I have a simple method that is not working as it should - would like to use prepared statements but somehow it is not executed; instead the raw query works just fine.
What could be the problem? Should I pass some extra args to pdo methods?
$_POST['sequence'] = [
0 => 2,
1 => 1
];
if (!empty($_POST['sequence'])) {
$query = '
UPDATE '.$this->db->backtick($this->controller->table).'
SET `sequence` = CASE `id`'
;
foreach ($_POST['sequence'] as $sequence => $id) {
$values[':id'.$id] = $id;
$values[':sequence'.$sequence] = $sequence;
$query .= ' WHEN :id'.$id.' THEN :sequence'.$sequence;
}
$values[':ids'] = implode(',', array_values($_POST['sequence']));
$query .= ' END WHERE `id` IN (:ids)';
$statement = $this->db->handle->prepare($query);
$statement->execute($values); //doesn't work
//$query2 = str_replace(array_keys($values), array_values($values), $query);
//$this->db->handle->query($query2); works
}
Don't bind the param inside IN
$query .= ' END WHERE `id` IN ('.implode(',', array_values($_POST['sequence'])).')';
Related
Hi I'm trying to update user information on valid submit
in my query it's possible to update multiple columns only if it's relevant $_POST[ ] is not null
how i can do that ? used tool php , MariaDB or mysql I. I tried something like this but it returns syntax error corresponding to MariaDB
$query = " UPDATE `users`
SET name = COALESCE($name, name),
title = COALESCE($title, title),
email = COALESCE($email, email),
gender = COALESCE($gender, gender)
WHERE `id` = '" . $_SESSION['id'] . "' LIMIT 1";
You can have a helper for doing that
function getUserUpdateQuery(array $data, $userId)
{
$condition = 'WHERE id = '.$userId;
$query = 'UPDATE `users` SET ';
$updates = [];
foreach ($data as $columnName => $columnValue) {
if( !is_null($columnValue) )
{
$updates[] = sprintf('`%s` = \'%s\'', $columnName, $columnValue);
}
}
$query .= implode(' AND ', $updates).' ';
$query .= $condition;
return $query;
}
$query = getUserUpdateQuery(['title' => $title, 'email' => $email], $_SESSION['id']);
// updating codes here
Note: in production environment it is better practice to bind data. PDO is a good tool for doing that.
Trying to get a function working to create simple CRUD "Select" with multiple parameters to any table. I think I got the hardest part, but couldn't fetch the data right now. Maybe I'm doing something wrong I can't figure out.
My prepared statement function:
function prepared_query($mysqli, $sql, $params, $types = ""){
$types = $types ?: str_repeat("s", count($params));
if($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param($types, ...$params);
$stmt->execute();
return $stmt;
} else {
$error = $mysqli->errno . ' ' . $mysqli->error;
error_log($error);
}
}
The query creator:
function create_select_query($table, $condition = "", $sort = "", $order = " ASC ", $clause = ""){
$table = escape_mysql_identifier($table);
$query = "SELECT * FROM ".$table;
if(!empty($condition)){
$query .= create_select_query_where($condition,$clause);
}
if(!empty($sort)){
$query .= " ORDER BY ".$sort." $order";
}
return $query;
}
The helper function to create the WHERE clause:
function create_select_query_where($condition,$clause){
$query = " WHERE ";
if(is_array($condition)){
$pair = array();
$size = count($condition);
$i = 0;
if($size > 1){
foreach($condition as $field => $val){
$i++;
if($size-1 == $i){
$query .= $val." = ? ".$clause. " ";
}else{
$query .= $val." = ? ";
}
}
}else{
foreach($condition as $field => $val){
$query .= $val." = ? ";
}
}
}else if(is_string($condition)){
$query .= $condition;
}else{
$query = "";
}
return $query;
}
The select function itself:
function crud_select($conn, $table, $args, $sort, $order, $clause){
$sql = create_select_query($table, array_keys($args),$sort, $order, $clause);
print_r($sql);
if($stmt = prepared_query($conn, $sql, array_values($args))){
return $stmt;
}else{
$errors [] = "Something weird happened...";
}
}
When I create the query, it seems to be OK but can't fetch the data. If I create an array with only one argument the query translates into:
SELECT * FROM `teste_table` WHERE id = ?
If I create with multiple parameters, it turns like this:
SELECT * FROM `teste_table` WHERE id = ? AND username = ?
So, how can I properly fetch the data from the select. This should be used for multiple purposes, so I could get more than one result, so the best way would be fetch data as array I guess.
I guess I'm close, but can't figure it out. Thanks
I told you to limit your select function to a simple primary key lookup. And now you opened a can of worms. As a result you are getting entangled implementation code and unreadable application code.
