Fetch first and last name - php

In my database I have the columns "first_name" and "last_name" (there is more in there, but it is not related to my question).
Here is the code:
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
    $id = $row_get['id'];
    $name = $row_get['first_name'];
    $email = $row_get['email'];
    $password = $row_get['password'];
}
And this works fine. But I'm trying to get $name to fetch both first_name and last_name. Is it possible?
It is so when the details are inserted into the database it will show both names rather than just the first name.
I have tried to do it like this:
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
    $id = $row_get['id'];
    $name = $row_get['first_name'],['last_name'];
    $email = $row_get['email'];
    $password = $row_get['password'];
}
But it failed.

You can't get two values at once like you did; you have to concatenate the value of $row_get['first_name'] and the value of $row_get['last_name']:
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
    $id = $row_get['id'];
    // Join the two columns with a space between them
    $name = $row_get['first_name'] . ' ' . $row_get['last_name'];
    $email = $row_get['email'];
    $password = $row_get['password'];
}

You shouldn't use SQL, it's open to attack and is deprecated; look into SQLi or PHP PDO data objects. Why are you selecting all in your query when you only need 2 fields? I will work with your code though:
SELECT first_name,last_name FROM members WHERE id = $id

Related

Update multiple rows in single query php mysql

I am trying to update multiple rows in a single query. Data doesn't get updated in my code. I am trying to join the two tables. When the user enters a no., the data from the 2 tables, which are connected through the foreign key, will be displayed. The data from table 1 gets updated, whereas the columns from table 2 don't get updated. I need to update the second table based on unique id.
if($_REQUEST["profile"] == "profile")
{
    $Id = $_REQUEST["id"];
    $firstname = mysql_real_escape_string($_REQUEST["firstname"]);
    $serial = mysql_real_escape_string($_REQUEST["serial"]);
    $dom = mysql_real_escape_string($_REQUEST["dom"]);
    $idno = $_REQUEST["idno"];
    $pow = mysql_real_escape_string(stripslashes($_REQUEST["pow"]));
    $address = mysql_real_escape_string(stripslashes($_REQUEST["address"]));
    $bookno = mysql_real_escape_string(stripslashes($_REQUEST["bookno"]));
    $zone = mysql_real_escape_string(stripslashes($_REQUEST["zone"]));
    $mobile = mysql_real_escape_string(stripslashes($_REQUEST["phone"]));
    $phone = mysql_real_escape_string(stripslashes($_REQUEST["mobile"]));
    $mothertongue=mysql_real_escape_string(stripslashes($_REQUEST["mothertongue"]));
    $nof=mysql_real_escape_string(stripslashes($_REQUEST["nof"]));
    $email=mysql_real_escape_string(stripslashes($_REQUEST["email"]));
    $nom=$_REQUEST["nom"];
    $nofemale=$_REQUEST["nofemale"];
    mysql_query("UPDATE profile SET firstname='".$firstname."',serial='".$serial."',dom='".$dom."',idno='".$idno."',pow='".$pow."',address='".$address."',bookno='".$bookno."',
    zone='".$zone."',phone='".$mobile."',mobile='".$phone."',mothertongue='".$mothertongue."',email='".$email."',nof='".$nof."',nom='".$nom."',nofemale='".$nofemale."' WHERE id = '".$_POST['id']."' " ) or die(mysql_error());
    for($i=0;$i<count($_REQUEST['slno1']);$i++)
    {
        $mid=$_REQUEST['mid'][$i];
        $slno1 = mysql_real_escape_string(stripslashes($_REQUEST["slno1"][$i]));
        $name1 = mysql_real_escape_string(stripslashes($_REQUEST["name1"][$i]));
        $rhof1 = mysql_real_escape_string(stripslashes($_REQUEST["rhof1"][$i]));
        $dob1 = mysql_real_escape_string(stripslashes($_REQUEST["dob1"][$i]));
        $dobapt1 = mysql_real_escape_string(stripslashes($_REQUEST["dobapt1"][$i]));
        $doc1 = mysql_real_escape_string(stripslashes($_REQUEST["doc1"][$i]));
        $doconf1 = mysql_real_escape_string(stripslashes($_REQUEST["doconf1"][$i]));
        $qualification1 = mysql_real_escape_string(stripslashes($_REQUEST["qualification1"][$i]));
        $school1 = mysql_real_escape_string(stripslashes($_REQUEST["school1"][$i]));
        $occupation1 = mysql_real_escape_string(stripslashes($_REQUEST["occupation1"][$i]));
        $run=mysql_query("UPDATE member SET
        slno1='".$slno1."',name1='".$name1."',rhof1='".$rhof1."',dob1='".$dob1."',dobapt1='".$dobapt1."',doc1='".$doc1."',doconf1='".$doconf1."',qualification1='".$qualification1."' WHERE mid = '".$mid."' " ) or die(mysql_error());
    }
}
Please use PDO so you won't have to escape strings and so your code gets simpler to read. Your query has too many quotes used and this alone can make it easy to fail. Please use following examples and this should help you succeed.
Basic PDO update:
https://www.w3schools.com/php/php_mysql_update.asp
Bind Params:
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
In your query you are using $_POST['mid']; instead of that you should use $mid, which you are already reading as:
$mid=$_REQUEST['mid'][$i];
As per my understanding UPDATE query is used to update a limited number of records if using the where condition. So the only way that I can think of is using an INSERT query with ON DUPLICATE KEY UPDATE clause. Try the below code:
for($i=0;$i<count($_REQUEST['mid']);$i++) {
    $mid[] = $_REQUEST['mid'][$i];
    $slno1[] = mysql_real_escape_string(stripslashes($_REQUEST["slno1"][$i]));
    $name1[] = mysql_real_escape_string(stripslashes($_REQUEST["name1"][$i]));
    $rhof1[] = mysql_real_escape_string(stripslashes($_REQUEST["rhof1"][$i]));
    $dob1[] = mysql_real_escape_string(stripslashes($_REQUEST["dob1"][$i]));
    $dobapt1[] = mysql_real_escape_string(stripslashes($_REQUEST["dobapt1"][$i]));
    $doc1[] = mysql_real_escape_string(stripslashes($_REQUEST["doc1"][$i]));
    $doconf1[] = mysql_real_escape_string(stripslashes($_REQUEST["doconf1"][$i]));
    $qualification1[] = mysql_real_escape_string(stripslashes($_REQUEST["qualification1"][$i]));
    $school1[] = mysql_real_escape_string(stripslashes($_REQUEST["school1"][$i]));
    $occupation1[] = mysql_real_escape_string(stripslashes($_REQUEST["occupation1"][$i]));
}
$query = "INSERT INTO `member` (`mid`,`slno1`,`name1`,`rhof1`,`dob1`,`dobapt1`,`doc1`,`doconf1`,`qualification1`) VALUES ";
for ($i = 0; $i < count($mid); $i++) {
    $query .= "('".$mid[$i]."','".$slno1[$i]."','".$name1[$i]."','".$rhof1[$i]."','".$dob1[$i]."','".$dobapt1[$i]."','".$doc1[$i]."','".$doconf1[$i]."','".$qualification1[$i]."')";
    if ($i != (count($mid) - 1)) {
        $query .= ',';
    }
}
$query .= ' ON DUPLICATE KEY UPDATE `slno1` = VALUES(`slno1`), `name1` = VALUES(`name1`), `rhof1` = VALUES(`rhof1`), `dob1` = VALUES(`dob1`), `dobapt1` = VALUES(`dobapt1`), `doc1` = VALUES(`doc1`), `doconf1` = VALUES(`doconf1`), `qualification1` = VALUES(`qualification1`);';
$run=mysql_query($query) or die(mysql_error());
Hope this helps.
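Added example (not part of the original thread, and not the posters' code): the member update from this question written with PDO, as the first answer recommends. One UPDATE is prepared once and executed per row inside a transaction, so every value is bound and no quoting or escaping is needed. The helper name updateMembers() is hypothetical, and an SQLite in-memory table with constructed rows stands in for the MySQL member table so the script runs offline.

```php
<?php
// Added example, not code from the thread. The SQLite in-memory table and the
// request array are constructed so the script runs offline.
function updateMembers(PDO $pdo, array $req): int
{
    // Column names are fixed here; only values come from the request.
    $fields = ['slno1', 'name1', 'rhof1', 'dob1', 'dobapt1', 'doc1', 'doconf1', 'qualification1'];
    $set = implode(', ', array_map(fn($f) => "$f = :$f", $fields));
    $stmt = $pdo->prepare("UPDATE member SET $set WHERE mid = :mid");  // prepared once
    $changed = 0;
    $pdo->beginTransaction();
    try {
        foreach ((array)($req['mid'] ?? []) as $i => $mid) {
            if (!is_scalar($mid)) {
                continue;                       // ignore nested arrays such as mid[0][]=x
            }
            $row = [':mid' => $mid];
            foreach ($fields as $f) {
                $v = $req[$f][$i] ?? '';
                $row[":$f"] = is_scalar($v) ? (string)$v : '';
            }
            $stmt->execute($row);               // values are bound, never spliced into SQL
            $changed += $stmt->rowCount();
        }
        $pdo->commit();                         // all rows or none
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $changed;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (mid INTEGER PRIMARY KEY, slno1, name1, rhof1, dob1,
            dobapt1, doc1, doconf1, qualification1)');
$pdo->exec("INSERT INTO member (mid, name1) VALUES (1, 'old'), (2, 'old')");

// Constructed request: two member rows, one name containing an apostrophe.
$req = ['mid' => ['1', '2'], 'slno1' => ['1', '2'],
        'name1' => ["Mary O'Neil", 'John'], 'rhof1' => ['wife', 'son'],
        'dob1' => ['1980-01-01', '2005-05-05'], 'qualification1' => ['BA', 'HSC']];
echo updateMembers($pdo, $req), " rows updated\n";
echo $pdo->query('SELECT name1 FROM member WHERE mid = 1')->fetchColumn(), "\n";
```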

MYSQL SELECT query does not work

I want to select an email address from the DB to send an email. Following is the query that I have made.
$userID=$_SESSION['userID'];
$select_query = mysql_query("SELECT * FROM employee WHERE emp_id = '$userID'");
$select_sql = mysql_fetch_array($select_query);
$name=$select_sql['manager_name'];
$select_query1 = mysql_query("SELECT email FROM employee WHERE employee.name='$name'");
$select_sql1 = mysql_fetch_array($select_query1);
$email=$select_sql1['email'];
But $select_query1 returns "NULL Invalid address:" instead of the correct value. I could not find the problem with this. Please help!
You are using $_SESSION['userID'] to get all data from table employee, so instead of doing two queries simply try this:
$empID = $_SESSION['userID'];
$query = mysql_query("SELECT * FROM employee WHERE emp_id=$empID");
$result = mysql_fetch_array($query);
$email = $result['email'];

How to get multiple search input php mysql

Hi, I am new to PHP and MySQL. I have created a form where the user can search the database, and the result depends on how the user fills in the form. The form has 6 search fields, where the user can choose / fill any one or more fields to make his search. I have coded it as follows:
<?php require_once('Connections/osrc.php'); ?>
<?php
$maxRows_search_result = 10;
$pageNum_search_result = 0;
if (isset($_GET['pageNum_search_result'])) {
    $pageNum_search_result = $_GET['pageNum_search_result'];
}
$startRow_search_result = $pageNum_search_result * $maxRows_search_result;
mysql_select_db($database_osrc, $osrc);
$propertyid = $_POST['propertyid'];
$offered = $_POST['offered'];
$property_type = $_POST['property_type'];
$beds = $_POST['beds'];
$city = $_POST['city'];
$locality = $_POST['locality'];
$query_search_result = "SELECT * FROM osrc_data WHERE propertyid LIKE '%$propertyid%' OR offered LIKE '%$offered%' AND property_type LIKE '%$property_type%' AND beds LIKE '%$beds%' AND city LIKE '%$city%' AND locality LIKE '%$locality%' ";
$query_limit_search_result = sprintf("%s LIMIT %d, %d", $query_search_result, $startRow_search_result, $maxRows_search_result);
$search_result = mysql_query($query_limit_search_result, $osrc) or die(mysql_error());
$row_search_result = mysql_fetch_assoc($search_result);
if (isset($_GET['totalRows_search_result'])) {
    $totalRows_search_result = $_GET['totalRows_search_result'];
} else {
    $all_search_result = mysql_query($query_search_result);
    $totalRows_search_result = mysql_num_rows($all_search_result);
}
$totalPages_search_result = ceil($totalRows_search_result/$maxRows_search_result)-1;
?>
now when user It works but it shows all rows in database table.
For example, the user fills in three fields (beds, city, locality) and the other three are blank.
The search result page shows all rows in the database with all records.
Please help me to correct my code. Thanks in advance.
First, I agree with @VaaChar, you should be using mysqli or even better yet PDO.
You will have to determine IF a value has been placed in a field and if so use it in your query. If no value was placed in the field, ignore it in your query.
Something like this...
// A blank form field arrives as an empty string, which isset() still treats as set,
// so each field is also compared with ''.
$and = array();
if (isset($offered) && $offered !== '') {
    $and[] = "offered LIKE '%$offered%'";
}
if (isset($property_type) && $property_type !== '') {
    $and[] = "property_type LIKE '%$property_type%'";
}
if (isset($beds) && $beds !== '') {
    $and[] = "beds LIKE '%$beds%'";
}
if (isset($city) && $city !== '') {
    $and[] = "city LIKE '%$city%'";
}
if (isset($locality) && $locality !== '') {
    $and[] = "locality LIKE '%$locality%'";
}
$where = implode(' AND ', $and);
// propertyid keeps the OR it had in the original query.
if (isset($propertyid) && $propertyid !== '') {
    $sqlid = "propertyid LIKE '%$propertyid%'";
    $where = ($where === '') ? $sqlid : "$sqlid OR $where";
}
// No WHERE keyword at all when every field was left blank.
// The values are still interpolated here; escape or bind them before running the query.
$sql = "SELECT * FROM osrc_data" . ($where === '' ? '' : " WHERE $where");
When you build the sql query with (say) $propertyid empty, you get this :
.... LIKE '%%' ...,
which is like saying "anything". You must build your query only with the fields that have been filled.
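Added example (not part of the original thread, and not the posters' code): the same "only use the fields that were filled in" rule, built with PDO bound parameters as the first answer recommends. Assumptions: the hypothetical helper buildSearch() combines all filled fields with AND, uses '!' as the LIKE escape character, and runs against an SQLite in-memory table with constructed rows in place of the MySQL osrc_data table.

```php
<?php
// Added example, not code from the thread. buildSearch() is a hypothetical helper;
// the SQLite in-memory table and the sample rows are constructed.
function buildSearch(array $input, int $page, int $perPage = 10): array
{
    // Column names come from this fixed list, never from the request.
    $columns = ['propertyid', 'offered', 'property_type', 'beds', 'city', 'locality'];
    $where = [];
    $params = [];
    foreach ($columns as $col) {
        $raw = $input[$col] ?? '';
        $value = is_scalar($raw) ? trim((string)$raw) : '';
        if ($value === '') {
            continue;                    // blank field: skip it instead of LIKE '%%'
        }
        // Escape LIKE wildcards so a typed "%" or "_" matches literally.
        $value = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
        $where[] = "$col LIKE :$col ESCAPE '!'";
        $params[":$col"] = "%$value%";
    }
    $sql = 'SELECT * FROM osrc_data';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    // Paging numbers are forced to integers before they reach the SQL text.
    $sql .= sprintf(' LIMIT %d OFFSET %d', $perPage, max(0, $page) * $perPage);
    return [$sql, $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE osrc_data (propertyid TEXT, offered TEXT, property_type TEXT,
            beds TEXT, city TEXT, locality TEXT)');
$pdo->exec("INSERT INTO osrc_data VALUES ('P1','rent','flat','2','Pune','Baner'),
            ('P2','sale','villa','3','Pune','Aundh'), ('P3','rent','flat','2','Mumbai','Bandra')");

// Constructed submission: three fields filled in, three left blank.
$form = ['propertyid' => '', 'offered' => '', 'property_type' => '',
         'beds' => '2', 'city' => 'Pune', 'locality' => 'Baner'];
[$sql, $params] = buildSearch($form, (int)($_GET['pageNum_search_result'] ?? 0));
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
echo $sql, "\n";
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```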

Pass MySQL table record to variable based on session ID

I have the following PHP code (which works) for pulling the client's email address from our MySQL DB based on their $_SESSION clientid variable and storing it in $myemail:
mysql_select_db($dn) or die(mysql_error());
$clientid = ($_SESSION['clientid']);
$result = mysql_query("SELECT emailaddress FROM clients WHERE clientid = '" . $clientid . "'");
while ($row = mysql_fetch_array($result)) {
    $myemail = $row[0];
}
mysql_close($con);
But was wondering whether or not there was a better way of doing this?
First of all, don't use mysql_* functions as they are deprecated. Better to use PDO or mysqli.
And regarding your question, I would write:
$clientId = $_SESSION['clientid'];
$res = mysql_fetch_object(mysql_query("SELECT emailaddress FROM clients WHERE clientid = '{$clientId}'"));
$email = $res->emailaddress;
One more thing why do you need while loop? While loop is not at all necessary as we are fetching a single record.
It seems your code is vulnerable to SQL injection. Use a prepared statement or use mysql_real_escape_string. Here is the code...
mysql_select_db($dn) or die(mysql_error());
// Escape the value that goes into the query, not the value read back from it.
$clientid = mysql_real_escape_string($_SESSION['clientid']);
$result = mysql_query("SELECT emailaddress FROM clients WHERE clientid = '" . $clientid . "'");
while ($row = mysql_fetch_array($result)) {
    $myemail = $row['emailaddress'];
}
mysql_close($con);
Replace
$myemail = $row[0];
With
$myemail = $row['emailaddress'];

Querying MySQL with PHP

What is wrong with this code:
$q = query("select * from users where email = '$_POST['email']' and name = '$_POST['name']'");
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp\www\conn\index.php on line 16
Thanks in advance.
$q = query("select * from users where email = '{$_POST['email']}' and name = '{$_POST['name']}'");
You missed two quotes. Also:
1) Always escape user input (for security reasons):
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("select * from users where email = '{$email}' and name = '{$name}'");
2) Get an editor with code highlighting, so you don't get similar problems in the future. I recommend Notepad++.
You should surround your inline vars with curly braces.
Like this:
$q = query("select * from users where email = '{$_POST['email']}' and name = '{$_POST['name']}'");
You use $_POST directly in the SQL Query which is very bad.
Use:
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("SELECT ... $name ... $email");
I'd recommend using string concatenation instead of embedding variables in strings as it is (imho) easier to read
$q = query("SELECT ... " . $name . " ... " . $email);
SELECT * is bad (unless you really, really want all fields)
Try this:
$q = query("select * from users where email = '" . $_POST['email'] . "' and name = '" . $_POST['name'] . "'");
You are using double quoting: you put quotes around $_POST['email'] and inside it, making it get interpreted the wrong way.
This would work the right way:
$q = query("select * from users where email = '".$_POST['email']."' and name = '".$_POST['name']."'");
But even if it works, it is still wrong to pass post variables right into a query. As a developer you need to learn to 'never trust the users'. So the best thing is to clean it by escaping it like this:
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$q = query("select * from users where email = '$email' and name = '$name'");
or this:
$q = query("select * from users where email = '".mysql_real_escape_string($_POST['email'])."' and name = '".mysql_real_escape_string($_POST['name'])."'");
(whichever way you prefer)
Please don't do it that way. It is a perfect example for SQL injections.
A better Version:
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("select * from users where email = '$email' and name = '$name'");
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'
Get used to this error. Always means there is a quotation problem.
Get familiar w/ using " and '
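Added example (not part of the original thread, and not the posters' code): the users lookup from this question in its interpolated form next to a PDO prepared statement, run against a constructed name that contains an apostrophe. The same pattern applies to the id and clientid lookups earlier on the page. The function names are hypothetical, and an SQLite in-memory table with one constructed row stands in for the MySQL users table.

```php
<?php
// Added example, not code from the thread. The users table follows the question;
// the SQLite in-memory database and the sample row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$pdo->exec("INSERT INTO users (email, name) VALUES ('pat@example.test', 'Pat O''Brien')");

// Interpolated form from the thread: the value becomes part of the SQL text.
function findUserInterpolated(PDO $pdo, string $email, string $name): ?array
{
    $sql = "select id, email, name from users where email = '{$email}' and name = '{$name}'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Prepared form: the SQL text is fixed, the values travel separately.
function findUser(PDO $pdo, string $email, string $name): ?array
{
    $stmt = $pdo->prepare('select id, email, name from users where email = :email and name = :name');
    $stmt->execute([':email' => $email, ':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed form input: a legitimate name that contains an apostrophe.
$post = ['email' => 'pat@example.test', 'name' => "Pat O'Brien"];

try {
    findUserInterpolated($pdo, $post['email'], $post['name']);
    echo "interpolated: ok\n";
} catch (PDOException $e) {
    // The apostrophe closed the string literal early and the statement no longer parses.
    echo "interpolated: ", $e->getMessage(), "\n";
}

$user = findUser($pdo, $post['email'], $post['name']);
echo "prepared: ", $user === null ? 'no match' : "found id {$user['id']}", "\n";
```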
