Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
I am currently using PHP and SQL to throw back some parameters I enter in a form.
I can search numbers perfectly fine and it gives me the correct results but anytime I use a search like "443265dsa44dd" it displays nothing even though it's in the database.
$searchedID = $_POST['uuid'];
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '.$searchedID.'";
$result = $conn->query($sql); // $conn (a mysqli connection) and this call are not shown in the post
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        echo "Name: " . $row["name"] . "<br>" . "Contact: " . $row["contact"] . "<br>" . "Phone: " . $row["phone"] . "<br>" . "Address: " . $row["address"] . " ";
    }
}
The id is a primary key and set to VARCHAR; any ideas what is happening here?
You have an error when trying to include $searchedID in the SQL string.
Either concatenate like this:
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '" . $searchedID . "'";
// note the additional quotes
OR
let PHP parse that variable for you (possible only inside double quotes):
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '$searchedID'";
BUT
You are vulnerable to SQL injection, so use prepared statements!
I'm self-learning MySQL and PHP for a few days and now I'm stuck on this error and can't help myself. Can you look at the code? Thanks!
This is the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 7
Here is the page:
switch ($_GET['action']) {
    case 'add':
        switch ($_GET['type']) {
            case 'movie':
                $query = 'INSERT INTO
                    movie
                    (movie_name, movie_year, movie_type)
                    VALUES
                    ("' . $_POST['movie_name'] . '",
                    ' . $_POST['movie_year'] . ',
                    ' . $_POST['movie_type'] . ')';
                break;
        }
        break;
}
if (isset($query)) {
    $result = mysql_query($query, $db) or die(mysql_error($db));
}
I think the problem may be in here:
<td><select name='movie_type'>
<?php
$query = 'SELECT movietype_label FROM movietype ORDER BY movietype_id';
$result = mysql_query($query, $db) or die (mysql_error($db));
while ($row = mysql_fetch_assoc($result)) {
    foreach ($row as $value) {
        echo '<option value="' . $row['movietype_id'] . '">';
        echo $row['movietype_label'] . '</option>';
    }
}
?>
</select></td>
and here is the print_r output:
Array(
    [movie_name] => asd
    [movie_type] =>
    [movie_year] => 2015
    [submit] => ADD)
Shouldn't you be using a double quote " instead of a single quote ' like below? You are mixing single and double quotes.
$query = "INSERT INTO
    movie
    (movie_name, movie_year, movie_type)
    VALUES
    ('" . $_POST['movie_name'] . "',
    '" . $_POST['movie_year'] . "',
    '" . $_POST['movie_type'] . "')";
Granted this is ugly, but I would be surprised if it fails.
$query = "INSERT INTO
    movie (movie_name, movie_year, movie_type)
    VALUES
    ('"
    . $_POST['movie_name'] . "','"
    . $_POST['movie_year'] . "','"
    . $_POST['movie_type'] . "')";
Also, you need to cleanse your data. Data acted upon directly from the user without cleansing, or without proper separation from the code, can, and someday will, contain SQL injection.
Ugly code like the above starts to take on some beauty with mysqli and PDO, plus the parameters are safely separated, and all the moaning about injection goes away.
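As an added example (not part of the question or either answer), here is the movie INSERT written as a PDO prepared statement, with the form fields validated before they are bound. It also fetches movietype_id for the select list: the original select query asked only for movietype_label and then read $row['movietype_id'], which leaves the option value empty. $pdo is an assumed PDO connection configured to throw exceptions.

```php
<?php
// Added example, not the question's or the answers' code.
// Assumes $pdo is a PDO connection with PDO::ERRMODE_EXCEPTION set.
declare(strict_types=1);

function insertMovie(PDO $pdo, array $post): int
{
    // Validate the user-supplied fields before they reach the database.
    $name = trim((string)($post['movie_name'] ?? ''));
    if ($name === '') {
        throw new InvalidArgumentException('movie_name is required');
    }
    // filter_var() returns false for anything that is not a whole number,
    // so "" or "2015abc" is rejected instead of silently becoming 0.
    $year = filter_var($post['movie_year'] ?? null, FILTER_VALIDATE_INT);
    $type = filter_var($post['movie_type'] ?? null, FILTER_VALIDATE_INT);
    if ($year === false || $type === false) {
        throw new InvalidArgumentException('movie_year and movie_type must be integers');
    }

    // Placeholders keep SQL and data apart: no quoting, no concatenation,
    // and a quote character inside movie_name is just data.
    $stmt = $pdo->prepare(
        'INSERT INTO movie (movie_name, movie_year, movie_type)
         VALUES (:name, :year, :type)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':year', $year, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_INT);
    $stmt->execute();

    return (int)$pdo->lastInsertId();
}

// Build the <option> list with both the id (for value="") and the label.
function movieTypeOptions(PDO $pdo): string
{
    $html = '';
    $rows = $pdo->query('SELECT movietype_id, movietype_label FROM movietype ORDER BY movietype_id');
    foreach ($rows as $row) {
        // Escape on output so a label containing < or " cannot break the HTML.
        $html .= '<option value="' . htmlspecialchars((string)$row['movietype_id'], ENT_QUOTES) . '">'
               . htmlspecialchars((string)$row['movietype_label'], ENT_QUOTES) . "</option>\n";
    }
    return $html;
}
```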
I have these two queries with the same variables:
$query = 'UPDATE payee SET payee="oui", datePaiement=\'' . $datePaiement . '\',paiement="'.$paiement.'", typePaiement="' . utf8_decode($moyenPaiement) . '" WHERE id_commande=' . $commande->getNum() . '';
$connexion->exec($query);
$query2 = 'UPDATE commande SET mpaiement="' . utf8_decode($moyenPaiement) . '",pxttc="'.$paiement.'" WHERE noCommande=" . $commande->getNum() . "';
$connexion->exec($query2);
For the first one, my $paiement isn't saved in my DB. I get $paiement = 0, while in my second one $paiement is saved as I want.
I have the same pattern in my second query with $moyenPaiement: $moyenPaiement is saved as I want, but it is not saved in my first query.
Sorry for my explanation, it may be confusing.
You should not combine single and double quotes; it is confusing. Try this:
$query = 'UPDATE payee SET payee="oui", datePaiement="' . $datePaiement . '", paiement="'.$paiement.'", typePaiement="' . utf8_decode($moyenPaiement) . '" WHERE id_commande="' . $commande->getNum() . '"';
$connexion->exec($query);
$query2 = 'UPDATE commande SET mpaiement="' . utf8_decode($moyenPaiement) . '", pxttc="'.$paiement.'" WHERE noCommande="' . $commande->getNum() . '"';
$connexion->exec($query2);
Later edit:
Don't forget to print your queries if something weird happens. These queries can be tested in phpMyAdmin too.
print_r($query);
I have this function:
public function selection($table, $condition_var, $condition_val)
{
    if ($condition_var != '') {
        $stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var=.":".$condition_var. " ");
        $stm->bindParam(":".$condition_var, $condition_val);
        return $stm->execute();
    }
}
I am getting an error here, on the line below:
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var=.":".$condition_var. " ");
I don't know what I am doing wrong here. Kindly please check.
Please refer to this: http://php.net/manual/en/pdostatement.bindparam.php
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var."=:condition_val");
$stm->bindParam(":condition_val", $condition_val);
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var . " = :param");
$stm->bindParam(":param", $condition_val);
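Both answers bind the value, but $table and $condition_var are still concatenated into the SQL, and PDO placeholders cannot stand in for identifiers. As an added example (not from the question or the answers), here is the helper with the table and column names checked against an allow-list before they are interpolated; the class, the table names and the column lists are constructed for the illustration, and $dbh is assumed to be a PDO connection as in the question.

```php
<?php
// Added example, not the question's or the answers' code.
// Assumes PHP 8 and a PDO connection in exception mode.
declare(strict_types=1);

class Repository
{
    // Constructed allow-list: each table the helper may touch and the
    // columns it may filter on. Anything else is rejected, never quoted.
    private const ALLOWED = [
        'users'  => ['id', 'email', 'status'],
        'orders' => ['id', 'user_id'],
    ];

    public function __construct(private PDO $dbh) {}

    public function selection(string $table, string $condition_var, mixed $condition_val): array
    {
        if (!isset(self::ALLOWED[$table])) {
            throw new InvalidArgumentException("unknown table: $table");
        }
        if (!in_array($condition_var, self::ALLOWED[$table], true)) {
            throw new InvalidArgumentException("column $condition_var is not allowed for $table");
        }
        // Identifiers come from the allow-list above, so interpolating them is
        // safe; the value itself still travels as a bound parameter.
        $sql = sprintf('SELECT * FROM `%s` WHERE `%s` = :value', $table, $condition_var);
        $stm = $this->dbh->prepare($sql);
        $stm->bindValue(':value', $condition_val);
        $stm->execute();
        return $stm->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

Unlike the original, which returns the bool from execute(), this version returns the fetched rows.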
I have this code:
$list_summoners = $con->query("SELECT * FROM verified_users WHERE Username='" . $search_user . "'");
and I was wondering how I could format it, like:
$list_summoners = mysqli_query($con, "SELECT * FROM verified_users WHERE Username='" . $search_user . "'");
echo '<table align="center" style="text-align:center;"><tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
while ($row = mysqli_fetch_array($list_summoners)) {
    echo '<tr><td>' . $row['username'] . '</td><td>' . $row['summoner_id'] . '</td><td>' . $row['summoner_region'] . '</td><td><span class="button color_dark">View</span></td></tr>';
}
echo '</table>';
I am asking this, because I know mysqli_query is open to abuse.
Thanks in advance.
mysqli_query($con, 'SELECT...') called in procedural mode, vs $con->query('SELECT...') called in object-oriented mode perform exactly the same function. In both modes, $con is the same object - a mysqli connection object, but the MySQLi API offers two methods of interacting with it.
So, the use of mysqli_query() and $con->query() are both equally insecure when used the way you are using them, concatenating in a variable $search_user. The secure method would be to avoid mysqli_query() entirely and instead use a prepared statement:
$stmt = $con->prepare('SELECT * FROM verified_users WHERE Username = ?');
if ($stmt) {
$stmt->bind_param('s', $search_user);
$stmt->execute();
// Then bind & fetch()...
}
else echo $con->error;
See How can I prevent SQL injection in PHP for more details & examples on executing and fetching from the prepared statement.
Using $con->query() as you are, to fetch rows with a while loop you may call $list_summoners->fetch_array(), as it is an object of class mysqli_result:
if ($list_summoners) {
    echo '<table align="center" style="text-align:center;"><tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
    while ($row = $list_summoners->fetch_array()) {
        echo '<tr><td>' . htmlspecialchars($row['username']) . '</td><td>' . htmlspecialchars($row['summoner_id']) . '</td><td>' . htmlspecialchars($row['summoner_region']) . '</td><td><span class="button color_dark">View</span></td></tr>';
    }
    echo '</table>';
}
Note the addition of htmlspecialchars() to those values, when sent to output as HTML. Even if these were not originated from user input, it is an important habit to be in as it will prevent cross-site scripting when outputting values originating from user input, or values which contain characters requiring entity encoding in HTML.
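The answer above stops at "Then bind & fetch()", and the first answer on this page ("use prepared statements!") gives no code at all. As an added example that belongs to neither answer, here is the complete mysqli prepared-statement lookup with bind_result()/fetch() and escaped HTML output; the same pattern covers the first question's WHERE id = ? lookup. $con is an assumed mysqli connection; the table and column names are the ones from this question.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes $con is an open mysqli connection.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findSummoners(mysqli $con, string $search_user): array
{
    $stmt = $con->prepare(
        'SELECT username, summoner_id, summoner_region FROM verified_users WHERE Username = ?'
    );
    // 's' = string. The value is sent separately from the SQL text, so quotes
    // or SQL keywords inside $search_user are compared literally, not executed.
    $stmt->bind_param('s', $search_user);
    $stmt->execute();
    // bind_result() works without the mysqlnd driver that get_result() needs.
    $stmt->bind_result($username, $summonerId, $region);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['username' => $username, 'summoner_id' => $summonerId, 'summoner_region' => $region];
    }
    $stmt->close();
    return $rows;
}

function renderSummonerTable(array $rows): string
{
    // Open the table once, one <tr> per row, close it once.
    $html = '<table align="center" style="text-align:center;">'
          . '<tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
    foreach ($rows as $row) {
        // Escape on output: stored values may contain < > & or quotes.
        $html .= '<tr><td>' . htmlspecialchars((string)$row['username'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars((string)$row['summoner_id'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars((string)$row['summoner_region'], ENT_QUOTES, 'UTF-8')
               . '</td><td><span class="button color_dark">View</span></td></tr>';
    }
    return $html . '</table>';
}

echo renderSummonerTable(findSummoners($con, (string)($_POST['search_user'] ?? '')));
```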
I am trying to insert some data in the database but it gives me a really confusing error.
Now the error is:
Parse error: syntax error, unexpected ')'
Code:
$query = mysql_query("INSERT INTO `members` VALUES (''," .$username ."," . $password . "," . $date . "," .$email . ",1'"));
You forgot some dots over there.
$query = mysql_query("INSERT INTO `members` VALUES (" .$username ."," . $password . "," . $date . "," .$email . ",1)");
You have many mistakes: you forgot points (dots), and you forgot a ).
You should also specify the column names.
This should work for you:
$query = mysql_query("INSERT INTO `members` (firstcolumn ,username , password ,date,email , lastcolumn) VALUES ('' ,'$username','$password','$date','$email',1 ) ");
^----------^--------^-----^----^-----^^---your columns
Here is the general rule for how to use INSERT:
INSERT INTO table (column1, column2, column3) VALUES (value1, value2, value3)
Try this (replace x, y, z, a, b with your column names):
$query = mysql_query("INSERT INTO `members` (`x`,`y`,`z`,`a`,`b`) VALUES ('','$username','$password','$date','$email','1')");
You haven't used ' and " in the correct place.
Write your query and add at the end:
or die(mysql_error());
What does it say?
I've worked it out now.