I am sending myself crazy figuring out what the issue is with the following code. All names within the database are exact as I have them here however I can't seem to get the info from the quote using $quoteid however when I type in an id static e.g. quoteid = 12 I can filter through the data.
Obviously this isn't ideal.
<?php
$quoteid = $_GET["quoteid"];
if ($_GET['quoteid']) {
$quoteid = $_GET["quoteid"];
}
$quote = $db->getRow("SELECT * FROM quotes WHERE quoteid = $quoteid");
?>
Html
<h1><?php echo $quote->description;?></h1>
Any help would be greatly appreciated.
Thanks,
Melissa
Note that you need to put the PHP variables inside single quotes when writing SQL queries. Do it like in the example:
$quote = $db->getRow("SELECT * FROM quotes WHERE quoteid = '$quoteid'");
why you getting again and again $_GET["quoteid"] and also use single for variable when writing SQL queries
<?php
$quoteid = $_GET["quoteid"];
if (!empty($quoteid)) {
$quote = $db->getRow("SELECT * FROM quotes WHERE quoteid = '$quoteid'");
}
else {
echo 'quote id is empty';
}
?>
also use mysql_real_string_escape() to prevent sql injection
You should do the following... basic debugging.
print_r or var_dump for $_GET to see if and how "quoteid" is set up
in the $_GET superglobal
echo your SQL (instead of mysql_query just echo it) and run it in
phpmyadmin if it seems ok -- you might have something you missed out
somewhere
That way you should be able to figure out your issue faster
there is mistake in query syntax with $quoteid variable. you should use this one-
global $db;
$quote = $db->get_row("SELECT * FROM quotes WHERE quoteid ='".$quoteid."'");
Related
So I'm having an issue that seems like it should be a pretty simple fix but I can't seem to figure it out.
I'm using prepared statements to query data from my SQL and the return is correct. I have var_dumped the result and confirmed the the information is there.
The table shows this: 2 'all of the way'
The array variable shows this: 2 \'all of the way\'
But when I echo it to the page, I see this: 2
I have tried htmlspecialchars, htmlentities, addslashes, stripslashes and a few combinations of those. Is there a function I'm missing here? Google isn't really helpful because the words to describe the problem are pretty generic.
Thanks in advance!
EDIT
Sorry - didn't add my code because I assumed it was a function I wasn't familiar with. Here it is.
$Res = $db -> query("SELECT * FROM 01_02_item WHERE ParID = $ParID AND active = 1 ORDER BY OrderID") -> fetchAll(PDO::FETCH_ASSOC);
if(empty($Res[0])) $return = "<span class = 'nodata'>No data</span>";
foreach($Res as $r){
$id = $r['id'];
$name = htmlspecialchars($r['Name']);
$title = stripslashes(htmlspecialchars($r['Description']));
$return .= "<li href = '$id' title = '$title' name = '$name'>$name</li>";
}
return $return;
By default htmlspecialchars() doesn't escape single quotes.
You should use htmlspecialchars('foobar', ENT_QUOTES).
<?php $daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
echo $daerah_ejen1;
echo $kumpulan_ejen1;
echo $kumpulan_ejen;
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
$result = mysql_query($sql) or #error_die("Query failed : $sql " . mysql_error());
?>
my url
laporan_kk_detail.php?daerah_ejen=HULU+LANGAT&kumpulan_ejen=Ketua Kampung
for output daerah_ejen variable has display,
but for kumpulan_ejen/kumpulan_ejen1 is not display.
i dont know where the problem
your quotes accessing $_GET variable is invalid. try this
<?php
$daerah_ejen1 = $_GET["daerah_ejen"];
$kumpulan_ejen1 =$_GET["kumpulan_ejen"];
and you should read something about security, because you can pass malicous code to your script!
edit:// you can have a look on this thread https://stackoverflow.com/questions/19539692/sanitizing-user-input-php
you are converting get values in string using double quotes so remove and try
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
also use mysql_real_escape_string() for prevent sql injection.
