is not a valid part of a MySQL query (in that context). On the other hand, the next two will work fine, because MySQL will look for the String "some_name".
You can also do this:
$sql="SELECT * FROM exempel WHERE id = {$q}";
which is useful for setting off things like:
$sql="SELECT * FROM exempel WHERE id = {$row[id]}";
in 'alt B', $q must be an int or float or other numeric
in 'alt A', $q can be anything a string, int, etc.
The single quote makes that possible. It's just hard to see sometimes if you are looking at it for the first time.