This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
When I add a new product sold with product code 00072 it saves nice but if I update the product sold and edit the product code to 00073 etc it gets saved as 73 and the 000 are missing.
Tried with INT VARCHAR CHAR and all the same Tried with unsigned zerofill and it just added a lot of 000000000000
The code I am using to update is:
<?php include("police.php"); ?>
<?php
$old = mysqli_real_escape_string($database,$_POST['old']);
$new = mysqli_real_escape_string($database,$_POST['new']);
$updating = mysqli_query($database, "UPDATE sales SET code = $new WHERE id = $old");
?>
What can be wrong?
Currently using VARCHAR 30 latin swedish, when adding new product sale it works fine but not when updating ...
Use single quotes to surround the values. Values sent to the database without quotes surrounding them may be interpreted as numbers instead of text.
$updating = mysqli_query($database, "UPDATE sales SET code = '$new' WHERE id = '$old'");
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I want to select the name contained in the column with the same name as my variable $column_id, which I pass to the function displayed below. It's passed correctly but without putting the '' around it the query results in an error. If I put them the result of the select is the value of $column_id itself, which is wrong. (the syntax equals to the one for prepared queries because that's the next step, if I can fix this issue)
$nirk2 = $this->conn->prepare("SELECT '" .$column_id. "' FROM t_values WHERE device_id='".$device_id."'");
$nirk2->execute();
$nirk2->bind_result($Value_Description);
$nirk2->fetch();
All I want to do is basically use my variable $column_id as name of the column to search the value in.
If you want to use a string as a column name you need to ensure that this column actually exists (is whitelisted) and then wrap it using backticks.
// whitelist column name
if(!in_array($column_id, ['my_col 1', 'my_col 2'])){
throw new \Exception('Invalid column name!');
}
// V backticks V
$nirk2 = $conn->prepare("SELECT `" .$column_id. "` FROM t_values WHERE device_id=?");
$nirk2->bind_param('s', $device_id);
$nirk2->execute();
$nirk2->bind_result($Value_Description);
$nirk2->fetch();
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
How can I accept a hash mark in a URL via $_GET?
(4 answers)
Closed 4 years ago.
I have this website where users can enter stable names to compete in games against other members. Usually it's fine as I can just escape or use addslashes to handle apostrophes and other such characters. What I am having an issue with is when users use a hash/pound/number sign in the stable name like the first example below or a bunch of special characters like the second example below...
#a new rising
ΔMi−1 = −αΣn=1NDi[n][Σj∈C{i}Fji[n - 1] + Fexti[[n-1]]
When this goes over as part of a url to a second page and the stable is a appended to the URL to be used as a GET variable to pull details from the database, nothing is returned. I have tried using urlencode, rawurlencode, and percent encoding on the $stable variable as is suggested in other questions on this site but nothing seems to work. Below is a sample of the code that has the issue...
Referring URL --- mydomain.com/stable.php?stable=#a new rising&season=59
Code for stable.php...
$stable = addslashes($_GET["stable"]);
$season = $_GET['season'];
echo $stable;
$sql = "SELECT total, wins, loss, ties FROM History_Stables WHERE stable = '$stable' AND season = '$season'";
$res = $link->query($sql);
$arr = $res->fetch_array();
$pts = $arr[total];
$w = $arr[wins];
$l = $arr[loss];
$t = $arr[ties];
And so on. What exactly am I missing here to get the hash/pound/number sign to be properly encoded as %23?
This question already has answers here:
What is the size of column of int(11) in mysql in bytes?
(11 answers)
Closed 5 years ago.
I have a situation where I have to add a phone number to the database.
If I enter number something like: 868150705 It goes OK to database
If I enter something like this: 3706150705 It goes to database with value 2147483647
With this input I take the value out of form
<input type="text" class="demoInputBox" maxlength="20" name="telefonas" value="<?php if(isset($info['tel_nr'])) echo $info['tel_nr']; ?>">
And with this query I put it into database (I have the $username)
$telnr = $_POST['telefonas'];
$db_handle = new mysqli("localhost", "root", "xxx", "Database");
$query = "UPDATE table SET tel_nr = '$telnr' WHERE username = '$username'";
$result = $db_handle->query($query);
My field tel_nr has the below format:
tel_nr int(20)
Can you help me with this strange magic? Btw I know this code is unsafe but the project isn't live at the moment. Just test things.
