Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
I have this query:
SELECT * FROM items WHERE itemcategory= 123 AND itemname LIKE '%abc%';
I want to pass parameters to itemcategory and itemname; I tried something like this:
SELECT * FROM items WHERE itemcategory=".'$categoryid'." AND itemname LIKE" ."'%$itemname%'"." AND shopid=5003;
It didn't work. Can anyone help?
What you are doing is nearly right, but you can de complicate the string concatenation, if you remember that $var is automatically expanded in a double quoted string
So this is easier to read and notice spacing issues, which is all I think that was wrong with your statement
$q = "SELECT *
FROM items
WHERE itemcategory = '$categoryid'
AND itemname LIKE '%$itemname%'
AND shopid=5003";
Assuming you have valid data in these variables this should work
The only danger with doing this rather than using prepared parameterised queries is that you risk SQL Injection Attack
Have a look at what happened to Little Bobby Tables Even
if you are escaping inputs, its not safe!
Use prepared statement and parameterized statements
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 1 year ago.
Improve this question
When I put a number myself the database gets updated to Success but when I try to access the same number from $_POST It complete the transaction but doesn't affect the rows even thought it's using the same number.
Example of a query that works perfectly and updates the database
$sql = "UPDATE `transactions` SET `status` ='Success' WHERE `transactions`.`txn_id` = 65765756";
Example of a query that doesn't work
$sql = "UPDATE `transactions` SET `status` ='Success' WHERE `transactions`.`txn_id` = ".$_POST['m_payment_id'];
First, check what's in the value, and make sure it is the same as what you are manually entering.
var_dump($_POST['m_payment_id'])
Second, the code without any other checks is a SQL injection vulnerability.
You could convert the value into an integer to protect against this, e.g. intval($_POST['m_payment_id'])
Ideally though, you would be using bindings.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 4 years ago.
Improve this question
SELECT * FROM hge_funcionarios
JOIN hospitais
ON hge_funcionarios.hospital_id = hospitais.id_hospitais
JOIN funcoes
ON hge_funcionarios.funcao_id = funcoes.id_funcoes
WHERE nome LIKE '%$search%'
ORDER BY hospital_id DESC
When I try the exact name from the database doesnt show up any results.
If i search "Larissa" or "LARISSA", I get no results even in my database having "LARISSA CAMPOS".
If I try "lar" or anything like this I can find it, but when it gets too close to the name on database like "LARISS" I can't find it any more.
I tried collate and charset but no success.
EDIT: Its not a Query error with ambiguous column name in SQL because column names are distinct.
I'm writing this answer since it's not possible to show it in the comments. Feel free to disregard it.
The problem you are facing seems to be related to the injection of parameter values into your SQL query. The easy (dangerous) way is to simply concatenate strings, as in:
$stmt = $conn->prepare(
"select * from my_table where name = '" . $param1 . "'");
Even though it works for simple cases, your case is more complicated, and confusing. Most of the time you'll use Prepared Statements as in:
$stmt = $conn->prepare("select * from my_table where name = ?");
$stmt->bind_param("sss", $param1);
This way, the parameter will be injected the right way. In your case you'll need to prepend and append % to your parameter, since it'll be used for a LIKE operator.
WHERE nome LIKE '%$search%'
May be $ is the Reason.Try Like : WHERE nome LIKE '%search%'
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I have an HTML form which is processed with PHP.
The input in the form is used as a condition in a SQL WHERE clause.
When there is no input the WHERE clause looks for an empty string and won't return anything. Instead I want to return ALL rows.
How can this be achieved? I thought about using LIKE instead but I want to match only exact input when there is indeed input.
To be clear:
I want to check if the variable that the input is stored in is empty. If so, I want to return all rows.
I wanted to know if it is possible to do such thing in SQL without having to change the statement around. Rather, by just changing the variable.
Note that there can be multiple fields of input.
EDIT:
Ignore the possibility of security risks. Is there a SQL command that can achieve this without changing the query itself, just the variables? For the record I am already checking if the variables are empty strings before the query. Also, where would the security risk be if I am checking if the variables are empty or not and I am doing proper validation otherwise?
Since you should not use user generated strings directly inside an SQL query anyways (See PHP: SQL Injection), I would handle that in the PHP script, not in SQL:
if(isset($user_input) && !empty($user_input)) {
// add WHERE clause
}
Edit: isset() is redundant if checked for !empty(). This will do, too:
if(!empty($user_input)) {
// add WHERE clause
}
Thanks AbraCadaver!
A common method to dynamically add filters on a query is:
$sql ='select * from table where (1=1) ';
if (array_key_exists($_POST,'email'))
{
$email=mysql_real_escape_string($_POST['email']);
$sql.=" and (email='$email')";
}
if (array_key_exists($_POST,'city'))
{
$city=mysql_real_escape_string($_POST['city']);
$sql.=" and (city='$city')";
}
//.....
mysql_query($sql);
This can allow you to use the same query, and effectively ignore the parameter if blank. I am not sure I would actually recommend it in lieu of constructing a (still parameterized) query, since it might not play nice with indexes all the time, but it is possible.
WHERE ([my_parameter] = '' OR the_field = [my_parameter])
even more generalized:
WHERE ([my_parameter] = [ignore value] OR the_field = [my_parameter])
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Improve this question
mysql_query("
INSERT INTO `LMS`.`Presentation`
('Pre_Name' ,'Path' ,'PLec_ID' ,'pdatein' ,'pdesc','PSems_ID')
values
('$fname','$newname','$com',NOW(),'$filedesc','$semes')"
) or die("failed");
Dear All,
I have a table named presentation and I am going to enter value to it, it is mentionable that $com and $sems are comboboxs value, but the query show failed, anyone could help please,
thanks in advance
You're using quotes when you should be using backticks:
mysql_query("INSERT INTO `LMS`.`Presentation` (`Pre_Name`, `Path`, ...
Or simply don't use any special character. The backtick is only necessary if you do something silly like use a reserved word as a column name and I would hope people would choose their column names to be more readable.
In other words, date and in and select are silly names for columns, you should be using expiry_date, isInLocation and selectionStatus.
change or die("failed") into or die(mysql_error()) and you'll know why.
btw, consider changing from mysql functions to mysqli functions. And use parameterized queries. Otherwise you will be open to SQL injection.
mysql_query("
INSERT INTO table
(column1, column2, column3, column4 .... columnX)
VALUES(column1Data,column2Data, column3Data, column4Data ... columnXdata)
") or die(mysql_error());
> rove on this example and if there isnt a alias for a table then could not use a alias.
everything hiddends on details..
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!
If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php