I am having an issue when trying to query data from my MySQL database. Here is the PHP that generates the query: $q = "SELECT * FROM tclog" . (isset($id) ? " WHERE tcuid='$id';" : ";");
Here is the query that it generates: SELECT * FROM tclog WHERE tcuid='55609bb380d9a3.92986475';
The peculiar part of this issue is that, from one page, the query runs just fine, yet from another page, the query fails. The only difference between the pages is that one page gets the entire SQL script from a form on itself (with action="" and don't worry, it's password-protected and forces SSL), while another page (the one shown above which doesn't work) generates the script using just the id variable.
Any help would be greatly appreciated.
I discovered the problem. It was actually in the code that calls mysqli_query, not in the query itself. Looks like you all enjoyed laughing at my crappy security anyway.
Enjoy,
MagikM18
Related
I have a website with a lot of functions and calculations, and it grows every day. Calculation errors are getting harder to solve as my logs are really big.
The website is used by employees, so there is a lot of traffic between the website and the MySQL database. Is it possible in any way to append comments to the queries so they show up in the log files?
The standard ones (I guess #..#) get lost after the query is parsed by the MySQL server.
I'm just trying to get a better overview of my log files.
For example it could be something like this:
$query = "UPDATE something SET column = 'input' WHERE ... #ticket-calc#";
$result = mysql_query($query, $db) or die(mysql_error());
I would like to show up 'ticket-calc' for this query in the log-files.
Everything I tried hasn't worked. It looks like the server is saving just the raw command without anything appended.
I also thought about just comparing a string (the comment) with 'true', which shouldn't change the general query:
[query] ... AND 'ticket-calc'= true
I hope there is a more clean way to get it.
Solved this by using /* comment */. Thanks!
I have the same approach to log (in MySQL) where my queries are in the database. I use "--" to solve the problem.
$pdo->exec("-- GETTING USERS");
$stmt->execute();
By the way, it is better to make all logs in your application, including logging of the queries, e.g.:
file_put_contents('/path/to/sql.log', 'TRY TO EXECUTE QUERY: ' . $stmt->queryString . PHP_EOL, FILE_APPEND); // log path is a placeholder
$stmt->execute();
As none of the people who helped me out in the comments want to post their solutions as an answer, I'll do so to get this topic closed.
I'm using /* .. */ to mark my queries.
Thanks for the help #AlexGreg, #davidkonrad and #davidkonrad.
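Added example (not code from the thread above): a small PDO wrapper that prepends a `/* tag */` comment to each query, runs it as a prepared statement, and mirrors the tagged statement into an application-side log as the second answer suggests. The connection details and log path are placeholders. The security point a practitioner should keep in mind is that the tag lives inside the SQL text, so it must be validated rather than taken from user input: a tag containing `*/` would close the comment and turn the rest of the string into live SQL.

```php
<?php
// Added example, not from the original thread.
// Assumptions: a PDO MySQL connection and a writable log path (both placeholders).

declare(strict_types=1);

final class TaggedQueryRunner
{
    public function __construct(
        private PDO $pdo,
        private string $logFile = '/var/log/app/sql.log' // assumed path
    ) {}

    /**
     * Prepend an identifying comment to $sql, run it as a prepared statement
     * with $params, and append what was sent to the application log.
     */
    public function run(string $tag, string $sql, array $params = []): PDOStatement
    {
        // The tag becomes part of the SQL text, so it must never come from user
        // input: "*/" would close the comment and inject SQL. Allow only a
        // fixed, safe character set of bounded length.
        if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $tag)) {
            throw new InvalidArgumentException("Unsafe query tag: $tag");
        }

        // A /* ... */ comment is sent to the server as part of the statement and
        // appears in the general and slow query logs; the mysql CLI strips
        // "#"-style comments client-side unless started with --comments.
        $taggedSql = "/* {$tag} */ {$sql}";

        $stmt = $this->pdo->prepare($taggedSql);
        $start = microtime(true);
        try {
            // User data travels as bound parameters, never inside the SQL text.
            $stmt->execute($params);
        } finally {
            // Log the statement text only; parameter values may be sensitive.
            $ms = (microtime(true) - $start) * 1000;
            $line = sprintf(
                "%s tag=%s duration_ms=%.1f rows=%d sql=%s\n",
                date('c'), $tag, $ms, $stmt->rowCount(), $taggedSql
            );
            file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
        }
        return $stmt;
    }
}

// Usage (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $runner = new TaggedQueryRunner($pdo);
// $runner->run('ticket-calc', 'UPDATE something SET amount = ? WHERE id = ?', ['input', 42]);
```

With `general_log` enabled, the logged statement starts with `/* ticket-calc */`, so the tag can be grepped for directly; tools that aggregate the slow log also keep the comment, which is what makes this more useful than the `AND 'ticket-calc' = true` trick.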
I wrote a script for someone where they can easily delete quiz results from a database. The general gist of the script is: the user enters a username, and the PHP script queries the database for quiz results pertaining to the username, then displays the results.
User can click delete link. Once this link is clicked, the results are then deleted and the database is re-queried showing updated results.
Everything seems to work fine on this end until I log into phpMyadmin to see that none of the results were deleted.
My question is: can this be something wrong with the database itself? Or phpMyAdmin?
Is there something wrong with how I'm doing my script?
Here is my code in this text file: http://andreawine.ladev.co/code-example.txt
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']." AND username='".$_GET['username']."'";
It appears that this line is missing a closing quotation mark around quizID. Try correcting it to be:
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']."' AND username='".$_GET['username']."'";
I should also mention that this isn't exactly the safest way to delete information, since it appears that I could use SQL injection for most of these fields (especially considering these $_GET variables appear on the URI!). Take a look at http://codex.wordpress.org/WordPress_Coding_Standards#Formatting_SQL_statements for WordPress's standards for SQL statements.
A very puzzling and exhausting problem of mine:
I developed an API to allow others to draw information from my database. My server collects the POSTed info, writes up a MySQL query, performs the query [$query = mysql_query($string, $connection);], and returns the results (very simple).
The problem is that sometimes (say 1 out of every 5 tries) no info is returned. My server logs say that the resource ($query) is boolean (and therefore no results). My server receives the info from the remote users of the API every single time; the problem seems to be that my queries are sometimes just not being performed...
Why is this happening?
Is it a MySQL performance issue? I never seem to have even a hint of a performance issue for queries made on my own page (i.e. not from the API)!
Please help...
Your query might be failing. Try doing this:
mysql_query($string, $conn)or die(mysql_error());
If the query is generating an exception/error, it will stop the script and display the MySQL error. Using that error, you can fix your query so that everything will work fine eventually.
By the way, you are using $string, but it might be a better idea to use $builtQuery, because "string" might be confusing if you are going to need to edit the script later on.
Greetings.
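Added example, not the asker's or answerer's code: the same API lookup written so that a failing query cannot be mistaken for an empty result, and so that the real MySQL error goes to the server log rather than to the remote caller. `or die(mysql_error())` does surface the error, but on an API endpoint it surfaces it to whoever sent the request, and the `mysql_*` extension it relies on was removed in PHP 7.0. Table and column names, the connection details, and the `$_POST['key']` parameter are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumptions: table api_items(id, value, item_key), connection placeholders,
// and a lookup key arriving in $_POST['key'].

declare(strict_types=1);

// Turn every mysqli failure into an exception instead of a silent "false".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function apiLookup(mysqli $db, string $key): array
{
    // Prepared statement: the POSTed value can never change the SQL text.
    $stmt = $db->prepare('SELECT id, value FROM api_items WHERE item_key = ?');
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

$key = (string)($_POST['key'] ?? '');
if ($key === '' || strlen($key) > 64) {
    respond(400, ['error' => 'invalid key']);
    exit;
}

try {
    $db = new mysqli('localhost', 'api_user', 'secret', 'app'); // placeholders
    $db->set_charset('utf8mb4');
    respond(200, ['results' => apiLookup($db, $key)]);
} catch (mysqli_sql_exception $e) {
    // Full detail (errno, message, SQL state) stays in the server log, where it
    // answers "why do 1 in 5 requests return nothing" ...
    error_log(sprintf('api query failed: [%d] %s sqlstate=%s key=%s',
        $e->getCode(), $e->getMessage(), $e->getSqlState(), $key));
    // ... while the remote client only learns that the request failed.
    respond(500, ['error' => 'internal error']);
}
```

With reporting set to `MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT`, a boolean `false` from the query layer is no longer possible; every failure either reaches the `catch` block or is logged, so intermittent failures show up in the server log with their error number instead of as missing results.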
I just found code like this in my new project, and I have no idea what it does.
$q = "SELECT getnewmsg(" . $_GET['messgae'] . " result)";
I searched for getnewmsg in the whole file system and did not find it. Can you please let me know what it actually means? I have never seen such a SQL statement.
If you want to know more about the procedure (in case it is a procedure), you may send the following query:
SHOW PROCEDURE STATUS LIKE 'getnewmsg';
For more information, see the MySQL manual for SHOW PROCEDURE STATUS.
"getnewmsg" is not found in a search of the MySQL site, so it is probably a stored procedure that has been added to your particular database. We have no way of telling what it does.
Looks like a stored function:
http://dev.mysql.com/doc/refman/5.0/en/create-procedure.html
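Added example (not from the thread): look the routine up in `information_schema`, which lists stored functions and stored procedures alike. That matters here because `getnewmsg(...)` is invoked inside a `SELECT`, which is how a stored function is called; `SHOW PROCEDURE STATUS` lists only procedures, and `SHOW FUNCTION STATUS` is its counterpart for functions. The query also returns `DEFINER` and `SECURITY_TYPE`, which tell you whose privileges the routine runs with, a detail worth checking for unknown code that is fed a raw `$_GET` value. Connection details are placeholders; the routine name is bound as a parameter rather than interpolated.

```php
<?php
// Added example, not from the original thread.
// Assumption: a PDO MySQL connection with SELECT on information_schema.

declare(strict_types=1);

function describeRoutine(PDO $pdo, string $name): ?array
{
    // information_schema.ROUTINES covers both FUNCTION and PROCEDURE rows, so it
    // does not matter which kind getnewmsg turns out to be.
    $stmt = $pdo->prepare(
        'SELECT ROUTINE_SCHEMA, ROUTINE_TYPE, DTD_IDENTIFIER AS return_type,
                DEFINER, SECURITY_TYPE, ROUTINE_DEFINITION
           FROM information_schema.ROUTINES
          WHERE ROUTINE_NAME = ?'
    );
    $stmt->execute([$name]); // bound, never concatenated into the SQL
    $routine = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($routine === false) {
        return null; // no stored routine of that name visible to this account
    }

    // Parameter list in declaration order; position 0 is a function's return
    // value, which is already reported above.
    $params = $pdo->prepare(
        'SELECT PARAMETER_MODE, PARAMETER_NAME, DTD_IDENTIFIER
           FROM information_schema.PARAMETERS
          WHERE SPECIFIC_SCHEMA = ? AND SPECIFIC_NAME = ? AND ORDINAL_POSITION > 0
          ORDER BY ORDINAL_POSITION'
    );
    $params->execute([$routine['ROUTINE_SCHEMA'], $name]);
    $routine['PARAMETERS'] = $params->fetchAll(PDO::FETCH_ASSOC);

    return $routine;
}

// Usage (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// print_r(describeRoutine($pdo, 'getnewmsg'));
```

`ROUTINE_DEFINITION` is only populated for the routine's definer or for accounts with the global `SELECT` privilege; other accounts see `NULL` there but still get the type, return type and parameter list. A `SECURITY_TYPE` of `DEFINER` means the routine executes with the definer's privileges, not the caller's, which is the case to look at closely when the argument comes straight from the request.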
So, I almost have my delete function working, I have the page loading correctly without any fatal errors but it's still not doing the trick.
Here is the portion of my while loop:
echo "<a href='http://www.###$#%##%#.org/Profile.php?id=".$prof->id."'>";
echo " delete";
echo "</a>";
And here's the portion of my query which is obviously wrong:
$query = "UPDATE `ProfileComments` SET `status` = 'dead' WHERE `id` = '".$prof->id."' LIMIT 1";
So, how do I get this to delete the comment on the page? And mark the status dead in the database?
From your SQL it looks like you are doing a soft delete, which is fine. Your select statement needs to exclude comments that have a status of 'dead':
SELECT columns FROM ProfileComments WHERE status != 'dead' AND id = {$prof->id}
Of course that's a guess without seeing how you populate prof->id when you generate the link.
There are a couple of other problems with your post, though:
As others have suggested, you should use parameterized queries; otherwise you leave yourself open to SQL injection.
You shouldn't be doing the delete via a GET request (using a naked anchor). Either do the delete using AJAX or via a form. Modifying server data via a GET is a bad practice.
Just because you're not seeing fatal errors, your code doesn't have to behave like you want it to.
Examine the content of $prof->id by, inside the loop, putting it through var_dump and then die; this will let you control what the property holds at the moment you want to print it out.
The same thing applies in your query, var_dump to see what it contains.
Not seeing more of your code (and not knowing your experience level), I'm not sure where you actually need help, so forgive me if my question/advice is obvious and too basic for you:
How is $prof->id getting populated in Profile.php? Are you pulling it off of the request (like so: $id = $_REQUEST["id"])?
And as Michael said, do please use parameterized queries. (If you don't care about children, at least think of the kittens!)
Your SQL statement looks fine, and the HTML code is fine too. To locate the problem:
You need to make sure your SQL is getting the right parameter, the id in this case. Just echo it out; if the id is missing or wrong, you know $prof->id needs fixing.
Also check the link dumped by your PHP: again, does it contain the right id?
Make sure you don't have any errors before you execute the SQL; basically, make sure that the SQL query statement is called, and make sure your DB connection is live.
When a MySQL statement is wrong it won't throw a fatal error; you need to print the error yourself with mysql_error().
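Added example serving both the quiz-results `DELETE` thread earlier on this page and the `ProfileComments` soft delete above; it is not the posters' code. It shows the mutation moved from a string-built query behind a GET link to a POST form carrying a CSRF token, with the ids bound through a prepared statement and the affected-row count checked, since "nothing was deleted" with no error is exactly the symptom both threads describe. Table and column names follow the threads; the connection details, the session-based token and the column types are assumptions.

```php
<?php
// Added example, not from the original threads.
// Assumptions: tables ProfileComments(id, status) and
// aw_wpsqt_user_data(quizID, username); PHP sessions available;
// connection details are placeholders.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

// One random token per session; the form embeds it and the handler checks it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// The delete control as a form: browsers, crawlers and link prefetchers never
// issue a POST just by following a link, unlike the original <a href=...>.
function deleteForm(int $commentId): string
{
    return sprintf(
        '<form method="post" action="/Profile.php">'
        . '<input type="hidden" name="csrf" value="%s">'
        . '<input type="hidden" name="id" value="%d">'
        . '<button type="submit">delete</button></form>',
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'),
        $commentId
    );
}

// Soft delete; returns the number of rows actually changed.
function softDeleteComment(mysqli $db, int $commentId): int
{
    $stmt = $db->prepare(
        "UPDATE ProfileComments SET status = 'dead' WHERE id = ? AND status <> 'dead'"
    );
    $stmt->bind_param('i', $commentId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Hard delete of quiz results: both values bound, so no quoting to get wrong.
function deleteQuizResults(mysqli $db, int $quizId, string $username): int
{
    $stmt = $db->prepare(
        'DELETE FROM aw_wpsqt_user_data WHERE quizID = ? AND username = ?'
    );
    $stmt->bind_param('is', $quizId, $username);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Handler: accept only a POST that carries this session's token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals(csrfToken(), (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('bad id');
    }

    $db = new mysqli('localhost', 'app_user', 'secret', 'app'); // placeholders
    $changed = softDeleteComment($db, $id);

    // A zero count is the silent failure both threads hit; report it instead of
    // just re-rendering the page as if the row had gone.
    echo $changed === 1 ? 'deleted' : 'nothing to delete';
}
```

The token check stops other sites from submitting the form on a logged-in user's behalf; it does not decide whether this user is allowed to delete that particular comment, so the handler should still verify ownership (for example by adding the owner's id to the `WHERE` clause) before calling `softDeleteComment`.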