I'm trying to pass a variable in the select portion of one of my mysql statements here but am not getting the desired result. Heres a snippet of my code:
if(isset($_GET['send'])) {
$send='ra_dccr.'.$_GET['send'];
}
$query = $link->prepare("SELECT locale.id, locale.provider_num, locale.provider_name, :var as ccr
FROM `ra_dccr`
INNER JOIN `locale`
ON ra_dccr.id = locale.id
WHERE locale.report_record_num LIKE concat ('%',:recordnum,'%')
$query->bindParam(':var', $send, PDO::PARAM_STR);
$query->execute();
My issue is that ccr is displaying as ra_dccr.{value of $send}
instead of the actual value that should be pulled from the database when I fetch the result. Am I actually allowed to use variables in this way in a select statement? How can I get sql to look for the appropriate column name this way. For instance if send is ct_scan, it should look for ra_dccr.ct_scan and then pull the val.
Thanks in advance
Heres an image of what is happening
No, this is not possible. Parameters are for passing values to a query. And that's what happens here: the value you pass to :var is returned literally.
If you want to use a dynamic field name, build the query using the actual field name without using bind parameters:
"SELECT locale.id, locale.provider_num, locale.provider_name, $send as ccr
The best way to do this is to verify the value of $_GET['send'] first. Maybe you can even check it against a whitelist of allowed fields.
if (!in_array($_GET['send'], array('field1', 'field3', 'field30'))) {
die('invalid field!');
}
Related
I basically have a search box where the user types in something and the values are sent to another PHP file via GET and I am to search for the value in 2 different columns and print all the results.
$search_for= $_GET['search'];
$stmt = $pdo->prepare('SELECT DISTINCT name,location FROM answers
WHERE name LIKE "%:variable%" OR
WHERE location LIKE "%:variable%"');
$stmt->execute([':variable' => $search_for ]);
I used Distinct, in case there are repeated answers, I don't want to print them more than twice. Also, I am unsure whether the "%:variable%" part of the code is the problem.
You have several error .. remove the comma before FROM, use just one where, use concat for form the like condition properly (not "%:variable%" ) and last use use two binding param then you should pass two values
$stmt = $pdo->prepare('SELECT DISTINCT name,location
FROM answers
WHERE name LIKE concat("%", :variable1, "%") OR
location LIKE concat("%", :variable2, "%")');
$stmt->execute([':variable1' => $search_for, ':variable2' => $search_for]);
I pass two different values into the file, one which the user entered and the other which is selected from a predefined set of values in a drop down menu, which is the one i'm having trouble with.
When using a single placeholder for the query it works,for example:
$result = pg_query_params($con, "SELECT * FROM chemsub WHERE name like $1", array("%".$_REQUEST['term']."%"));
I want to alter the query so the user can change which column they are searching i can't seem to get it to work, here is what i have
$result = pg_query_params($con, "SELECT * FROM chemsub WHERE $1 like $2", array($_REQUEST['dropdown'],"%".$_REQUEST['term']."%"));
I know the correct value is being passed into the file with the correct spelling matching a column name in the database but for some reason it returns no rows.
Any help would be much appreciated.
You can't have params in place of identifiers. If you want to have a dynamic column being queried again you can either prepare the query text in php or have the sql look like ($1 = 'foo' AND foo LIKE $2) OR ($1 = 'bar' ANd bar LIKE $2.`
$content is a variable with a 'detailed description'.
product_id is column which might contain a substring of the detailed description ($content) in a MySQL table called products
I am trying to create a select statement that would find a record if the product_id is CONTAINED in the $content variable. Then I want to update another table called receive_sms with the url field from the SELECT staement
Researching on the website I have come up with the following.... But it doesn't work
$mysqlic = mysqli_connect("testsms.cloudaccess.net", "username", "password", "testsms2");
$prod_res=mysqli_query($mysqlic,"SELECT url from products
WHERE %product_id% LIKE %$content%");
mysqli_query($mysqlic,"INSERT INTO recieve_sms (comments) VALUES ('$prod_res')");
Any Ideas??
It should be:
$prod_res = mysqli_query($mysqlic, "SELECT url from products
WHERE '$content' LIKE CONCAT('%', product_id, '%')");
or:
$prod_res = mysqli_query($mysqlic, "SELECT url from products
WHERE LOCATE(product_id, '$content') != 0");
You need to put $content in quotes.
Actually, it would be better if you used a prepared query, then '$content' would become a placeholder ?.
After you query, you need to call mysqli_fetch_assoc() to get the column value:
$row = mysqli_fetch_assoc($prod_res);
$url = $row['url'];
Well, first of all, I don't understand why you're using wildcards on you field name. You want to check if a value is contained within the value of that field, consider changing this:
... WHERE %product_id% LIKE %$content%);
to
... WHERE product_id LIKE '%$content%');
Also, please, use prepared statements to avoid SQL injection. You're using MySQLi, which supports them.
EDIT
Also, the return of a mysqli_query is a MySQLi Resource. You'll have to fetch the results from the resource to gain access to the value you're looking for.
This is probably an extremely simple question, but i just cant find the answer anywhere!
I have a query that returns one row from my database.
I'm using mysqli to bind parameters and then execute it like so:
$sql_query = $mysqli->prepare("SELECT ID FROM `Author` WHERE `Name` = ? LIMIT 1;");
$sql_query->bind_param('s', $author);
$sql_query->execute();
$sql_query->store_result();
$sql_query->bind_result($authorID);
I want to store the ID into a variable to use in another query but its not working. The only way ive got it to work is with a while loop like so:
while($sql_query->fetch()){
echo "ID: $authorID";
}
But because there is only ever one row, i dont want to use a while loop. How can i use the result variable without the while loop?
I think you just need to fetch the row from the table
$sql_query->bind_result($authorID);
$sql_query->fetch();
Now you are able to print your value
echo $authorID;
I need effective some solution for the following issue:
For some reason that would be too much time-consuming to explain properly, I need a PDO prepare statemnt sorta looking this way:
'SELECT field, another field, blabla FROM table WHERE some_foreign_id = first_val AND the_same_foreign_id = second_val AND again_the_same_id = third val ......'
and Id wish to fill the values with an array of unknown size, that depends on how many fields in that foreign table fits to a certain category in yet another table.
So the querstion is: is it even possible or should I give it up and find some naive walkaround?
Thanks in advance!
Mac
You can pass an array of values into stmt ->execute($array); The only tricky part would be getting the number of question marks to enter.
$foreign_ids = array(foreign_id_1, foreign_id_2, foreign_id_3); //etc
$input_list = substr(str_repeat(',?', count($foreign_ids)), 1); //this gets you the correct number of ? to use for your query
// if you need add another value to the parameters you can use array_push($foreign_ids,$your_other_param);
$stmt= $dbh->prepare("
SELECT field, another_field
WHERE some_foreign_id = ($input_list)");
$stmt->execute($foreign_ids);
It should be possible. You'll need to generate your query dynamically with question marks for parameters, and then bind with an array at the point of execution.
See example 3 on the PDO::execute page of the PHP docs.