Sorry if I'm asking an already answered question, but I was not able to find my specific set-up.
I have a php file called functions.php, where I store all my functions and where I prepare my database.
A small example would be as follows:
function getUsers()
{
global $mysqli,$db_table_prefix;
$stmt = $mysqli->prepare("SELECT
id,
user_name,
FROM db_users");
$stmt->execute();
$stmt->bind_result($id, $user);
while ($stmt->fetch()){
$row[] = array('id' => $id, 'user_name' => $user);
}
$stmt->close();
return ($row);
}
I want to make a search function, with a form where I can search with OPTION VALUES, i.e values as: id, user_name.
By having functions.php I am already establishing the connection to the mysql database,
How can I search the database with my '%searchrequest%' with a search.php?
Or do you suggest another solution?
Just pass these search values into your current function. If nothing is passed,it will fetch all the data. If there is any value passed it will filter based on it.
function getUsers($id="",$user_name="")
{
global $mysqli,$db_table_prefix;
$query = "SELECT
id,
user_name,
FROM db_users WHERE 1 = 1 ";
if(trim($id))
$query .= " AND id = '".$id."'";
if(trim($user_name))
$query .= " AND user_name = '".$user_name."'";
$stmt = $mysqli->prepare($query);
$stmt->execute();
$stmt->bind_result($id, $user);
while ($stmt->fetch()){
$row[] = array('id' => $id, 'user_name' => $user);
}
$stmt->close();
return ($row);
}
Related
I have a database in which I have user_id & associated_id.There can be multiple associated_id for a single user_id. Now I want to fetch all the associated_ids into a single array. I have tried this method but don't know how to get them in array.
$stmt = $this->conn->prepare("SELECT * FROM my_contacts WHERE user_id = ?");
$stmt->bind_param("s", $user_id);
if ($stmt->execute())
{
while ($stmt->fetch())
{
//what to write here
}
//echo var_dump($user);
$stmt->close();
}
Try this:
$stmt = $mysqli->prepare("SELECT associated_id FROM my_contacts WHERE user_id = ?")) {
$stmt->bind_param('s', $user_id); // Bind "$user_id" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($associated_id);
$stmt->fetch();
The results will be stored in the $associated_id array.
You can bind parameters like this and use fetchall method to get all the results in a array
$stmt = $this->conn->prepare("SELECT * FROM my_contacts WHERE user_id = :user_id");
$stmt->bind_param(":user_id", $user_id, PDO::PARAM_INT);
if ($stmt->execute())
{
$result = $stmt->fetchall(PDO::FETCH_ASSOC);
//echo var_dump($user);
$stmt->close();
}
According to your code you used mysqli.
$stmt = $this->conn->prepare("SELECT * FROM my_contacts WHERE user_id = ?");
if($stmt->execute()){
$result = $stmt->get_result();
if($result->nom_rows > 0){
while($row = $result->fetch_assoc()){
var_dump($row)
}
}else{
echo "Sorry NO data found";
}
}else{
echo "Some thing is wrong";
}
here you can't used $stmt->bind_result(); instead of use $stmt->get_result()
$stmt->bind_result(); is only used when you define field in select query
with * you need to used $stmt->get_result()
refer this link for more information
Example of how to use bind_result vs get_result
Inserting data in oracle DB using oci_8. Sample query to insert string with special characters or quotes
update TABLENAME set COMMENTS = 'As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort' where ID = 99;
To insert/update
$query = 'update TABLENAME set COMMENTS = '$_POST[comments]';
$result = customexecute($new_query);
public function customexecute($query)
{
$resutlt = parent::customquery($query);
return $resutlt;
}
public static function customquery($query)
{
try{
$stmt = oci_parse($conn, $query);
oci_execute($stmt,OCI_COMMIT_ON_SUCCESS);
oci_commit(db_singleton::getInstance());
oci_free_statement($stmt);
}catch (Exception $e)
{
print_r($e);
}
}
Executing it on ORACLE DB it says SQl command not properly ended. Looked into Parameterized queries mentioned here but not able to integrate it succesfully.
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
oci_bind_by_name($stmt, ':field', "The field value with 'apostrophes' and so");
oci_bind_by_name($stmt, ':id', '125');
$result = oci_execute($stmt);
I can pass :bind_comments in my query which is in my controller. But $stmt resides in my db_singleton file (general for all DB queries) and can not pass seperately for a individual query.
