php get query quotation marks [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I've written a $_GET query that passes strings on from a URL to a select query used to find information in MySQL.
The problem is, unless the URL query includes quotation marks, it won't work.
Is there any way to pass a string without the quotation marks?
Here's the relevant code:
$query = $_GET['query'];
connect to database code..
$sql = "SELECT * FROM table1 WHERE col1 RLIKE $query";
result code ...

$sql = "SELECT * FROM table1 WHERE col1 LIKE '".addslashes($_GET['query'])."'";
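As an added example (not code from the question or from the answer above), here is the same lookup written two ways: the questioner's string-building, which needs the caller to supply the quotes, and a prepared statement, where the value never touches the SQL text at all, which is what the duplicate target recommends. It runs offline against an in-memory SQLite database through PDO; the table, its rows and the two inputs are constructed here. In MySQL the prepared form is identical, and RLIKE takes a bound parameter exactly as LIKE does.

```php
<?php
// Added example, not from the original post: concatenated SQL versus a
// prepared statement. PDO + in-memory SQLite so it runs without a server;
// the table, rows and the stand-in for $_GET['query'] are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, col1 TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO table1 (col1) VALUES (?)');
foreach (['alpha report', 'beta report', 'gamma summary'] as $row) {
    $insert->execute([$row]);
}

// 1. The original pattern: the raw value is pasted into the SQL text.
//    Without quotes the value is parsed as a column name (hence "it won't
//    work"); when the caller adds the quotes it "works", which means the
//    caller is writing part of the SQL statement.
function searchConcatenated(PDO $pdo, string $query): array
{
    $sql = "SELECT id, col1 FROM table1 WHERE col1 LIKE '%$query%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN, 1);
}

// 2. Prepared statement: the SQL text is fixed and the value is sent
//    separately, so no quoting is needed in the URL and none can be broken
//    out of. The wildcards are added to the value in PHP, not to the SQL.
function searchPrepared(PDO $pdo, string $query): array
{
    $stmt = $pdo->prepare('SELECT id, col1 FROM table1 WHERE col1 LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $query . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Constructed inputs: an ordinary search and an injection attempt that
// closes the quoted literal and appends an always-true condition.
$normal  = 'report';
$hostile = "%' OR '1'='1";

// Concatenated: the hostile input turns the WHERE clause into
//   WHERE col1 LIKE '%%' OR '1'='1%'
// and LIKE '%%' matches every row in the table.
printf("normal,  concatenated: %s\n", implode(', ', searchConcatenated($pdo, $normal)));
printf("hostile, concatenated: %s\n", implode(', ', searchConcatenated($pdo, $hostile)));

// Prepared: the whole hostile string is compared as data against col1,
// so the OR clause never becomes part of the statement.
printf("normal,  prepared:     %s\n", implode(', ', searchPrepared($pdo, $normal)));
printf("hostile, prepared:     %s\n", implode(', ', searchPrepared($pdo, $hostile)));
```

Run it with `php search.php` (it needs the pdo_sqlite extension, which most PHP builds include). Two caveats a practitioner will want: binding stops the value from changing the statement, but it does not change LIKE semantics, so a user-supplied `%` or `_` is still a wildcard and a literal substring search needs those characters escaped together with an `ESCAPE` clause; and `addslashes()` is not a substitute for binding, because it knows nothing about the connection's character set and still leaves the quoting to the string-building code that caused the problem.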

How to put variable in a query? [duplicate]

This question already has answers here:
What is the difference between single-quoted and double-quoted strings in PHP?
(7 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I am trying to filter data from the database by adding a variable into the query. The query that I have made is like this:
$data = $this->db->query('SELECT channel, MIN(product_name) as product_name, SUM(revenue) AS revenue FROM my_test_table WHERE channel = "chanel1" AND province=$area GROUP BY SUBSTRING(product_name, 1, 3)')->result();
But it results in this message:
Error Number: 1054
Unknown column '$area' in 'where clause'
I use the "$area" variable in the query to filter the data dynamically based on the input from the user. So $area is a variable that is assigned a value from the input.
The CodeIgniter way for your example is:
$data = $this->db->select('channel, MIN(product_name) as product_name, SUM(revenue) AS revenue')
->where('channel','chanel1')
->where('province',$area)
->group_by('SUBSTRING(product_name, 1, 3)')
->get('my_test_table')
->result();
The CodeIgniter Query Builder class creates a query string, which escapes the columns properly.
$data = $this->db->query('SELECT channel, MIN(product_name) as product_name, SUM(revenue) AS revenue FROM my_test_table WHERE channel = "chanel1" AND province='.$area.' GROUP BY SUBSTRING(product_name, 1, 3)')->result();
Note that this solution is probably not secure: the variable can be SQL injected. I offer the solution for your consideration.

prepared statement without values and before html output [duplicate]

This question already has answers here:
Can you omit PDO prepare if there's no placeholder/dynamic data in a query?
(3 answers)
Closed 4 years ago.
$sql = "select col1, col2, col3 from t1 order by date desc limit 500";
There is no place for binding anything, so do I need (and how) to make a prepared statement?
Another example:
$sql = "select col1 from t1 where col1 = 'val1' order by date desc";
If this code is placed before html output (while loading the page, without any user input values), do I need the prepared statement?
I suppose SQL injection is not possible if there is not yet any interaction with users.
You don't need prepared statements if the query isn't expecting user supplied arguments.

PHP - SQL Select filter between two tables on id [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Reference - What does this error mean in PHP?
(38 answers)
Closed 4 years ago.
Could someone help me fix the code below, please:
$decision = mysqli_real_escape_string($conn, $_POST['decision']);
$sql = "SELECT * FROM user1 WHERE 'fao' LIKE '%decision%' AND id NOT IN (SELECT id FROM assigned)";
$result=mysqli_query($conn, $sql);
The fao field only ever has two values, Nurse or Dietitian. The issue is with my SELECT statement. In the assigned table, there are two columns, an id value and the name of a user. What I am trying to do is: if the id value exists in the 'assigned' table, then I would like to remove it from the results of SELECTing all from 'user1'. I am then echoing these results into a table. Thanks!

mysql where clause restriction? [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I use the PHP code below to generate a random id number
md5(uniqid(rand(), true))
The type of string it generates is something like this
9a423553ce53c4d7a6199fa9254bfdc5
I use that as an ID in a MySQL table, then I do a standard select query
SELECT * FROM table WHERE id = 9a423553ce53c4d7a6199fa9254bfdc5
I get this error
Unknown column '9a423553ce53c4d7a6199fa9254bfdc5' in 'where clause'
if I just change the id to a simple number like 1 it works.
Why is this?
Have you tried encapsulating that in quotes? In your query, id = 9a423553ce53c4d7a6199fa9254bfdc5 reads like a comparison of two columns, as in id = other_id. MySQL needs to know how to handle your query.
For clarification, should be: SELECT * FROM table WHERE id = '9a423553ce53c4d7a6199fa9254bfdc5';
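As an added example covering both the `fao` query two posts up and the md5 id question just above (not code from either post), here is what MySQL-style quoting does with an unquoted token, a single-quoted token and a backtick-quoted token, and what the `fao` query looks like once the column is quoted as an identifier and the request value is bound. It runs offline against an in-memory SQLite database through PDO; the tables, rows and the stand-in for `$_POST['decision']` are constructed here. SQLite accepts backtick identifiers and fails on a missing column much as MySQL does, so it reproduces the behaviour the two questions ran into.

```php
<?php
// Added example, not from either post: how SQL reads unquoted, single-quoted
// and backtick-quoted tokens. PDO + in-memory SQLite; the tables, rows and
// the $decision value are constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user1 (id TEXT PRIMARY KEY, name TEXT NOT NULL, fao TEXT NOT NULL)');
$pdo->exec('CREATE TABLE assigned (id TEXT PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO user1 (id, name, fao) VALUES (?, ?, ?)');
$ins->execute(['9a423553ce53c4d7a6199fa9254bfdc5', 'ann', 'Nurse']);      // id from the question
$ins->execute(['0d1f4c0d7f9f4a5c8e3b2a1f0c9d8e7b', 'bob', 'Dietitian']);  // constructed
$ins->execute(['c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8', 'cat', 'Nurse']);      // constructed
$pdo->exec("INSERT INTO assigned (id, name) VALUES ('c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8', 'cat')");

// Runs one statement and reports either the first column of every row or
// the database error, so each quoting variant can be compared side by side.
function run(PDO $pdo, string $sql, array $params = []): string
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return 'rows: ' . json_encode($stmt->fetchAll(PDO::FETCH_COLUMN, 0));
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// (a) Unquoted token: parsed as a column name. The server looks for a column
//     called Nurse and fails; MySQL reports it as "Unknown column 'Nurse'".
//     This is exactly what happened to the unquoted md5 id.
echo "(a) ", run($pdo, 'SELECT name FROM user1 WHERE fao = Nurse'), "\n";

// (b) Single quotes make a string literal. 'fao' LIKE '%decision%' compares
//     the three-letter string fao against the pattern, never the column, so
//     every row gets the same (false) answer.
echo "(b) ", run($pdo, "SELECT name FROM user1 WHERE 'fao' LIKE '%decision%'"), "\n";

// (c) Backticks quote an identifier, single quotes quote the value: the fix
//     for the md5 id query.
echo "(c) ", run($pdo, "SELECT name FROM user1 WHERE `id` = '9a423553ce53c4d7a6199fa9254bfdc5'"), "\n";

// (d) The fao query as intended: column in backticks, the request value bound
//     as a parameter with the wildcards added in PHP, and the subquery
//     excluding ids already present in assigned.
$decision = 'Nurse';   // stands in for $_POST['decision']
echo "(d) ", run(
    $pdo,
    'SELECT name FROM user1 WHERE `fao` LIKE ? AND `id` NOT IN (SELECT `id` FROM assigned)',
    ['%' . $decision . '%']
), "\n";
```

The rules that fall out of this: single quotes always make a string value, backticks always make an identifier, an unquoted word is an identifier, and double quotes are a string in MySQL's default mode but an identifier under ANSI_QUOTES, so they are best avoided. Anything that comes from the request should be bound, as in (d), rather than quoted by hand. Separately, if the hex id is meant to be unguessable, md5(uniqid(rand(), true)) is not: rand() and uniqid() are predictable, and bin2hex(random_bytes(16)) gives a 32-character hex id from a CSPRNG.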

mysqli select all rows starting with letter [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I'm converting all my MySQL pages to MySQLi. I need to select all rows where a column starts with a letter.
With MySQL, if I wanted all rows starting with P, I used to add % to P, so I'd search all entries LIKE P%, but it's not working with MySQLi.
If $type = P%
$result = $mysqli->query("SELECT * FROM my_table WHERE column LIKE $type");
I get no results.
I appreciate any help you can provide.
Try putting quotes around the variable in the query so that it looks like this :
$result = $mysqli->query("SELECT * FROM my_table WHERE column LIKE '$type'");
This will probably solve the problem.
