I'm working on an old mySql database, trying to insert new rows. The code is below (I know it's ugly- just trying to get it to work before making it work well!).
Everything seems to work unless the $newbuilding variable includes a space. That variable will always be a string, but if that string includes a space (for example, "Building 01"), anything after the space is omitted when it's inserted into the table. Works fine if there are no spaces.
Any idea what I'm doing wrong? Thanks for any feedback!
$SQLstmt = "insert into homes_mail_lists set " .
"`tbl_id` = ${tbl_main["tbl_id"]}, " .
"`item_id` = ${Iitem_id}, " .
"`building` = '${newbuilding}', " .
"`updt_user` = '${cp_valid_user}', " .
"`updt_dttm` = null";
Just figured out my problem- sorry for wasting anyone's time! If you're curious or run into a similar problem- my issue wasn't with the SQL, it was with the html provided to the $newbuilding variable (it was not enclosed in quotes, so wasn't recognizing two words as one string).
Related
I am using a search query for selecting names in my DB by giving a keyword.
My query is
SELECT `engine4_core_search`.* FROM `engine4_core_search` WHERE ((`engine4_core_search`.`title` LIKE "%".$text."%"))
When give " cardiff " (cardiff comes in place of $text ) as my keyword and checking the query ..it displays like
SELECT `engine4_core_search`.* FROM `engine4_core_search` WHERE ((`engine4_core_search`.`title` LIKE 'Êrdiff%'))
Is there any method to solve this.
Thanks in advance.
It seems to be you have included jQuery-mobile (because tagged in it)
In some cases jQuery-mobile replaces some strings when they attached with different patterns like " %cardiff " . It may considers to be different string set
Just remove jQuery-mobile and try for your output......
Ok, so my main issue is with anything that goes between WHERE and ORDER BY, LIMIT, etc.
I have it currently setup like the below:
SELECT " . $column_string . " FROM " . $table_name . " " . $query_join . " " . $where . " " . $query_end . " " . $query_limit
My issue is this, I have it setup to check each variable with escape string but when you come to $query_end which would hold test = '1' AND test2 = '2' etc. I have that section setup to allow you to send the whole string in one go. But of course if you check that it gets turned into test = \'1\' AND test2 = \'2\'.
The only thing I could think of doing was seperating it into some wierd array like [test2 = ],[2] but that doesn't work for (test1 = '2' OR test2 = '3') although I could make it work I really don't want to do it that way.
Can anyone suggest a better solution to the above problem? Also is there another item for checking for injection outside of mysql-real-escape-string?
The whole reason for this setup is to allow me to send multiple queries via ajax using json and then sending all the data back in a 3 level array.
Nothing actually wrong with "weird" array.
Every custom search solution is based on the similar approach - a series of conditions to assembly a WHERE clause dynamically.
I have no idea though, why would you need a fieldset or a table set by a user. But the idea would be quite the same. Just don't forget to verify all the identifiers and operators against a hardcoded white list.
I have a PHP script that is generating a MySQL select statement:
select * from words where word = 'Classic'
There is exactly one word in the words table with the variable word equal to Classic.
When my PHP page executes, I get no results from the query. If I echo the string that is being used to execute the query, cut and paste that into the SQL window in PHPMyAdmin in the database, I also get no results. However, if I re-type that EXACT string into the SQL window in PHPMyAdmin (with the same quote characters), I get the proper result of one row.
The word Classic from the select statement is gotten from a PHP GET (see code below). I can echo the $word variable, and get the correct result of 'Classic'. What am I doing wrong?
Here is my code:
<?php
require ('dbconnect.php');
$word = $_GET["word"];
$selectStr = "SELECT * FROM words WHERE word = '" . $word . "'";
if ($results = MySQL($dbName, $selectStr))
{
$rowCount = MySQL_NUMROWS($results);
}
$resultRow = MYSQL_FETCH_ROW($results);
$wordID = $resultRow[0];
?>
Please, please, please sanitize that word. mysql_real_escape_string() should do the trick.
$selectStr = "SELECT * FROM words WHERE word LIKE '" . $sanitized_word_i_promise . "'"; should work :)
Just to explain: "=" should work for exact matches. This includes uppercase / lowercase, spaces etc. You should probably trim that result first too, before using it in the query.
If you have foo stored in the database (note the space at the end) - it won't match foo, without a space. You'll want to use LIKE 'foo%' - probably.
Either way, Sourabh is right, although performance wise, this isn't a big hit when trying to match exact strings, you should look for the problem in other places first (such as, is the item in the database an exact match?).
First off you should not take any user input and directly input it into a query without sanitizing it, or using a prepared statement.
Now that we've gotten that out of the way: have you tried doing a strcmp() with the variable and your string written in? Such as
echo strcmp($_GET['word'], "Classic")
If you get a result other than 0 it means they are not the same, most likely there will be a whitespace of some sort in the $_GET variable. use trim() on it to take out whitespace. Also could be a case sensitivity issue as well.
i might be doing some idiot mistake, but i could not figure that out. i have some values coming from html and wanna insert into mysql db. problem is, the very same query does not work in regular php file (that includes other queries), but when i try on an independent php file, it does. here is a sample of the code:
$sql15="insert into body
(Article_ID, Article_Title)
values
('$article_id', '".$_POST['Article_Title']."') ";
mysql_query($sql15);
as i mentioned, the very same code works when i just copy this snippet to a new php file, and it works smoothly.. as you see, there are 20+ insert with the same php, because there are 25+ tables, but data is not much. first 14 query and following 7 queries do work by the way.
do you have any ideas?