How can I sanitize user input or do not allow data to be used in creating SQL code
From the update function, pass everything needed to the execute function:
$result = customExecute(
'update xxx set comments=:COMMENTS where id=:ID',
[
':COMMENTS' => $_POST['comment'],
':ID' => 99
]
);
Then in the execute function simply iterate the array to bind all params:
public static function customExecute($sql, array $params = [])
{
$stmt = oci_parse($conn, $sql);
foreach ($params as $key => &$value) {
oci_bind_by_name($stmt, $key, $value);
}
$result = oci_execute($stmt);
...
}
No, unsurprisingly, MySQL functions won't work with Oracle DB :)
You need to parameterise things, e.g.:
$query = 'update TABLENAME set COMMENTS = :bind_comments where id = :bind_id';
$stmt = $dbh->prepare($query);
$stmt->bindParam(':bind_comments', $_POST['comments']);
$stmt->bindParam(':bind_id', $_POST['id']);
$stmt->execute();
The correct way of using the OCI8 PHP extensions is:
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
oci_bind_by_name($stmt, ':field', "The field value with 'apostrophes' and so");
oci_bind_by_name($stmt, ':id', '125');
$result = oci_execute($stmt);
More information: http://php.net/manual/book.oci8.php
When I want to find a value from a row using PDO I use the following method:
//Search whether user exists
$sqlQueryEmailLogin = $dbh->prepare("SELECT vendor_id, first_name, last_name, email_login, user_password, passport_id, login_attempts, login_last_attempt FROM $tableVendorDetails WHERE email_login = ?");
$sqlQueryEmailLogin->bindValue(1, $emailLogin);
$sqlQueryEmailLogin->execute();
and the following PHP code for the search field
$emailLogin = 'xyz#abc.com'
Now I'd like to search two columns or more and use the following code
$sql = "SELECT * FROM articles WHERE id = ? AND status = ?";
$stmt = $conn->prepare($sql);
$stmt->bindValue(1, $id);
$stmt->bindValue(2, $status);
$stmt->execute();
I'd like to search the two columns from a string. How should I go about it, please?
The string value i go is from a html form with one input box
I'd like a string that is capable of searching two values from a MySQL table e.g.
$search = $id; and
$seach = $status;
in this case both cancel each other
You could simplify it by using the method described by #gbestard. But you should also do this:
$search = 'asdf'; // fill this with your form input
$sql = "SELECT * FROM articles WHERE id = :id OR status = :status";
$stmt = $conn->prepare($sql);
$stmt->execute(array(
':id' => $search,
':status' => $search,
));
Notice the change to OR in the query, and supplying the $search multiple times...
That's what I'm using
$sql = "SELECT * FROM articles WHERE id = :id AND status = :status";
$stmt = $conn->prepare($sql);
$stmt->execute(array(':id' => $id , ':status' => $status));
Try the following
$sql = "SELECT * FROM articles WHERE id = :id AND status = :status";
$stmt = $conn->prepare($sql);
$stmt->bindValue(':id', $id);
$stmt->bindValue(':status', $status);
$stmt->execute();
See docs http://php.net/manual/en/pdostatement.bindvalue.php
You should use OR instead of AND. That way, you will get all rows that match either by id or by status.
SELECT * FROM articles WHERE id = ? OR status = ?
I'm having a mysqli data fetching problem. I will try to explain my problem by example:
I want to fetch entries (by different persons), from a table. Now I want to look for each of the fetched person's name in another table and see if he has any photo.
My code is given below, however its not working, I'm getting following errors:
mysqli::prepare() [mysqli.prepare]: All data must be fetched before a new statement prepare takes place
Call to a member function fetch() on a non-object in ...
My Code:
if ($stmt = $this->mysqli->prepare("SELECT entry, author, time FROM messages WHERE user = ?")) {
$stmt->bind_param("s", $user_name);
$stmt->execute();
$stmt->bind_result($entry, $author, $time);
while ($stmt->fetch()) {
if ($stmt = $this->mysqli->prepare("SELECT photo_id FROM photos WHERE user = ?")) {
$stmt->bind_param("s", $author);
$stmt->execute();
$stmt->bind_result($photo_id);
}
//echo $photo_id;
}
$stmt->close();
}
I'll be very thankful for any help.
