I have php files with SQL queries broken into multiples lines.
for example:
$sql = "select count( aa." . BOOK_ART_ID . ") as book_count
from " . BOOK_ART_TABLE . " as aa
inner join " . AUTHER_TABLE . " as l on aa." . BOOK_ART_AUTHER_ID . " = l." . AUTHER_ID . " AND
l." . AUTHER_CODE . " = '" . "'
where aa." . BOOK_ART_TITLE_ID . " = " . $book_id;
I'm trying to extract all SQL statements from the PHP files. I tried grep on $sql and only getting the first line back.
How do I extract entire SQL string from all PHP files?
I was thinking more around deleted line break until ';' character.
You can try this sed,
sed -n '/\$sql/{ :loop; N; s/ *\n *//g; /;/{p;q}; t loop}' yourfile
Test:
$ sed -n '/\$sql/{ :loop; N; s/ *\n *//g; /;/{p;q}; t loop}' yourfile
$sql = "select count( aa." . BOOK_ART_ID . ") as book_countfrom " . BOOK_ART_TABLE . " as aainner join " . AUTHER_TABLE . " as l on aa." . BOOK_ART_AUTHER_ID . " = l." . AUTHER_ID . " ANDl." . AUTHER_CODE . " = '" . "'where aa." . BOOK_ART_TITLE_ID . " = " . $book_id;
Related
The SQL below when echoed in the PHP script displays only WHERE id IN (91220,91222,91232,91233,91244,91263,91264,91277)
Please help me find what is wrong with the SQL.
$sql = "UPDATE customers SET customers.name=AES_ENCRYPT('" . self::PII_OBFUSCATE_NAME . "','" . AES_CRYPT_KEY . "')"
. ", address1=AES_ENCRYPT('" . self::PII_OBFUSCATE_ADDRESS1 . "','" . AES_CRYPT_KEY . "')"
. ", day_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. ", nite_phone=AES_ENCRYPT('" . self::PII_OBFUSCATE_PHONE . "','" . AES_CRYPT_KEY . "')"
. (is_array($customers_to_obfuscate))
? " WHERE id IN (" . implode(",", $customers_to_obfuscate) . ")"
: " WHERE id = '$customers_to_obfuscate'";
You need to check your braces in the ternary operator. It must look like follows:
((is_array($orders_to_obfuscate)) ? " WHERE id IN (" . implode(",", $orders_to_obfuscate) . ")" : " WHERE id = '$orders_to_obfuscate'");
I'm writing some html+php code but this part seems to be causing error. Do you see something wrong?
$sql = "SELECT p.seccio_id, count(*), sum(r.preu)
FROM report r, persona p
WHERE r.usuari_upc = p.persona_id
and r.any = " . $_POST["any"] . "
and r.mes = " . $_POST["mes"] . "
and p.any_id = '"
if ($_POST["mes"] < 9) echo ($_POST["any"] - 1) . "-" . $_POST["any"] . "'";
else echo $_POST["any"] "-" . ($_POST["any"] + 1) . "'";
"GROUP BY p.seccio_id
ORDER BY p.seccio_id";
You have to split it up:
$sql = "SELECT p.seccio_id, count(*), sum(r.preu) FROM report r, persona p WHERE .usuari_upc = p.persona_id and r.any = " . $_POST["any"] . " and r.mes = " . _POST["mes"] . " and p.any_id = '";
if ($_POST["mes"] < 9)
$sql .= ($_POST["any"] - 1) . "-" . $_POST["any"] . "'";
else
$sql .= $_POST["any"] "-" . ($_POST["any"] + 1) . "'";
$sql .= " GROUP BY p.seccio_id ORDER BY p.seccio_id";
P.S. Your sql is vulenarable to SQL injection.
I have made a database connection in php and FETCH parts like story and id.
the URL forms ok without '&' but fails when '&' is added in the URL.
Here is my php code with '&id=' added in the URL
$fullurl = /cms/page.php . '?chapter=' . $row['story'] . '&id=' . $row['id'];
Can someone put me right about the correct syntax...
The error is pretty obvious
$fullurl = /cms/page.php . '?chapter=' . $row['story'] . '&id=' . $row['id'];
should be changed so that all text is within the citation marks..
$fullurl = '/cms/page.php?chapter=' . $row['story'] . '&id=' . $row['id'];
Otherwise you will end up in an error.
Also please, consider using error_reporting(E_ALL); when debugging.
The part: /cms/page.php is not a string.... and thus is wrong. You could just change it to something like this:
<?php
// NOTICE THAT THE PART "/cms/page.php" IS NOW EMBEDDED IN QUOTES (STRING)
$fullurl = "/cms/page.php" . '?chapter=' . $row['story'] . '&id=' . $row['id'];
// OR EVEN COMPACT IT LIKES SO:
$fullurl = "/cms/page.php?chapter=" . $row['story'] . '&id=' . $row['id'];
poiz
it still didnt work but i found i dont need to fetch from NEWS_ARTICLES. In fact my variables are already fetched as you see below...
Here is my actual code.
