I am having with my query because Insert into value and select is not working, Is this the proper way of using it? thankyou!
This is my query line
$sql = "INSERT INTO `stud_class` (`stud_fullname`, `stud_uid`,`stud_code`, `stud_subject`, `stud_cname`,`stat`) VALUES ('$stud_full','$stud_uid',(SELECT subject_code,subsubject,class_Name FROM subject WHERE subject_code = '$subcode'),1)";
A subquery that's used as an expression is only allowed to return one value, not multiple columns.
You need to use the SELECT query as the source of all the values, not as an expression inside the VALUES list.
$sql = "INSERT INTO `stud_class` (`stud_fullname`, `stud_uid`,`stud_code`, `stud_subject`, `stud_cname`,`stat`)
SELECT '$stud_full','$stud_uid', subject_code,subsubject,class_Name, 1
FROM subject WHERE subject_code = '$subcode')";
You should also use a prepared statement rather than substituting variables into the SQL string. See How can I prevent SQL injection in PHP?
Can someone help me get the SELECT query (2). below to work?
This string used for both SELECT statements:
$seller_items = ('6','9','12','13','14','15','16','17','18','19','20','22','23','24','25','26','28','27','29','30','31','32','33','34','35','36','37','38','39','40','41','42','43','44','45','46','47','48','49','50','51','53','54','55','57','58','59','60','62','63','64','65','61','67','56','69','70','74','73','75','78','80','76','72','95','94','101','102','71','103','2','104','4','81','21','10','11','3','79','5','8','7','97','93','96','98');
(1). This SELECT query is working fine:
if ($stmt = $mysqli->prepare("SELECT info FROM items WHERE item_id IN $seller_items AND active = ?")){
$stmt->bind_param("s",$active);
(2). This SELECT query is not working:
if ($stmt = $mysqli->prepare("SELECT info FROM items WHERE item_id IN ? AND active = ?")){
$stmt->bind_param("ss",$seller_items,$active);
I think placing the variable in the SELECT query itself may defeat the purpose of a prepared statement.
I can get the IN predicate to work just fine with a non-prepared statement. It's the prepared statement with which I am having the problem.
Thank you in advance.
As #Dai mentioned the IN cannot be parameterized with just one variable. Sure it can be done with a series of parameters but the number of them is fixed. The idea with prepare statements is that the insertion of values are expected the same position, the same number of parameters and the same kind.
If the amount of parameter inside of the IN is fixed, something like this works:
$a=[1,2,3];
$s=$mysqli->prepare("SELECT id FROM users WHERE role_id IN (?,?,?)");
$s->bind_param('iii',$a[0],$a[1],$a[2]);
$s->execute();
$s->bind_result($id);
$c=[];
while($s->fetch()){
$c[]=$id;
}
var_dump($c);
Maybe this is not the answer that you are looking for, but if the amount of variables is not know better insert the imploded array string inside the original SQL command.
$a=[1,2,3];
$b="('".implode("','",$a)."')";
$s=$mysqli->prepare("SELECT id FROM users WHERE role_id IN {$b}");
$s->execute();
$s->bind_result($id);
$c=[];
while($s->fetch()){
$c[]=$id;
}
var_dump($c);
I am trying to select exact json value in mysql query condition, currently i am using LIKE and it work but like returns false positive.
my code is::
$id='1';
json data example:: ["1","12","38"]
$sql="SELECT * FROM `posts` WHERE `json_column` LIKE '%".$id."%' ";
with this query, it returns both 1 and 12. how can i get just 1?
Note the extra quotes:
$sql="SELECT * FROM posts WHERE json_column LIKE '%\"$id\"%'";
However, this is wide open to SQL inject if $id comes from user input. Be careful.
The more secure method would be to use parameterised queries with PHPs prepared statements as follows:
$stmt = $dbh->prepare("SELECT * FROM posts WHERE json_column LIKE '%\"?\"%'");
$stmt->bindParam(1, $id);
Let's consider i have this line of code
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
IMHO this is vulnerable to SQL injections.
So I'd like to prove it trying by sending via Get / URL a "var" param that will inject the query, with potential malicious code.
I actually tryed this:
var = "1'; TRUNCATE myTable; ";
I tryed to print out the SQL string query before executing it and it's actually 2 SQL valid statements.
SELECT * from myTable where field='1'; TRUNCATE myTable;
1st problem
But actually itseems that mysqli->query will not execute 2 statements at once. Isn't it?
2nd problem
I see that a common technique to Inject queries is to per form injection then add comment chars to get rid of the tail of the SQL.
Example:
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
Can be injected with :
var = "1'; TRUNCATE myTable; # ";
But this problem arise and I'm missing the trick to get rid of it
if the SQL string in the code have new lines e.g. :
"SELECT * from myTable where field='".$_GET['var']."'
AND field2 IS NOT NULL"
If i use the above "var" the final result is
SELECT * from myTable where field='1'; TRUNCATE myTable; #
AND field2 IS NOT NULL
Second line won't be commented
How to test injection on this?
Many thanks.
1st problem But actually it seems that mysqli->query will not execute 2
statements at once. Isn't it?
That's right, if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation about multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php
But this problem arise and I'm missing the trick to get rid of it
The problem arises because you are using multiple statements, and mysqli->query does not support them.
About your queries:
$result = $mysqli->query("SELECT * from myTable where field='".$_GET['var']."');
You can inject this using for example 1' OR 1=1; that would return all entries of myTable on the query result.
"SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1
Nowadays there are tools that can automatically check SQL injection for you, take a look at SQL Inject Me (Firefox Addon) for example.
I'm trying to do a SELECT * from a table, where the name of that table is itself taken from another query. I think I'm tying myself in knots. Here's what I've got:
SELECT options_table INTO #tableName FROM registrant_fields WHERE id = 9;
SET #sql_text_1 = concat('CREATE TABLE tmp_options LIKE ', #tableName);
PREPARE stmt_1 FROM #sql_text_1 ;
EXECUTE stmt_1;
SET #sql_text_2 = concat('INSERT tmp_options SELECT * FROM ', #tableName);
PREPARE stmt_2 FROM #sql_text_2;
EXECUTE stmt_2;
SELECT * FROM tmp_options;
DEALLOCATE PREPARE stmt_1;
DEALLOCATE PREPARE stmt_2;
So... when I paste that lot into PHPMyAdmin and run it, I get the results of each statement appended respectively, and learn that yep, my "SELECT * FROM tmp_options;" has indeed got some rows. But how do I GET them??
All I want to do is drop that query into a PHP string and run it with mysqli_query(). Is that not going to work?
I have no clue about PHP, but I happen to know that mysqli_query() works with one SQL statement only (for security reasons).
I'd suggest you do (pseudo code, except SQL parts)
somePHPvariableForTableName = ("SELECT options_table FROM registrant_fields WHERE id = 9;");
query("CREATE TABLE whyDoIneedAtmpTable AS SELECT * FROM $somePHPvariableForTableName");
query("SELECT * FROM whyDoIneedAtmpTable;");
and that's it. No need for that extra INSERT step. And it's not clear, why and if you really need a temp table.