The quotes go around the parameter name. This is because $_GET[] is an associative array and its values are referenced using a string key
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
Always sanitize your parameter values before using them in a query to protect yourself against SQL injection.
$daerah_ejen1 = mysqli::real_escape_string($daerah_ejen1)
You face 2 problem on your code :
1st is :
$daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
replace it by this :
$daerah_ejen1 = $_REQUEST['daerah_ejen'];
$kumpulan_ejen1 =$_REQUEST['kumpulan_ejen'];
2nd is :
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
replace it by this :
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '".$daerah_ejen1. "' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
If you need to put the $_GET['name'] in double quotes, wrap it in {} brackets.
e.g.
$kumpulan_ejen1 ="{$_GET['kumpulan_ejen']}";
Also, as dbh pointed out, you only have $kumpulan_ejen1, not kumpulan_ejen.
I have multiple values passed through a POST form (from multiple check boxes of previous page) and I stored them into an array $vals. Now I want to write a query string (in a while loop) that generates a slightly different query depending on how far in the loop it has been.
<?php
$vals=($_POST['selectedIDs']);
$i=0;
while($vals[$i] != NULL){
$query = "SELECT * FROM List foo WHERE foo.fooID = echo $vals[$i]";
$result = mysqli_query($link, $query);
if($result) echo "YES IT WORKS!";
$i += 1;
}?>
But it doesn't seem to work this way? I thought that by having double quotes for query, the
echo $vals[$i]
would generate the actual value of the current index in $vals[$i] and not the literal string? Is this what's happening? Can I not have php inside a query string that the mysql servers would accept?
lets just say i have a fooID in my server table that is '12345'. Even if I set $vals='12345' and write:
$query = "SELECT * FROM List foo WHERE foo.fooID = $vals";
$result = mysqli_query($link, $query);
if($result) echo "YES IT WORKS!";
it still doesn't work. I guess my general question would be: is it possible to write/get values of variables in a query string, and if not, is there another way around my situation? Any help is appreciated. Thanks!
You should not be placing the un-sanitized $_POSTed values into a SQL query. Look into using paramaterized arguments and mysqli.
You can output variables using the syntax:
$myVar = 'toast';
$combined = "I like $myVar";
However, this will not work as you would like for an array.
For an array, you'll want to look into using something like php's implode() to convert your array into a string first.
first of all never do queries in loop.
Second of all never use straight $_POST or $_GET or whatever client is passing in queries because you can be harmed by sql injections.wiki and also clearing data for mysql in php
ok so how it should be done (i am saying only about first one. second one i dont know how to make it without oop ).
<?php
$vals=($_POST['selectedIDs']);
$vals = implode(',',$vals);
$query = "SELECT * FROM List foo WHERE foo.fooID IN ($vals)";
$result = mysqli_query($link, $query);
while ($row = mysqli_fetch_row($result)) {
echo "YES IT WORKS!";
var_dump($row); //you will see all the data in one row
}
}?>
You have an extra echo in your SQL string:
$query = "SELECT * FROM List foo WHERE foo.fooID = echo $vals[$i]";
It should be:
$query = "SELECT * FROM List foo WHERE foo.fooID = $vals[$i]";
Generally, it's a BAD idea to construct SQL strings from user input. Use prepared statements instead. Check here for more info on prepared statements:
http://php.net/manual/en/pdo.prepared-statements.php
Thanks you guys for the advice but it turned out, my code didn't execute correctly because of a syntax error (and the extra echo statement). my original code was missing quotation marks around $vals[$i]. This is a mysql syntax mistake because it didn't accept foo.fooID=12345 but did for foo.fooID='12345'. Here is the final code that solved it
<?php
$vals=($_POST['selectedIDs']);
$i=0;
while($vals[$i] != NULL){
$query = "SELECT * FROM List foo WHERE foo.fooID = '$vals[$i]'";
$result = mysqli_query($link, $query);
if($result) echo "YES IT WORKS!";
$i += 1;
}?>
I'm trying to create an update function in PHP but the records don't seem to be changing as per the update. I've created a JSON object to hold the values being passed over to this file and according to the Firebug Lite console I've running these values are outputted just fine so it's prob something wrong with the sql side. Can anyone spot a problem? I'd appreciate the help!
