This PDO prepare statement won't work *how do i fix*? - php

$checkUser1 = "SELECT * FROM users WHERE username='$username'";
$checkUser = $handler->prepare($checkUser1);
$checkUser->execute(array(':username' => $username));
$cU = ($checkUser->rowCount());
This won't work, I'm not really sure how I should fix it.
It's a PDO prepare statement.

This
$checkUser1 = "SELECT * FROM users WHERE username='$username'";
should be
$checkUser1 = "SELECT * FROM users WHERE username=:username";
This way you can bind the variable to the parameter like you are trying in your execute array.
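The corrected lookup written out in full, as an added example that is not the original poster's or answerer's code. It runs on an in-memory SQLite database with constructed rows so no MySQL server is needed; the SQL is the same for MySQL. It also counts with COUNT(*) rather than rowCount(), because PDO does not guarantee rowCount() for SELECT statements on every driver.

```php
<?php
// Added example: the user-existence check with a named placeholder.
// Constructed sample data on in-memory SQLite; the statement is driver-neutral.
$handler = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$handler->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$handler->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

function userExists(PDO $handler, string $username): bool
{
    // The placeholder stays in the SQL text and the value travels separately
    // at execute(), so quotes in $username are data, not syntax.
    // COUNT(*) + fetchColumn() replaces rowCount(), which PDO does not
    // guarantee for SELECT on every driver.
    $checkUser = $handler->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :username'
    );
    $checkUser->execute([':username' => $username]);
    return (int) $checkUser->fetchColumn() > 0;
}

var_dump(userExists($handler, 'alice'));
var_dump(userExists($handler, "o'brien"));   // the apostrophe needs no escaping
var_dump(userExists($handler, 'carol'));
```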

Related

ADOdb and Previewing Prepared Statements (PHP)

According to: https://adodb.org/dokuwiki/doku.php?id=v5:userguide:portable_sql#prepare_execute
$stmt = $db->prepare("SELECT * FROM customers WHERE custid=? AND state=?");
$rs = $db->execute($stmt, array(999,'New York'));
How does one preview the SQL that ADOdb prepares without executing it first? Namely:
"SELECT * FROM customers WHERE custid=999 AND state='New York'"
This class provides a solution:
https://github.com/jasny/dbquery-mysql/blob/master/src/Jasny/DB/MySQL/QuerySplitter.php
use Jasny\DB\MySQL\QuerySplitter;

$stmt = "SELECT * FROM customers WHERE custid=? AND state=?";
$params = array(999,'New York');
$split = new QuerySplitter;
$query = $split->bind($stmt , $params);
die($query);
//SELECT * FROM customers WHERE custid=999 AND state='New York'
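For readers who do not want to pull in a library, here is an added example (not ADOdb's or jasny/dbquery's code) that renders a positional-placeholder statement with its parameters substituted, for logging and debugging only. It skips `?` characters inside quoted literals and checks that the parameter count matches; the rendered string is not what the driver executes and must never be run.

```php
<?php
// Added example: render a '?' statement with its parameters for display only.
function previewSql(string $sql, array $params): string
{
    $out = '';
    $quote = null;   // delimiter of the string literal we are inside, if any
    $next = 0;       // index of the next parameter to substitute
    for ($pos = 0, $len = strlen($sql); $pos < $len; $pos++) {
        $ch = $sql[$pos];
        if ($quote !== null) {
            // Inside a literal: copy verbatim, honouring \x and doubled-quote escapes.
            $out .= $ch;
            if ($ch === '\\' && $pos + 1 < $len) {
                $out .= $sql[++$pos];
            } elseif ($ch === $quote) {
                if ($pos + 1 < $len && $sql[$pos + 1] === $quote) {
                    $out .= $sql[++$pos];
                } else {
                    $quote = null;
                }
            }
        } elseif ($ch === "'" || $ch === '"' || $ch === '`') {
            $quote = $ch;
            $out .= $ch;
        } elseif ($ch === '?') {
            // A '?' outside any literal is a placeholder.
            if (!array_key_exists($next, $params)) {
                throw new InvalidArgumentException("no value for placeholder $next");
            }
            $out .= renderLiteral($params[$next++]);
        } else {
            $out .= $ch;
        }
    }
    if ($next !== count($params)) {
        throw new InvalidArgumentException('parameter count does not match placeholders');
    }
    return $out;
}
// Format one value as a MySQL-style literal for display.
function renderLiteral($value): string
{
    if ($value === null) return 'NULL';
    if (is_bool($value)) return $value ? '1' : '0';
    if (is_int($value) || is_float($value)) return (string) $value;
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], (string) $value) . "'";
}
echo previewSql('SELECT * FROM customers WHERE custid=? AND state=?', [999, 'New York']), "\n";
echo previewSql("SELECT * FROM t WHERE note='why?' AND id=?", [7]), "\n";
```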

PHP many variables in WHERE clause MySQL

Here I want to add another variable using AND.
$query = $db->prepare("SELECT *
FROM messages WHERE Subject_Code = ' ".$_SESSION['sub1']." ' ");
I want to add Week = ' ".$_SESSION["weekS1"]." ' to this query using AND. How can I do it?
PHP PDO supports positional (?) and named (:email) placeholders; the latter always begins with a colon and can be written using letters, digits and underscores only. Also note that no quotes should ever be used around placeholders.
Eg:
The following becomes
$sql = "SELECT * FROM users WHERE email = '$email' AND status='$status'";
To
$sql = 'SELECT * FROM users WHERE email = ? AND status=?';
OR
$sql = 'SELECT * FROM users WHERE email = :email AND status=:status';
With placeholders, you have to prepare the query, using the PDO::prepare() method.
To get the query executed, you must run the execute() method of this object, passing the variables in it in the form of an array:
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ? AND status=?');
$stmt->execute([$email, $status]);
$user = $stmt->fetch();
// or
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email AND status=:status');
$stmt->execute(['email' => $email, 'status' => $status]);
$user = $stmt->fetch();
A very good reference for a full tutorial: https://phpdelusions.net/pdo
If you are using PHP5+, you are supposed to bind your parameters outside of the query string when executing your statement.
Example:
$query = $db->prepare('SELECT * FROM messages WHERE Subject_Code = :subj AND Week = :week');
$query->execute(array(
':subj' => $_SESSION['sub1'],
':week' => $_SESSION["weekS1"],
));
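The two answers above show a fixed pair of conditions. As an added example (not from the question or either answer), the same idea generalised to a variable number of AND conditions: column names come from a fixed allowlist, since identifiers cannot be bound, and only values go through placeholders. It runs on in-memory SQLite with constructed rows; `$session` stands in for `$_SESSION`.

```php
<?php
// Added example: build WHERE ... AND ... from an allowlisted set of columns,
// binding every value positionally. Constructed data on in-memory SQLite.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, Subject_Code TEXT, Week TEXT, Body TEXT)');
$db->exec("INSERT INTO messages (Subject_Code, Week, Body) VALUES
           ('CS101', '1', 'Welcome'), ('CS101', '2', 'Loops'), ('MA200', '1', 'Sets')");

// Only these columns may appear in a WHERE clause.
const ALLOWED_FILTERS = ['Subject_Code', 'Week'];

/**
 * @param array<string,string> $filters column => value pairs
 */
function findMessages(PDO $db, array $filters): array
{
    $where = [];
    $values = [];
    foreach ($filters as $column => $value) {
        // Identifiers cannot be bound, so anything off the allowlist is rejected.
        if (!in_array($column, ALLOWED_FILTERS, true)) {
            throw new InvalidArgumentException("Unknown filter column: $column");
        }
        $where[] = "$column = ?";   // $column is one of our own fixed literals
        $values[] = $value;         // the value is bound, never interpolated
    }
    $sql = 'SELECT id, Body FROM messages';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($values);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_SESSION['sub1'] and $_SESSION['weekS1'].
$session = ['sub1' => 'CS101', 'weekS1' => '2'];
print_r(findMessages($db, ['Subject_Code' => $session['sub1'], 'Week' => $session['weekS1']]));
print_r(findMessages($db, ['Subject_Code' => $session['sub1']]));
```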

Migrating to mysqli

I'm trying to migrate a web to mysqli and have my first question:
In mysql I had this:
$sel_user="SELECT * FROM usuarios WHERE user='$usuario_tienda'";
$rs_user=mysql_query($sel_user);
$tienda=mysql_result($rs_user,0,"tienda");
When I change to mysqli it looks like this:
$consulta_user="SELECT * FROM members WHERE username='$usuario_tienda'";
$query_user = mysqli_query($mysqli,$consulta_user);
$resultado_user = mysqli_fetch_assoc($query_user);
$tienda= $resultado_user['tienda'];
It works, but I don't think this is the best way to do it. Can I do it more efficiently, more compactly?
You should use a prepared statement; using that you can avoid SQL injection attacks.
// mysqli supports only positional (?) placeholders and binds them with
// bind_param(); named placeholders and bindParam() belong to PDO.
$stmt = $mysqli->prepare("SELECT * FROM usuarios WHERE user=?");
$stmt->bind_param('s', $usuario_tienda);   // 's' = string parameter
$stmt->execute();
$result = $stmt->get_result();             // requires the mysqlnd driver
$resultado_user = $result->fetch_assoc();
echo $resultado_user['tienda'];

Unable to concatenate sql in pdo statement [duplicate]

This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
I currently have a GET variable
$name = $_GET['user'];
and I am trying to add it to my sql statement like so:
$sql = "SELECT * FROM uc_users WHERE user_name = ". $name;
and run
$result = $pdo -> query($sql);
I get an invalid column name. But that doesn't make sense because if I manually put the request like so
$sql = "SELECT * FROM uc_users WHERE user_name = 'jeff'";
I get the column data, just not when I enter it as a GET variable. What am I doing wrong? I am relatively new to PDO.
Update:
Now I have the following:
$name = $_GET['user'];
and
$sql = "SELECT * FROM uc_users WHERE user_name = :name";
//run the query and save the data to the $bio variable
$result = $pdo -> query($sql);
$result->bindParam( ":name", $name, PDO::PARAM_STR );
$result->execute();
but I am getting
> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
> error in your SQL syntax; check the manual that corresponds to your
> MySQL server version for the right syntax to use near ':name' at line
> 1
For your query with the variable to work like the one without the variable, you need to put quotes around the variable, so change your query to this:
$sql = "SELECT * FROM uc_users WHERE user_name = '$name'";
However, this is vulnerable to SQL injection, so what you really want is to use a placeholder, like this:
$sql = "SELECT * FROM uc_users WHERE user_name = :name";
And then prepare it as you have:
$result = $pdo->prepare( $sql );
Next, bind the parameter:
$result->bindParam( ":name", $name, PDO::PARAM_STR );
And lastly, execute it:
$result->execute();
I find this best for my taste while preventing SQL injection:
Edit: As pointed out by #YourCommonSense, you should use a safe connection as per these guidelines
// $conn = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$sql = 'SELECT * FROM uc_users WHERE user_name = ?';
$stmt = $conn->prepare($sql);
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
// perhaps you'll need these as well
$count = $result->num_rows;
$row = $result->fetch_assoc();
/* you can also use it for multiple rows results like this
while ($row = $result->fetch_assoc()) {
// code here...
} */
BTW, if you had more parameters e.g.
$sql = 'SELECT * FROM table WHERE id_user = ? AND date = ? AND location = ?';
where first ? is integer and second ? and third ? are string/date/... you would bind them with
$stmt->bind_param('iss', $id_user, $date, $location);
/*
* i - corresponding variable has type integer
* d - corresponding variable has type double
* s - corresponding variable has type string
* b - corresponding variable is a blob and will be sent in packets
*/
Source: php.net
EDIT:
Beware! You cannot concatenate $variables inside bind_param
Instead you concatenate before:
$full_name = $family_name . ' ' . $given_name;
$stmt->bind_param('s', $full_name);
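The concatenation caveat above exists because bind_param() binds by reference, and PDOStatement::bindParam(), used in the PDO answer earlier, behaves the same way, whereas bindValue() copies the value at call time. The following added example (not from any of the answers) shows both behaviours with PDO, on in-memory SQLite with constructed rows, since mysqli has no offline mode.

```php
<?php
// Added example: by-reference binding (bindParam) versus copy-at-call (bindValue).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE uc_users (user_name TEXT, full_name TEXT)');
$pdo->exec("INSERT INTO uc_users VALUES ('jeff', 'Jeff Stone'), ('amy', 'Amy Li')");

// Prepare once, bind $current by reference, execute once per name: each
// execute() reads whatever $current holds at that moment. This is also why
// an expression such as $a . ' ' . $b cannot be passed to bindParam(): there
// is no variable to reference, so build the string into a variable first.
function fullNamesOf(PDO $pdo, array $names): array
{
    $stmt = $pdo->prepare('SELECT full_name FROM uc_users WHERE user_name = :name');
    $current = null;
    $stmt->bindParam(':name', $current, PDO::PARAM_STR);
    $out = [];
    foreach ($names as $current) {
        $stmt->execute();
        $found = $stmt->fetchColumn();          // false when no row matched
        $out[$current] = $found === false ? null : $found;
    }
    return $out;
}

// bindValue() snapshots the value: changing $name afterwards has no effect.
function fullNameOf(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT full_name FROM uc_users WHERE user_name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $name = 'changed after binding';          // not seen by the statement
    $stmt->execute();
    $found = $stmt->fetchColumn();
    return $found === false ? null : $found;
}

print_r(fullNamesOf($pdo, ['jeff', 'amy', 'nobody']));
var_dump(fullNameOf($pdo, 'amy'));
```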
Try this. You didn't put single quotes around the variable.
$sql = "SELECT * FROM uc_users WHERE user_name = '". $name."'";
Note: Try to use the binding method. This is not a valid way of fetching data.
$sql = "SELECT * FROM `uc_users` WHERE user_name = '". $name."' ";

Return PDO data

Hi guys, I have a program built using mysql_* and I am trying to convert it to PDO for security and deprecation reasons.
So I have a load of mysql_* functions set up like
return select_from_where('users', '*', "username = '$username' AND password = '$pass'", "LIMIT 1");
Which I have converted to PDO
return $conn -> query("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
However, the program does not return the right result; I'm not sure if it is even returning data.
My question is, do I have to set the PDO response to a variable that I can then use, or is it possible to have it return values which I can use in my program using a similar method to above?
I have included global $conn for each function query so I'm sure it is connecting like it should, it's just not returning the result as intended.
Does anyone have a quick fix for this issue as my program is almost done and is pending release :D
Thanks in advance
Luke
** EDIT LINE **
$sql = ("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
$stm = $conn->prepare($sql);
$stm->execute(array($username,$pass));
$user = $stm->fetch();
echo $user['username'];
First, personally I see no point in having a function like select_from_where.
You actually save yourself nothing: you just moved the words "SELECT, FROM and WHERE" from the query to the function name, yet made this function extremely limited, say, no joins or such.
Second, the PDO::query() function shouldn't be used anyway, as it doesn't support prepared statements.
So, the code has to be
global $conn;
$sql = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1";
$stm = $conn->prepare($sql);
$stm->execute(array($username,$pass));
return $stm->fetch();
You also have to configure your PHP and PDO in order to be able to see every error that occurs.
Change this
return $conn -> query("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
to:
$username = 'user';
$password ='password';
$stmt =$conn->prepare("SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1");
$stmt->execute(array($username, $password));
echo $stmt->rowCount();
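Putting the two recommendations together (configure PDO so every error surfaces, and return the fetched row from a function), here is an added example that is not the original poster's code. It verifies the password with password_verify() against a stored hash rather than comparing it inside the SQL, which is an addition of this example, not something the page's code does. It runs on in-memory SQLite with constructed rows; for MySQL the DSN would be of the form 'mysql:host=...;dbname=...;charset=utf8mb4' with the same options.

```php
<?php
// Added example: PDO configured to throw on every error, and the login lookup
// written as a function that returns the row. Constructed data on in-memory SQLite.
function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // On MySQL, PDO::ATTR_EMULATE_PREPARES => false would also be set here.
    ]);
}

// Returns the user row (without the hash) on success, or null on failure.
function authenticate(PDO $conn, string $username, string $pass): ?array
{
    $stm = $conn->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
    $stm->execute([$username]);
    $user = $stm->fetch();
    if ($user === false || !password_verify($pass, $user['password'])) {
        return null;
    }
    unset($user['password']);
    return $user;
}

$conn = connect('sqlite::memory:');
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['luke', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($conn, 'luke', 'correct horse') !== null);
var_dump(authenticate($conn, 'luke', 'wrong') !== null);
try {
    $conn->query('SELECT * FROM no_such_table');   // ERRMODE_EXCEPTION makes this throw
} catch (PDOException $e) {
    echo 'Query failed: ', $e->getMessage(), "\n";
}
```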
