This question already has answers here:
How do I migrate my site from mysql to mysqli? [duplicate]
(3 answers)
Closed 3 years ago.
How can I change this into mysqli?
// add meta_key to the query
$get_user_data = mysql_query("SELECT `meta_value`,`meta_key` FROM `table` WHERE `user_id` = $user_id", $link);
// use _assoc instead of _array, we do not need the numerical indexes.
while($row=mysql_fetch_assoc($get_user_data)){
$userdata[$row['meta_key']] = $row['meta_value'];
}
Just simple changes you have to make in your code:
// add meta_key to the query
$get_user_data = mysqli_query($link,"SELECT `meta_value`,`meta_key` FROM `table` WHERE `user_id` = $user_id");
// use _assoc instead of _array, we don't need the numerical indexes.
while($row=mysqli_fetch_assoc($get_user_data))
{
$userdata[$row['meta_key']] = $row['meta_value'];
}
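The same query done with a mysqli prepared statement, so `$user_id` is bound as a parameter instead of being interpolated into the SQL. This is an added example, not code from the question or the answer; `$link`, the `table` name and the `meta_key`/`meta_value` columns are taken from the thread, `loadUserMeta` is a hypothetical name.

```php
<?php
// Added example: the meta query from the thread as a mysqli prepared
// statement, so $user_id never becomes part of the SQL text.
function loadUserMeta(mysqli $link, int $userId): array
{
    $stmt = $link->prepare(
        'SELECT `meta_key`, `meta_value` FROM `table` WHERE `user_id` = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('i', $userId);   // 'i' = integer parameter
    $stmt->execute();
    $result = $stmt->get_result();     // needs the mysqlnd driver

    $userdata = [];
    while ($row = $result->fetch_assoc()) {
        $userdata[$row['meta_key']] = $row['meta_value'];
    }
    $stmt->close();
    return $userdata;
}

// Usage (assumes $link is an open mysqli connection, as in the thread):
// $userdata = loadUserMeta($link, (int) $_GET['user_id']);
```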
This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Closed 2 years ago.
I have to select some rows from the database using IN operator. I want to do it using prepared statement. This is my code:
<?php
$lastnames = array('braun', 'piorkowski', 'mason', 'nash');
$in_statement = '"' . implode('", "', $lastnames) . '"'; //"braun", "piorkowski", "mason", "nash"
$data_res = $_DB->prepare('SELECT `id`, `name`, `age` FROM `users` WHERE `lastname` IN (?)');
$data_res->bind_param('s', $in_statement);
$data_res->execute();
$result = $data_res->get_result();
while ($data = $result->fetch_array(MYSQLI_ASSOC)) {
...
}
?>
But it returns nothing, although all the data exists in the database. And one more thing: if I pass $in_statement directly to the query and execute it, the data is returned. So the problem appears on preparing. I was looking for the question on Google but it wasn't successful. What's wrong with my code? Thanks for the help!
I've recently found the solution for my question. Maybe it's not the best way to do it, but it works nicely! Prove me wrong :)
<?php
$lastnames = array('braun', 'piorkowski', 'mason', 'nash');
$arParams = array();
foreach($lastnames as $key => $value) //recreate an array with parameters explicitly passing every parameter by reference
$arParams[] = &$lastnames[$key];
$count_params = count($arParams);
$types = str_repeat('s',$count_params); //add type for each variable (i,d,s,b); the last names are strings, so 's'. You can also determine the type of each variable automatically (is_int, is_float, is_string) in a loop, but I don't need it
array_unshift($arParams,$types);
$q = array_fill(0,$count_params,'?'); //form string of question marks for statement
$params = implode(',',$q);
$data_res = $_DB->prepare('SELECT `id`, `name`, `age` FROM `users` WHERE `lastname` IN ('.$params.')');
call_user_func_array(array($data_res, 'bind_param'), $arParams);
$data_res->execute();
$result = $data_res->get_result();
while ($data = $result->fetch_array(MYSQLI_ASSOC)) {
...
}
$result->free();
$data_res->close();
?>
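A shorter way to do the same thing on PHP 5.6 and later: one `?` per value, and the values passed to `bind_param` with argument unpacking, which satisfies the by-reference parameters without the manual `&$` loop or `call_user_func_array`. This is an added example, not code from the answer; `$_DB` and the `users` table are taken from the thread, `findByLastnames` is a hypothetical name, and the empty-list case is handled because `IN ()` is a syntax error in MySQL.

```php
<?php
// Added example: IN (...) with a dynamic placeholder list, bound with
// argument unpacking instead of call_user_func_array and references.
function findByLastnames(mysqli $db, array $lastnames): array
{
    if ($lastnames === []) {
        return [];                // "IN ()" is a MySQL syntax error
    }
    $lastnames = array_values($lastnames);          // reindex 0..n-1
    $placeholders = implode(',', array_fill(0, count($lastnames), '?'));
    $types = str_repeat('s', count($lastnames));    // every value is a string

    $stmt = $db->prepare(
        "SELECT `id`, `name`, `age` FROM `users` WHERE `lastname` IN ($placeholders)"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // bind_param takes its arguments by reference; unpacking a variable
    // array passes its elements by reference (PHP 5.6+).
    $stmt->bind_param($types, ...$lastnames);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // mysqlnd
    $stmt->close();
    return $rows;
}

// $rows = findByLastnames($_DB, ['braun', 'piorkowski', 'mason', 'nash']);
```

Only the placeholder list is built from the array's size; the values themselves never touch the SQL string, so the number of names does not change the injection surface.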
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I have a query like this:
update T_table set detail = 'XXXX' where num = 155;
which on my php file looks like this:
$sql = "update T_table set ".$_GET['field']." = '".$_GET['value']."' where num = ".$_GET['num'];
$output = mysql_query($sql);
I would like to know if it is possible to inject SQL where the XXXX are in the query, because they will be replaced by a string from $_GET, and if it is possible, how would you do it?
Important: My MYSQL database is not allowing double pipes (||) as a concatenation operator.
You should use PDO's prepared statements:
$query = $db->prepare("update T_table set detail = :detail where num = :num;");
$query->bindParam(":detail", $_GET['detail']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
if you need multiple fields this gets a little more complicated as the user's input can't really be trusted with arbitrary fields:
$allowedFields = ["detail", "cost", "name"];
$field = $_GET['field'];
if (in_array($field, $allowedFields, true)) { // strict comparison, and the missing ')' added
$query = $db->prepare("update T_table set $field = :value where num = :num;");
$query->bindParam(":value", $_GET['value']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
}
This question already has answers here:
mysqli last insert id
(3 answers)
Closed 6 years ago.
How do I get the id of the last INSERT query using a prepared statement?
I wrote some PHP but I only get "0" as a result.
I tried to use the answer from this question: Similar question on SO
$locationName = $_GET['locationName'];
$locationResume = $_GET['locationResume'];
$sql = "INSERT INTO location (locationTitle, locationResume) VALUES (?,?);";
if ($locationName != null && $locationResume != null ) {
if ($stmt = $con->prepare($sql)) {
$stmt->bind_param("ss", $locationName, $locationResume);
$locationId = $con->insert_id;
#$locationId = $con->execute();
echo $locationId;
}
}
Thank you for your help.
You can get insert_id only after the query has been executed.
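The question's code with the order fixed: bind, execute, and only then read `insert_id`. This is an added example, not code from the question or the answer; `$con`, the `location` table and its columns are taken from the thread, `insertLocation` is a hypothetical name.

```php
<?php
// Added example: insert_id is populated by execute(), so the insert is
// wrapped in a function that executes first and returns the new id.
function insertLocation(mysqli $con, string $title, string $resume): int
{
    $stmt = $con->prepare(
        'INSERT INTO location (locationTitle, locationResume) VALUES (?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $title, $resume);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = $stmt->insert_id;   // same value as $con->insert_id at this point
    $stmt->close();
    return $id;
}

// Read the inputs as in the question; treat empty strings as missing
// rather than comparing against null.
$locationName   = trim($_GET['locationName'] ?? '');
$locationResume = trim($_GET['locationResume'] ?? '');
if ($locationName !== '' && $locationResume !== '') {
    echo insertLocation($con, $locationName, $locationResume);
}
```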
This question already has answers here:
mysqli_fetch_array returning only one result
(3 answers)
Closed 6 years ago.
I need only the values of one column in an array. Without php I would use "SELECT valueX FROM tableY".
This does not work with php. I only get one result.
This is what I have:
$salty = "SELECT salt FROM login";
$salts = mysqli_query($connection, $salty);
$validsalts = mysqli_fetch_array($salts);
You have to loop to fetch all the values.
For example:
$salty = "SELECT salt FROM login";
$salts = mysqli_query($connection, $salty);
while($validsalts = mysqli_fetch_array($salts))
{
echo $validsalts['salt'];
}
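If the goal is "only the values of one column in an array", the rows can be fetched in one go and the column pulled out with `array_column`, so no manual loop is needed. This is an added example, not code from the answer; `$connection` and the `salt`/`login` names are taken from the thread, `fetchColumn` is a hypothetical name.

```php
<?php
// Added example: collect one column of every row into a plain array.
function fetchColumn(mysqli $connection, string $sql, string $column): array
{
    $result = mysqli_query($connection, $sql);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysqli_error($connection));
    }
    // fetch_all needs the mysqlnd driver; array_column keeps one field per row.
    $values = array_column(mysqli_fetch_all($result, MYSQLI_ASSOC), $column);
    mysqli_free_result($result);
    return $values;
}

// $validsalts = fetchColumn($connection, 'SELECT salt FROM login', 'salt');
// gives e.g. ['salt1', 'salt2', ...], one entry per row
```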
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar, so for example, if I use ' it fails. I am using prepare, but it's just the apostrophe that fails to work?
if($_POST['ourstory']) {
foreach($_POST['ourstory'] as $id => $ourstory) {
$sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
$q = $db->prepare($sql);
$q->execute(array($id,$ourstory));
}
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));
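The loop from the question done this way, with the statement prepared once outside the loop and executed per row inside a transaction; the apostrophe is no longer a problem because `$ourstory` travels as a bound value, not as part of the SQL text. This is an added example, not code from the answer; `$db`, the `our_story` table and the `$_POST['ourstory']` shape are taken from the thread, `saveOurStory` is a hypothetical name.

```php
<?php
// Added example: the update loop with one prepared statement reused for
// every row, explicit parameter types, and a transaction around the batch.
function saveOurStory(PDO $db, array $stories): int
{
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $db->prepare('UPDATE our_story SET content = ? WHERE id = ?');
    $updated = 0;
    $db->beginTransaction();
    try {
        foreach ($stories as $id => $content) {
            // Quotes in $content are sent as data; the SQL text is fixed.
            $stmt->bindValue(1, (string) $content, PDO::PARAM_STR);
            $stmt->bindValue(2, (int) $id, PDO::PARAM_INT);
            $stmt->execute();
            $updated += $stmt->rowCount();
        }
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
    return $updated;
}

if (!empty($_POST['ourstory']) && is_array($_POST['ourstory'])) {
    $rowsChanged = saveOurStory($db, $_POST['ourstory']);
}
```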