<?php
$var1 = $_REQUEST['action']; // We dont need action for this tutorial, but in a complex code you need a way to determine ajax action nature
$jsonObject = json_decode($_REQUEST['outputJSON']); // Decode JSON object into readable PHP object
$name = $jsonObject->{'name'}; // Get name from object
$desc = $jsonObject->{'desc'}; // Get desc from object
$did = $jsonObject->{'did'};// Get id object
mysql_connect("localhost","root",""); // Conect to mysql, first parameter is location, second is mysql username and a third one is a mysql password
#mysql_select_db("findadeal") or die( "Unable to select database"); // Connect to database called test
$query = "UPDATE deal SET dname = {'$name'}, desc={'$desc'} WHERE dealid = {'$did'}";
$add = mysql_query($query);
$num = mysql_num_rows($add);
if($num != 0) {
echo "true";
} else {
echo "false";
}
?>
I believe you are misusing the curly braces. The single quote should go on the outside of them.:
"UPDATE deal SET dname = {'$name'}, desc={'$desc'} WHERE dealid = {'$did'}"
Becomes
"UPDATE deal SET dname = '{$name}', desc='{$desc}' WHERE dealid = '{$did}'"
On a side note, using any mysql_* functions isn't really good security-wise. I would recommend looking into php's mysqli or pdo extensions.
You need to escape reserved words in MySQL like desc with backticks
UPDATE deal
SET dname = {'$name'}, `desc`= {'$desc'} ....
^----^--------------------------here
you need to use mysql_affected_rows() after update not mysql_num_rows
Currently I have a piece of code that functions fine as it is. But what I really want to do is take the <?php if strval ..?> part and place it into the "SELECT * FROM projects" part as a WHERE clause. I am not sure whether this is possible or how to go about it. Any thoughts would be really valued. Hope this makes sense.
<?php
// ** User ID
$userid = $row_listelements ['id'];
// ** Projects
mysql_select_db($database_db, $db);
$query_activeusers = "SELECT * FROM projects ";
$activeusers = mysql_query($query_activeusers, $db) or die(mysql_error());
$row_activeusers = mysql_fetch_assoc($activeusers);
$totalRows_activeusers = mysql_num_rows($activeusers);
?>
<? do {?>
<?php if (!(strpos($row_activeusers['assignedto'], strval(",".$userid.",")) === false)) { ?>
<div><?=$row_activeusers['jobnumberdisplay'];?></div>
<?php } ?>
<? } while ($row_activeusers = mysql_fetch_assoc($activeusers)); ?>
<strong><?php echo $totalRows_activeusers; ?></strong>
In case your userid is a unique number, and I understand your question correctly, you could reach this by:
using IN - can handle strings and numbers (they have to be unique to make this work):
$query_activeusers = "SELECT * FROM projects WHERE ".$userid." IN (assignedto)";
or using FIND_IN_SET - can handle Strings and numbers is case sensitive:
$query_activeusers = "SELECT * FROM projects WHERE FIND_IN_SET('".$userid."', assignedto)"
But I think you should look at your database design. The trouble with including Foreign Keys in a delimited list like this is that whole point of a foreign key is to enable you to locate the information in the other table quickly, using Indexes. By implementing a database as it sounds you have, you have all sorts of issues to resolve.
i m not sure but maybe this will help you.
if(strval ...)
{
$where = "where field = $value";
}
Now you can use this $where variable in your select query. it will execute only if your if condition is satisfy.
If I understand your code correctly, you should use SQL LIKE, i.e. something like:
$query_activeusers = "SELECT * FROM projects WHERE assignedto LIKE '%," .
((int) $userid) . ",%'";
The cast to (int) here is done to ensure you have no special SQL characters in $userid - kind of cheap SQL quoting for values that are integers. You do not really need to use strval as concatenation into the string will convert that number into a string.