SQL newb here...
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = 'myid'"); works the way I want.
$compid1 = 'myid';
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = #compid1");
does not yield the same results.
I have also tried $compid1 and various other things, but without success.
Sorry for the simple question, but the answer is still eluding me. Thanks!
UPDATE: Oh yea...the question. How can I use a prestored variable for my WHERE check?
You need to use $ before a variable, not #. And you need to put quotes around it since it's a string:
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = '$compid1'");
However, it would be best if you stopped using the mysql extension. Use PDO or mysqli, and use prepared statements with parameters. E.g. in PDO it would be:
$stmt = $conn->prepare("SELECT first_name FROM gamers WHERE comp_id = :compid");
$stmt->bindParam(':compid', $compid1);
$stmt->execute();
Enclose the string variable inside a pair of quotes.
$compid1 = 'myid';
$db_result = mysql_query("SELECT first_name FROM gamers WHERE comp_id = '$compid1'");
Related
I am making an error with PHP SELECT WHERE code - which should be simple, but I have made no progress.
The code works with SELECT FROM line, but not with the SELECT FROM WHERE `line.
I have spent a few hours with no luck.
I have tried different syntax combinations with no progress.
$sql = "SELECT * FROM `customer_crm` WHERE `sales_agent` = '$username'";
//$sql = "SELECT * FROM `customer_crm`"; /* this works*/
Assuming that you set a default character encoding, you can use mysqli_real_escape_string to avoid SQL Injections. However, the comment to use a prepared statement is really the best advice here.
However, with mysqli_real_escape_string your SQL should work like that:
$sql = 'SELECT * FROM `customer_crm` WHERE `sales_agent` = "'.mysqli_real_escape_string($link,$username).'"';
You can even try this query
$sql = "SELECT * FROM customer_crm WHERE sales_agent = '".$username."'";
I am working on a friend list function and I can't figure out how to correctly receive the values.
My code looks like this:
$getuid = $mysqli->prepare("SELECT `uid` FROM `users` WHERE name = ? OR name = ?");
$getuid->bind_param("ss", $user, $friend);
$getuid->execute();
$getuid->bind_result($uid);
$getuid->fetch();
$getuid->close();
$resetpass = $mysqli->prepare("INSERT INTO `friendlist` SET `friend1`=?, `friend2`=?, `accept`=0");
$resetpass->bind_param("ss", $uid[0], $uid[1]);
With the first query I get exactly two uid values back. I want to use them in the second query. It seems like bind_result is not working, neither as array nor when using two values in bind_result. How can I do this using mysqli. I can't use get_result because I'm on PHP 5.2 .
Anyone able to help me?
I think you need something like this. I have not tested it and there are probably even better ways to do this. I just tried the quickest change i could make to your original code to get it to work.
$query = "SELECT uid FROM users WHERE name = '".$user."' OR name = '".$friend."'";
$getuid = $mysqli->query($query);
if($uid = $getuid->fetch_assoc())
{
$query = "INSERT INTO friendlist SET friend1= '".$uid['uid'][0]."', friend2='".$uid['uid'][1]."', accept=0";
$mysqli->query($query)
}
$getuid->close();
Okay I finally understood the concept of fetch.
In order to receive all the values I have to retrieve them in a while-loop.
Here is the solution:
$getuid = $mysqli->prepare("SELECT `uid` FROM `users` WHERE name = ? OR name = ?");
$getuid->bind_param("ss", $user, $friend);
$arra = array();
$getuid->execute();
$getuid->bind_result($uid);
while ($getuid->fetch()) {
$arra[] = $uid;
}
Now I can call the array values using $arra[0] and $arra[1]
$sql = "SELECT email FROM family WHERE family = '$family'";
$result = mysql_query($sqll)or die(mysql_error());
Is this the right way to get php variable into mysql query?
That could work. However, it's vulnerable to SQL injection.
This is safer:
$sql = sprintf("SELECT email FROM family WHERE family = '%s'",
mysql_real_escape_string($family));
$result = mysql_query($sql);
If you starting with PHP/MySQL I would recommend you to check PDO or MySQLi extension as it allows you to use more smart database queries and easier to maintain.
The code has a type error
$sqll is not defined.it must be $result = mysql_query($sql).
I believe this is the reason you are looking for...(since the question is too vague which is probably because you got an error that you couldnt track)
From my knowledge best way to use like this:
if $family is not string
$sql = "SELECT email FROM family WHERE family = ".$family;
if there is a string comparison then,
$sql = "SELECT email FROM family WHERE family = '".$family."'";
'$family' no need of single quotes here
I have 2 values that I'm suppling my script - I want to search for any one of those datas. How do I write my query like this:
SELECT * FROM table WHERE id = '".$id."' or "name='".$name."';
my problem is escaping the quotes in the query.
Any help will be appreciated.
There are a few ways to do it, a lot of them frowned on but generally I would stick to using MySQLi and using the
mysqli_real_escape_string($id)
function or in OOP
$mysqli = new mysqli('host', 'user', 'pass', 'database');
$id = $mysqli -> real_escape_string($id);
$name = $mysqli -> real_escape_string($name);
$results = $mysqli -> query("SELECT * FROM table WHERE id = '{$id}' or "name='{$name}'");
You may use curly brackets to avoid confusion with escaping characters as follows:
$query = "SELECT * FROM table WHERE id = '{$id}' or name = '{$name}' ";
You may also consider using wildcards such as %$letter% to search for word anywhere in the name field as:
$query = "SELECT * FROM table WHERE id = '{$id}' or name LIKE '%{$name}%' ";
SUGGESTTION:
You should always use id fields as integer for better performance.
Use this fancy function, mayhaps? The examples have what you're looking for.
You've got an extra quote; if you want to stick with your original code (not recommended), try something like this:
$query = "SELECT * FROM table WHERE id = '".$id."' or name='".$name."'";
But really you should be using parameterised queries so that you avoid possible SQL injection security issues!
Write it as:
$name = mysql_real_escape_string($name);
$id = mysql_real_escape_string($id);
$query = "SELECT * FROM table WHERE id = '$id' or name= '$name' ";
Because you started with double quotes the single quotes are part of the query and the $vars are expanded.
Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?
Say i have a form on a page asking for someone's age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)
$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);
Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:
...
$Query = "INSERT INTO details (age) VALUES ('$Number')"; <-- quotes
...
What about performing a SELECT? Is this:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);
better than:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID"; <-- no quotes
$Result = mysqli_query($dbc, $Query);
NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i'm dealing with. I want to secure it as best as i can.
If you add numbers, use the intval/floatval functions, don't use mysql_real_escape_string for those.
For everything you use mysql_real_escape_string for, you must use quotes, example:
$input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.
You really shoud use sprintf, even if in legacy code it takes 2 mins to modify and is in my opinion totally worth the time.
Shamelessly ripped from php.net:
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
Your query is now pretty much safe from being passed the wrong types to it's fields and unescaped caracters.
You SHOULD use the PHP filters, and filter for numbers - even for ranges, regular expressions; with default values, NULL on failure, etc.
http://hu.php.net/manual/en/ref.filter.php
if the values come from a request variable, e.g. $_POST, see:
http://hu.php.net/manual/en/function.filter-input.php