Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I have this function.
public function selection($table, $condition_var,$condition_val)
{
if ($condition_var != '') {
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var=.":".$condition_var. " ");
$stm->bindParam(":".$condition_var, $condition_val);
return $stm->execute();
}
}
I am getting here in this below line
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var=.":".$condition_var. " ");
dont know what I am doing wrong here. kindly please check
Please refer to this: http://php.net/manual/en/pdostatement.bindparam.php
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var."=:condition_val");
$stm->bindParam(":condition_val", $condition_val);
$stm = $this->dbh->prepare("SELECT * FROM " . $table . " WHERE " . $condition_var . " = :param");
$stm->bindParam(":param", $condition_val);
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I am currently using PHP and SQL to throw back some paramters I enter in a form.
I can search numbers perfectly fine and it gives me the correct results but anytime I use a search like "443265dsa44dd" it displays nothing even though it's in the database.
$searchedID = $_POST['uuid'];
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '.$searchedID.'";
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
echo "Name: " . $row["name"] . "<br>" . "Contact: " . $row["contact"] . "<br>" . "Phone: " . $row["phone"] . "<br>" . "Address: " . $row["address"] . " ";
}
}
The id is a primary key and set to VARCHAR, any ideas what is happening here?
You have an error when trying to include the searchedID into the sql-string.
Either concat like this:
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '" . $searchedID . "'"
// note, the additional quotes
OR
let php parse that var for you (possible only inside double-quotes):
$sql = "SELECT name, contact, phone, address FROM test WHERE id = '$searchedID'"
BUT
You are vulnerable to sql-injection. So use prepared statements!
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 7 years ago.
Improve this question
Im self learning mySQL and php few days and now Im stuck on this error and cant help myself. Can you look at code, Thanks!
this is error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 7
here is the page
switch($_GET['action']) {
case 'add':
switch($_GET['type']) {
case 'movie':
$query = 'INSERT INTO
movie
(movie_name, movie_year, movie_type)
VALUES
("' . $_POST['movie_name'] . '",
' . $_POST['movie_year'] . ',
' . $_POST['movie_type'] . ')';
break;
}
break;
}
if (isset($query)) {
$result = mysql_query($query, $db) or die(mysql_error($db));
}
I think problem may be in here
<td><select name='movie_type'>
<?php
$query = 'SELECT movietype_label FROM movietype ORDER BY movietype_id';
$result = mysql_query($query, $db) or die (mysql_error($db));
while ($row = mysql_fetch_assoc($result)) {
foreach ($row as $value) {
echo '<option value="' . $row['movietype_id'] . '">';
echo $row['movietype_label'] . '</option>';
}
}
?>
</select></td>
and here is print_r on
Array(
[movie_name] => asd
[movie_type] =>
[movie_year] => 2015
[submit] => ADD)
Shouldn't you be using a double quote " instead of single quote ' like below. You are mixing single and double quote.
$query = "INSERT INTO
movie
(movie_name, movie_year, movie_type)
VALUES
('" . $_POST['movie_name'] . "',
'" . $_POST['movie_year'] . "',
'" . $_POST['movie_type'] . "')";
Granted this is ugly, but would be surprised if it fails.
$query = "INSERT INTO
movie (movie_name, movie_year, movie_type)
VALUES
('"
. $_POST['movie_name'] . "','"
. $_POST['movie_year'] . "','"
. $_POST['movie_type'] . "')";
Also, you need to cleanse your data. Data acted upon directly from user without cleansing, or sent through proper separation of code, can, and someday will, contain sql injection.
Ugly code like the above starts to take on some beauty with mysqli and pdo, plus the parameters are safely separated, and all the moaning about injection goes away.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I get this two queries with the same variables :
$query = 'UPDATE payee SET payee="oui", datePaiement=\'' . $datePaiement . '\',paiement="'.$paiement.'", typePaiement="' . utf8_decode($moyenPaiement) . '" WHERE id_commande=' . $commande->getNum() . '';
$connexion->exec($query);
$query2 = 'UPDATE commande SET mpaiement="' . utf8_decode($moyenPaiement) . '",pxttc="'.$paiement.'" WHERE noCommande=" . $commande->getNum() . "';
$connexion->exec($query2);
For the first one, my $paiement isn't save in my DB. I get a $paiement = 0 while in my second one $paiement is save as I want.
I have the same pattern in my second query $moyenPaiement, moyenPaiement is save as I want but he is not save in my first query.
Sorry for my explanation, it's maybe confused.
You should not combine both single and double quotes, it will be confusing. Try this:
$query = 'UPDATE payee SET payee="oui", datePaiement="' . $datePaiement . '", paiement="'.$paiement.'", typePaiement="' . utf8_decode($moyenPaiement) . '" WHERE id_commande="' . $commande->getNum() . '"';
$connexion->exec($query);
$query2 = 'UPDATE commande SET mpaiement="' . utf8_decode($moyenPaiement) . '", pxttc="'.$paiement.'" WHERE noCommande="' . $commande->getNum() . '"';
$connexion->exec($query2);
Later edit:
Don't forget to print your queries if something weird happens. These queries can be tested in phpMyAdmin too.
print_r($query);
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I have a problem with quotes. I can't use " or ' for $gname. What can I do for this.
$new_post = array( 'post_content' => ' ..CODES.. $result = mysqli_query($con,"SELECT * FROM wp_games WHERE name = $gname "); ..CODES..
I'm trying to create a post on wordpress.I have a plugin to use php on posts. [insert_php] is this plugin. And I also can't use quote like \" ... \" .Here is more code.
$new_post = array(
'post_content' => '[insert_php]$con=mysqli_connect("localhost","root","","wordpress");
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM wp_games WHERE name = '$gname' ");
while($row = mysqli_fetch_assoc($result)) {
echo $row["name"];
}
mysqli_close($con);
[/insert_php]',
You can create a single quote using chr(39) and append it to the string. You should also escape the contents of $gname
mysqli_query($con,"SELECT * FROM wp_games WHERE name = " . chr(39) . mysqli_real_escape_string($con, $gname) . chr(39));
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
EDIT/AWNSER: It was a bloody typo, dont mind me facedesking, thanks Sadikhasan
For some reason, the function mysqli_query in my code below, doesnt work, when i open the page, it returns an error.
Fatal error: Call to undefined function msqli_query() in
**/**/**/**/**db.php on line 16
I double checked the script, but couldnt find any typo's or ";" misplacements, the login part works, its purly the query that derps.
<?php
$sqlhost = '*****';
$sqlname = '*****';
$sqlpass = '*****';
$sqldbname = '*****';
$con=mysqli_connect($sqlhost,$sqlname,$sqlpass,$sqldbname);
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}else{
echo "connection successfull!";
}
$result = msqli_query($con,"SELECT * FROM PEOPLE");
while($row = mysqli_fetch_array($result)) {
echo $row['ID'] . "<br>";
echo $row['NAME'] . "<br>";
echo $row['AGE'] . "<br>";
echo $row['SEX'] . "<br>";
echo "<hr>";
}
mysqli_close($con);
?>
The names are in capitals in the database, i checked that too :)
thanks for the help in advance!
Correct spelling to mysqli in this line
$result = msqli_query($con,"SELECT * FROM PEOPLE");