$sql = "SELECT old,title,story,shortstory,author,origauthor,ip,timestamp,allowcomments,short,approved,viewcount,rating,archive date,neverarchive,archived,id,
" . NEWS_USERS . ".user AS authorname,
" . NEWS_USERS . ".avatar AS authoravatar,
commentcount AS comments
FROM " . NEWS_ARTICLES . " INNER JOIN " . NEWS_USERS . " ON " . NEWS_ARTICLES . ".author = " . NEWS_USERS . ".uid WHERE id IN (";
if($nocats == "1"){
$sql .= "SELECT id AS storyid FROM " . NEWS_ARTICLES . " WHERE id NOT IN (SELECT storyid FROM " . NEWS_GROUPCATS . " WHERE type = 'news') UNION ";
}
$sql .= "SELECT storyid FROM " . NEWS_GROUPCATS . " WHERE type = 'news' AND catid IN (SELECT catid FROM " . NEWS_GROUPCATS . " WHERE type = 'rss' AND storyid = ?) ) AND archived = '0' ORDER BY timestamp DESC LIMIT 0, $rssamount";
$newsstories = DataAccess::fetch($sql, $feedid);
foreach($newsstories AS $row){
if(FRIENDLY){
$fullurl = $newslocation . $prefix . $row['id'] . "-0-" . makefriendly($row[title]);
}else{
$fullurl = $newslocation . '?epic-code=' . $row['shortstory'] . '&id=' . $row['id'];
}
'&id' gives...
error on line 12 at column 85: EntityRef: expecting ';'
'id' gives...
[a link] http://www.example.com//stock-charts/share-charts.php?epic-code=ALTPid=3360
the & is missing ....
The above code is designed to display info stored in sql table. everything is corresponding to the titles in the table and in the correct order. however the page it is from is only displaying the first 2 columns and not the others. everything looks as if it is in order to me. is my statement wrong?
<?php
$con=mysqli_connect("xxx","y","y","yyyy");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM tripdata ");
while($row = mysqli_fetch_array($result))
{
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
}
mysqli_close($con);
?>
maybe you can try using assoc
while($row = mysqli_fetch_assoc($result))
{
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
}
i usual use this and no problem
assoc is index name based on field name
but array is based on number (0, 1, 2, 3)
Strange. Try do loop instead:
do {
echo $row['trip_id'] . " " . $row['image'] . " " . $row['date'] . " " . $row['destination'] . " " . $row['hl'] . " " . $row['cost'] . " " . $row['blurb'] . " " . $row['whatinc'] . " " . $row['whatopt'] . " " . $row['itin'] . " " . $row['depinfo'] . " " . $row['ppcode'];
echo "<br>";
} while($row = mysqli_fetch_array($result));
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
My code is.
$newModel = "INSERT INTO models (id," .
" firstname," .
" lastname," .
" email," .
" password," .
" group," .
" phone," .
" timeofday," .
" dayofweek," .
" address," .
" city," .
" state," .
" zip," .
" gender," .
" hair," .
" eye," .
" birthday," .
" birthmonth," .
" birthyear," .
" bustshirt," .
" cup," .
" waist," .
" hips," .
" waist," .
" hips," .
" weight," .
" inches," .
" dressjacket," .
" workxp," .
" twitter," .
" facebook," .
" joindate," .
" instagram," .
" imdb," .
" parentid," .
" error) VALUES (".
PrepSQL($modelid) . ", " .
PrepSQL($firstname) . ", " .
PrepSQL($lastname) . ", " .
PrepSQL($email) . ", " .
PrepSQL($password) . ", " .
PrepSQL($group) . ", " .
PrepSQL($phone) . ", " .
PrepSQL($timeofday) . ", " .
PrepSQL($dayofweek) . ", " .
PrepSQL($address) . ", " .
PrepSQL($city) . ", " .
PrepSQL($state) . ", " .
PrepSQL($zip) . ", " .
PrepSQL($gender) . ", " .
PrepSQL($hair) . ", " .
PrepSQL($eyes) . ", " .
PrepSQL($bday) . ", " .
PrepSQL($bmonth) . ", " .
PrepSQL($byear) . ", " .
PrepSQL($bust) . ", " .
PrepSQL($cup) . ", " .
PrepSQL($waist) . ", " .
PrepSQL($hips) . ", " .
PrepSQL($weight) . ", " .
PrepSQL($height) . ", " .
PrepSQL($dressjacket) . ", " .
PrepSQL($workxp) . ", " .
PrepSQL($twitter) . ", " .
PrepSQL($facebook) . ", " .
PrepSQL($joindate) . ", " .
PrepSQL($instagram) . ", " .
PrepSQL($imdb) . ", " .
PrepSQL($parentid) . ", " .
PrepSQL($error) . ")";
mysql_query($newModel) or die(mysql_error());
Its Shooting out an error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'group, phone, timeofday, dayofweek, address, city, state, zip,
gender, hair, eye' at line 1
group is a reserved word in MySQL. You must wrap it in backticks:
`group`,
phone
etc.
GROUP is a reserved keyword and happens to be the name of your column. To avoid syntax error, you need to escape it using backtick. eg,
`group`
MySQL Reserved Keywords List
If you have the privilege to alter the table, change the column name to which is not a reserved keyword to avoid problem from occurring again.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?