$table, $args, $sort, $order, $clause
What all these variables are for? How you're going to call this function - a list of gibberish SQL stubs in a random order instead of plain and simple SQL string? And how to designate a list of columns to select? How to use JOINS? SQL functions? Aliases? Why can't you just write a single SQL statement right away? You already have a function for selects, though without this barbaric error reporting code you added to it:
function prepared_query($mysqli, $sql, $params, $types = ""){
$types = $types ?: str_repeat("s", count($params));
$stmt = $mysqli->prepare($sql)) {
$stmt->bind_param($types, ...$params);
$stmt->execute();
return $stmt;
}
Just stick to it and it will serve you all right.
$sql = "SELECT * FROM `teste_table` WHERE id = ? AND username = ?";
$stmt = prepared_query($mysqli, $sql, [$id, $name]);
$row = $stmt->get_result()->fetch_assoc();
The only specific select function could be, again, a simple primary key lookup:
function crud_find($conn, $table, $id)
{
$table = escape_mysql_identifier($table);
$sql = "SELECT * FROM $table WHERE id=?";
$stmt = prepared_query($conn, $sql, [$id], "i");
return $stmt->get_result()->fetch_assoc();
}
And for the everything else just use a generic function with native SQL.
I have a function to update up to 3 fields in a mysql table. The function can receive all 3 fields to be updated or just 1 or 2
Right now I am doing it like this (it works) to construct MySQL statement.
if ($foo1){
$mysql_set = '`foo1` = :foo1';}
if ($foo2){
if ($mysql_set){$mysql_set .= ', ';}
$mysql_set .= '`foo2` = :foo2';}
if ($foo3){
if ($mysql_set){$mysql_set .= ', ';}
$mysql_set .= '`foo3` = :foo3';}
$update = $db->prepare("UPDATE `bar` SET $mysql_set WHERE `id` = :id");
if ($foo1){
$update->bindValue(':foo1', $foo1, PDO::PARAM_STR);}
if ($foo2){
$update->bindValue(':foo2', $foo2, PDO::PARAM_STR);}
if ($foo3){
$update->bindValue(':foo3', $foo3, PDO::PARAM_STR);}
$update->bindValue(':id', $id, PDO::PARAM_INT);
$update->execute();
As you can see I am repeating "if ($foo1 - $foo3){}" twice to construct this MySQL query. It looks redundant and wondering if there's a better way to handle this scenario.
You can give an associative array to execute(), instead of calling bindValue() separately for each parameter.
$param_array = array(':id' => $id);
$set_array = array();
if ($foo1) {
$param_array[':foo1'] = $foo1;
$set_array[] = "foo1 = :foo1";
}
if ($foo2) {
$param_array[':foo2'] = $foo2;
$set_array[] = "foo2 = :foo2";
}
if ($foo3) {
$param_array[':foo3'] = $foo3;
$set_array[] = "foo3 = :foo3";
}
if (!empty($set_array)) {
$set_string = implode(", ", $set_array);
$sql = "UPDATE bar SET $set_string WHERE id = :id";
$update = $db->prepare($sql);
$update->execute($param_array);
}
Try.
if ($foo1){
$mysql_set = '`foo1` = :foo1';
$update = prepareStmt($db, $mysql_set);
$update->bindValue(':foo1', $foo1, PDO::PARAM_STR);
}
if ($foo2){
if ($mysql_set){$mysql_set .= ', ';}
$mysql_set .= '`foo2` = :foo2';
$update = prepareStmt($db, $mysql_set);
$update->bindValue(':foo2', $foo2, PDO::PARAM_STR);
}
if ($foo3){
if ($mysql_set){$mysql_set .= ', ';}
$mysql_set .= '`foo3` = :foo3';
$update = prepareStmt($db, $mysql_set);
$update->bindValue(':foo3', $foo3, PDO::PARAM_STR);
}
$update->bindValue(':id', $id, PDO::PARAM_INT);
$update->execute();
function prepareStmt($db,$mysql_set){
return $db->prepare("UPDATE `bar` SET $mysql_set WHERE `id` = :id");
}
I have a problem with a "unknown" column.
This is the error I get back in firebug.
ERROR: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'admin' in 'where clause'UPDATE users SET session_key = 1234567890 WHERE username = 'admin'
this is the parameters and call statement
$table = 'users';
$fields_vals = array( 'session_key' => $session_key );
$where = array('username' => $username);
$dbResult = $this->DB->sql_update($fields_vals, $table, $where);
/*
* UPDATE
* $data -> assoc array containing (field => value) to be UPDATED.