There are some things to check and do.
Sanitize user input:
"('$article_id', '".mysql_real_escape_string($_POST['Article_Title'])."')";
You might also want to check if the value is what you expect.
Is your $article_id correct for column Article_ID?
Are your table and column names correct?
Check for errors:
$res = mysql_query($sql15);
if (!$res)
echo mysql_errno($link) . ": " . mysql_error($link);
Show us you complete query:
echo $sql15;
First of all i would suggest you to write your insert query like below
$sql15="insert into body SET Article_ID = '$article_id', Article_Title = '".$_POST['Article_Title']."'";
echo $sql15;
mysql_query($sql15);
so that each time when you add new column to database it would be easy for u to change insert query. echo your query and see it in browser. in it seems to o.k then copy it and paste it in SQL section under your phpmyadmin (see you are choosing proper database) and run it. if one row inserted successfully then your query is alright.
I hope this would help you a little.
$sql15="insert into body
(Article_ID, Article_Title)
values
('$article_id', '".$_POST['Article_Title']."') ";
mysql_query($sql15) or die(mysql_error());
use like this u will be get the error. then u will be find the issue
I think using mysql_real_escape_string may solve your problem.I also recommend you to store your form data in a string.
$article_title= mysql_real_escape_string($_POST['Article_Title']);
$sql15="insert into body
(Article_ID, Article_Title)
values
('$article_id', '$article_title') ";
mysql_query($sql15) or die(mysql_error());
I am trying to make an update query to update a user to have a password. The update statement is extremely easy and it has been baffling me for about 12 hours now.
I have read everything having to do with this on 3.5 pages of google searches. but for some reason, none of the suggestions work for me!
Here is the UPDATE query in its 'original' form:
$sql_update = "UPDATE users_sensitive SET password = '$password_hash', ch_password = '$password_hash' WHERE email_hash = '$email_hash'";
$result_update = mysql_query($sql_update) or die(mysql_error());
When I do this update Query, I get no errors or anything back. It also just does not update.
Here's another rendition of the same code:
$sql_update = "UPDATE users_sensitive SET password = '" . $password_hash . "', ch_password = '" . $password_hash. "' WHERE email_hash = '" . $email_hash . "'";
$result_update = mysql_query($sql_update) or die(mysql_error());
Again, nothing happens.
When I put the actual numbers in here instead of the php variables:
$sql_update = "UPDATE users_sensitive SET password = '700b5b23b511d974fe9eeb17ad350b33', ch_password = '700b5b23b511d974fe9eeb17ad350b33' WHERE email_hash = 'ac24dab060a172d8c0b3679d8ae61cac'";
$result_update = mysql_query($sql_update) or die(mysql_error());
(don't worry, it's not sensitive info) It does actually update...
So, I'm assuming my syntax is wrong? I know these are Strings instead of just numbers, so I need the single quotes around them. I have the two variables I need echoed and they are both showing exactly what they should be. I have even tried to use backticks around the column name but that didn't do anything?
I did a var_dump and it came back "true".
When I do a print on my $sql_update, I get:
UPDATE users_sensitive SET password = '700b5b23b511d974fe9eeb17ad350b33', ch_password = '700b5b23b511d974fe9eeb17ad350b33' WHERE email_hash = 'ac24dab060a172d8c0b3679d8ae61cac'
There is no whitespace here.
When I print the $result_update, it comes up with: 1
ANSWER
Thank you to bemace, James Anderson, VolkerK, alex and the others!
The problem was that there was a strange line break in the code creating whitespace that was not the same as on the database.
After backtracking, I noticed at the very beginning of my code on this page, I used a GET to get a hash number from the URL. While making a variable, during testing, I added a line break to the variable for testing purposes only. I (stupidly) left the line break in there. When using that variable in a hidden form field, it included the line break.
After taking the line break out of the first line, everything matched up and all is good.
If you are reading this and plan on posting later, Posting the entire code is probably worth it. This problem would have been fixed earlier if I had.
Again, Thank you to the quick responses and trouble shooting!
No errors and no updates tells me that your where clause isn't matching anything. Make sure $email_hash doesn't have any leading or trailing whitespace and isn't being truncated.
A less likely possibility is that the update is part of a transaction that is being rolled back.
Another less likely possibility: are you connected to the right server?
Thank you to bemace, James Anderson, VolkerK, alex and the others!
The problem was that there was a strange line break in the code creating whitespace that was not the same as on the database.
After backtracking, I noticed at the very beginning of my code on this page, I used a GET to get a hash number from the URL. While making a variable, during testing, I added a line break to the variable for testing purposes only. I (stupidly) left the line break in there. When using that variable in a hidden form field, it included the line break.
After taking the line break out of the first line, everything matched up and all is good.
If you are reading this and plan on posting later, Posting the entire code is probably worth it. This problem would have been fixed earlier if I had.
Again, Thank you to the quick responses and trouble shooting!