You're trying to put integer greater than int limit to the database. I'd suggest using VARCHAR for this (phone number isn't integer anyway - consider something like +420 730 500 600). Also, you are not escaping the data you get before trying to put it in the database, so it is vulnerable to SQL injection.
Hope this helps you, comment if you have any questions
I would recommend switching to a BIGINT for the tel_nr since it is 64bit by default and int is 32 bit (2147483647=2^31-1). the 20 in INT(20) specifies the number of characters mysql displays so in your case with zero fill on it would display 2147483647 preceded by 10 zeros
UPDATE:
found where i had read it
https://stackoverflow.com/a/4769436/6054257
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I have the following INSERT Statement but it doesn't insert a record in the table. It works when i add only the CALC_STOCK_NO field but not when i add Description field to the insert statement.
Here sample Description value: DSSY68678/787-15.5 14 328 I3 TL 8-8-6.01 ABC
$itemid = $data2['fields']['CALC STOCK NO'];
$pdesc = $data2['fields']['Item Description'];
mysqli_query($con,
"INSERT INTO 600XXX
(CALC_STOCK_NO, pdesc) VALUES
($itemid, $pdesc)"
);
here is what my table looks like:
You are not writing the correct field name for the description field. You placed pdesc instead of Description_for_Purchases in your sql statement. You also need to have apostrophes before and after your string values, which is the case for your second field. To correct these problems:
change this code:
mysqli_query($con,
"INSERT INTO 600XXX
(CALC_STOCK_NO, pdesc) VALUES
($itemid, $pdesc)"
);
to this code:
mysqli_query($con,
"INSERT INTO 600XXX
(CALC_STOCK_NO, Description_for_Purchases) VALUES
({$itemid}, '{$pdesc}')"
);
I am used to adding {} as well when I insert values into strings directly. You don't need to do it to work in this case, though since there are situations in which it is needed, I like to remain consistent and do it everywhere :). Let me know if that worked for you.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I have a problem in that someone is using a bot to exploit my site. It would appear from logs that he is able to send multiple requests very quickly before the code is able to deduct the amount requested from his balance.
I had thought about stating a random value for every time it executes, which then gets put into his account row and compared against itself. This way it would be different every time its run.
Below is the head of the code:
$player=mysql_fetch_array(mysql_query("SELECT `id`,`time`,`ex`,`btc`,`string` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));
$random = base64_encode(openssl_random_pseudo_bytes(10));
$setstring = $random;
mysql_query("UPDATE `players` SET `string` = $setstring WHERE `id`=$player[id] LIMIT 1");
$playersec=mysql_fetch_array(mysql_query("SELECT `string` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));
if (!is_numeric($_GET['amount']) || (double)$_GET['amount']>$player['btc'] || (double)$_GET['amount']< 0 || $setstring != $playersec['string'] ) {
$error='yes';
$con=1;
}
I'm pretty sure this is the problem, as when it executes it doesn't put anything in thestring field i.e. it's left empty.
mysql_query("UPDATE `players` SET `string` = $setstring WHERE `id`=$player[id] LIMIT 1");
Yet when I run:
<?php
$random = base64_encode(openssl_random_pseudo_bytes(10));
$setstring = $random;
echo $setstring;
?>
It outputs fine with: IAXUqtKraNDb1Q==
Does anyone have any ideas?
Thanks
At this moment you are creating a work around. To prevent this kind of abuse, it is best to stop it at the root cause and to do that to use database transactions.
Steps:
1) Use INNODB
2) Use transaction encapsulation on php.
Update and retrieve your totals from the database. Since they are now in a transaction, the next transaction has to wait on the first, with as result that only the real available values can be retrieved.