* $where -> Where clause (only a single argument)
* $table -> to be updated
*/
public function sql_update($fieldsVals, $table, $where)
{
try {
//Values to be updated in in a assoc array
//Extract values and fields and concatenate with '=' ( field = value )
$upd_string = '';
foreach($fieldsVals as $name => $value){
$upd_string .= $name .' = :'. $name .' ,';
}
//Trim last comma that was appended
$upd_string = rtrim($upd_string, ',');
// Formulate the where clause
$where_str = '';
foreach($where as $wName => $wValue){
$where_str .= "$wName = $wValue";
}
//Set Query
//$query = "UPDATE {$table} SET {$upd_string} WHERE $where_str";
// THIS IS WHERE I EXPLICITLY RAN THE QUERY, BUT GOT EXACTLY THE SAME ERROR.
$query = "UPDATE users SET session_key = 1234567890 WHERE username = 'admin'";
$stmt = $this->conn->prepare($query);
//Exec
foreach($fieldsVals as $k => &$v){
$stmt->bindParam(":{$k}", $v);
}
$stmt->execute();
return true;
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
return false;
}
}
Here is proof that the column does exist.
PLEASE NOTE -> where username = 'admin'
Try passing your WHERE attribute in as a prepared variable:
$query = "UPDATE users SET session_key = 1234567890 WHERE username = :username";
$fieldsVals[":username"] = "admin";
$where_str .= "$wName = '$wValue'";
Otherwise your query comes as "WHERE username = admin"
What you should do to use prepared statements for the whole query, so you should change your function from the current one into:
function sql_update($fieldsVals, $table, $where)
{
//Values to be updated in in a assoc array
//Extract values and fields and concatenate with '=' ( field = value )
$upd_string = '';
foreach ($fieldsVals as $name => $value) {
$upd_string .= $name . ' = :set_' . $name . ' ,';
}
//Trim last comma that was appended
$upd_string = rtrim($upd_string, ',');
// Formulate the where clause
$where_str = '';
foreach ($where as $wName => $wValue) {
$where_str .= $wName . ' = :wh_' . $wName . ' ,';
}
//Trim last comma that was appended
$where_str = rtrim($where_str, ',');
//Set Query
$query = "UPDATE {$table} SET {$upd_string} WHERE $where_str";
$stmt = $this->conn->prepare($query);
//Exec
foreach ($fieldsVals as $k => &$v) {
$stmt->bindParam(":set_{$k}", $v);
}
foreach ($where as $k => &$v) {
$stmt->bindParam(":wh_{$k}", $v);
}
$stmt->execute();
return true;
}
The correct usage would be:
$stmt = $this->conn->prepare('UPDATE users SET session_key = :session WHERE username = :username');
$stmt->bindParam(':session', session_id(), PDO::PARAM_STR);
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
Then execute.
I think your variable $fieldsVals is wrong due to the foreach's you do. Maybe you switching key und val by accident, resulting in WHERE admin=username.
Update:
#MarcinNabiaĆek is right of course you are missing quotes.
But it seems like the error is coming from a different part of the script.
It seems you don't use ' in your query in PHP. Either you don't use it or use other symbol that look similar.
If I run in phpmyAdmin query:
UPDATE users SET session_key = 1234567890 WHERE username = admin
I also get error message:
#1054 - Unknown column 'admin' in 'where clause'
but when I have
UPDATE users SET session_key = 1234567890 WHERE username = 'admin'
it works fine
In your code you should definitelly change:
$where_str .= "$wName = $wValue";
into
$where_str .= "$wName = '$wValue'";
session_key is a varchar
You have to use the query like the below,
$query = "UPDATE users SET session_key = '1234567890' WHERE username = 'admin'";
column admin doesn't exist! column administrator exists though.
I don't see any admin column in your mysql table in the screenshot that you provided.
You can simply change the name of the administrator column in your mysql table to admin and everything will work.
well my function is this
function all_products($where, $condition, $where2, $condition2) {
$query = "SELECT *
FROM `product`
WHERE
".mysql_real_escape_string($where)." = '".mysql_real_escape_string($condition)."'
and
".mysql_real_escape_string($where)." = '".mysql_real_escape_string($condition)."'
";
$query_run = mysql_query($query);
return $query_run;
}
so whenever Im trying to use this function to fetch the data from db it returns rows even if only the $where and $condition is true and $where2 and $condition2 is false.
You can support variable length of conditions.
function all_products(array $assoc) {
foreach ($assoc as $key => $value) {
$pairs[] = sprintf(
"`%s` = '%s'",
addcslashes($key, '`'),
mysql_real_escape_string($value)
);
}
$sql = empty($pairs) ?
'SELECT NULL LIMIT 0' :
'SELECT * FROM `product` WHERE ' . implode(' AND ', $pairs);
return mysql_query($sql);
}
However, all mysql_* functions are already DEPRECATED. I strongly recommend you migrate to PDO or mysqli.