Assign the second statement to new variable so it wouldn't override the first variable and cause the "all data must be fetched.." error.
if ($stmt = $this->mysqli->prepare("SELECT entry, author, time FROM messages WHERE user = ?")) {
$stmt->bind_param("s", $user_name);
$stmt->execute();
$stmt->bind_result($entry, $author, $time);
while ($stmt->fetch()) {
if ($st = $this->mysqli->prepare("SELECT photo_id FROM photos WHERE user = ?")) {
$st->bind_param("s", $author);
$st->execute();
$st->bind_result($photo_id);
}
//echo $photo_id;
$st->close();
}
$stmt->close();
}
I've tried following the PHP.net instructions for doing SELECT queries but I am not sure the best way to go about doing this.
I would like to use a parameterized SELECT query, if possible, to return the ID in a table where the name field matches the parameter. This should return one ID because it will be unique.
I would then like to use that ID for an INSERT into another table, so I will need to determine if it was successful or not.
I also read that you can prepare the queries for reuse but I wasn't sure how this helps.
You select data like this:
$db = new PDO("...");
$statement = $db->prepare("select id from some_table where name = :name");
$statement->execute(array(':name' => "Jimbo"));
$row = $statement->fetch(); // Use fetchAll() if you want all results, or just iterate over the statement, since it implements Iterator
You insert in the same way:
$statement = $db->prepare("insert into some_other_table (some_id) values (:some_id)");
$statement->execute(array(':some_id' => $row['id']));
I recommend that you configure PDO to throw exceptions upon error. You would then get a PDOException if any of the queries fail - No need to check explicitly. To turn on exceptions, call this just after you've created the $db object:
$db = new PDO("...");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
I've been working with PDO lately and the answer above is completely right, but I just wanted to document that the following works as well.
$nametosearch = "Tobias";
$conn = new PDO("server", "username", "password");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sth = $conn->prepare("SELECT `id` from `tablename` WHERE `name` = :name");
$sth->bindParam(':name', $nametosearch);
// Or sth->bindParam(':name', $_POST['namefromform']); depending on application
$sth->execute();
You can use the bindParam or bindValue methods to help prepare your statement.
It makes things more clear on first sight instead of doing $check->execute(array(':name' => $name)); Especially if you are binding multiple values/variables.
Check the clear, easy to read example below:
$q = $db->prepare("SELECT id FROM table WHERE forename = :forename and surname = :surname LIMIT 1");
$q->bindValue(':forename', 'Joe');
$q->bindValue(':surname', 'Bloggs');
$q->execute();
if ($q->rowCount() > 0){
$check = $q->fetch(PDO::FETCH_ASSOC);
$row_id = $check['id'];
// do something
}
If you are expecting multiple rows remove the LIMIT 1 and change the fetch method into fetchAll:
$q = $db->prepare("SELECT id FROM table WHERE forename = :forename and surname = :surname");// removed limit 1
$q->bindValue(':forename', 'Joe');
$q->bindValue(':surname', 'Bloggs');
$q->execute();
if ($q->rowCount() > 0){
$check = $q->fetchAll(PDO::FETCH_ASSOC);
//$check will now hold an array of returned rows.
//let's say we need the second result, i.e. index of 1
$row_id = $check[1]['id'];
// do something
}
A litle bit complete answer is here with all ready for use:
$sql = "SELECT `username` FROM `users` WHERE `id` = :id";
$q = $dbh->prepare($sql);
$q->execute(array(':id' => "4"));
$done= $q->fetch();
echo $done[0];
Here $dbh is PDO db connecter, and based on id from table users we've get the username using fetch();
I hope this help someone, Enjoy!
Method 1:USE PDO query method
$stmt = $db->query('SELECT id FROM Employee where name ="'.$name.'"');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
Getting Row Count
$stmt = $db->query('SELECT id FROM Employee where name ="'.$name.'"');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';
Method 2: Statements With Parameters
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=?");
$stmt->execute(array($name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Method 3:Bind parameters
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=?");
$stmt->bindValue(1, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
**bind with named parameters**
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=:name");
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
or
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=:name");
$stmt->execute(array(':name' => $name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Want to know more look at this link
if you are using inline coding in single page and not using oops than go with this full example, it will sure help
//connect to the db
$dbh = new PDO('mysql:host=localhost;dbname=mydb', dbuser, dbpw);
//build the query
$query="SELECT field1, field2
FROM ubertable
WHERE field1 > 6969";
//execute the query
$data = $dbh->query($query);
//convert result resource to array
$result = $data->fetchAll(PDO::FETCH_ASSOC);
//view the entire array (for testing)
print_r($result);
//display array elements
foreach($result as $output) {
echo output[field1] . " " . output[field1] . "<br />";
}