I'm having some trouble with MySQL, so I posted the parameter "user" with AJAX. I got the SQL connected for sure, but somehow it doesn't do what I want it to do. Here's my code:
$ffs="select * from mex_szerzo where sznev=".$_POST["user"];
$vissza=mysql_query($ffs);
$sor=mysql_fetch_array($vissza);
$user=$sor["sznev"];
print ($user);
The $user is empty somehow; the $_POST["user"] has a value for sure. If I print it, it prints the actual user. I keep the users in a database, and the username is stored as "sznev" for sure too, but still the $user comes back as an empty variable.
You're missing the quotes around your string value:
$ffs="select * from mex_szerzo where sznev=".$_POST["user"];
should be:
$ffs="select * from mex_szerzo where sznev='".$_POST["user"]."'";
You have no error checking in your code. That's why you didn't know what was wrong. Look into using mysql_error().
Or, better yet, stop using an obsolete API altogether. The mysql_* functions are deprecated. Look into using mysqli or PDO instead.
your query should be:
$ffs="select * from mex_szerzo where sznev='".$_POST["user"]."'";
You need to quote the string and make sure your quote types encapsulate the query properly (single vs double quotes).
$ffs="select * from mex_szerzo where sznev='".$_POST['user']."'";
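The same lookup written with a mysqli prepared statement, as an added example that is not from the question or any of the answers above. It assumes PHP 7.1 or later; the table mex_szerzo and the column sznev are the ones from the question, while the connection parameters are placeholders.

```php
<?php
// Added example: look up a user with a mysqli prepared statement instead of
// splicing $_POST["user"] into the SQL text. Host, user, password and database
// are placeholders; mex_szerzo / sznev come from the question.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // every MySQL error becomes an exception

function find_user(mysqli $db, string $username): ?string
{
    // The value travels separately from the SQL, so quoting is never the
    // application's job and a name such as O'Brien cannot change the query.
    $stmt = $db->prepare("SELECT sznev FROM mex_szerzo WHERE sznev = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($sznev);
    $found = $stmt->fetch();   // true when a row was read, null when there is none
    $stmt->close();
    return $found ? $sznev : null;
}

$db = new mysqli("db-host", "db-user", "db-password", "db-name"); // placeholders
$db->set_charset("utf8mb4");

// Do not assume the parameter exists or is a string; reject anything else early.
$username = $_POST["user"] ?? null;
if (!is_string($username) || $username === "") {
    http_response_code(400);
    exit("missing user parameter");
}

$user = find_user($db, $username);
if ($user === null) {
    echo "no such user";
} else {
    // Escape for the HTML response; SQL escaping is no longer needed anywhere.
    echo htmlspecialchars($user, ENT_QUOTES, "UTF-8");
}
```

With MYSQLI_REPORT_STRICT a failed prepare or execute throws mysqli_sql_exception, so the silent empty result the question describes cannot happen unnoticed.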
I have the following php version:
PHP Version 5.3.2-1ubuntu4.19
and this php string:
$l_sDesc = "It doesn' t contain any dangerous substances";
If I try to make a query with db_query (Drupal), I get an error due to the apostrophe:
db_query("UPDATE mytable SET description= '$l_sDesc' where id = $id");
I've tried to use mysql_real_escape_string(), but I get an empty string:
$l_sDesc = mysql_real_escape_string($l_sDesc); // I get an empty string as a result
What's the problem?
Drupal uses another DB wrapper. Normally you can create prepared statements.
https://api.drupal.org/api/drupal/includes!database!database.inc/group/database/7
Here is a correct example. If you use the correct prepared statements your input will be filtered.
Otherwise use stripslashes().
http://php.net/manual/de/function.stripslashes.php
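The question's UPDATE written with the Drupal 7 database API's named placeholders, as an added example (not taken from the question or the answer). The table and column names and the variables $l_sDesc and $id are the question's; the $id value is a constructed sample.

```php
<?php
// Added example: Drupal 7 db_query() with named placeholders. The table name
// mytable, the column description and the variables come from the question;
// $id = 42 is a constructed sample value.

$l_sDesc = "It doesn' t contain any dangerous substances";
$id = 42;

// {mytable} lets Drupal add its configured table prefix. :description and :id
// are placeholders bound by the database layer, so the apostrophe in $l_sDesc
// is delivered as data and never spliced into the SQL text. No escaping
// function is called on the value, and none should be.
$affected = db_query(
  "UPDATE {mytable} SET description = :description WHERE id = :id",
  array(':description' => $l_sDesc, ':id' => $id)
)->rowCount();

echo "rows updated: " . $affected . "\n";
```

For INSERT, UPDATE and DELETE, Drupal 7 also provides the db_insert(), db_update() and db_delete() builders, which take values the same way (as data, not as SQL text); db_query() is shown here because it is what the question uses.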
Tom, you need to "prepare" the string for SQL before you actually run the statement.
Try the PHP function mysql_real_escape_string on your strings before you actually use them.
http://php.net/manual/en/function.mysql-real-escape-string.php
I suggest using $l_sDesc = htmlspecialchars($l_sDesc);
My query string is
$chk_cookie="SELECT * FROM cookie_data_mst WHERE uniqid_client=5279f0addc835 AND cookie_data=3";
$chk_query=mysql_query($chk_cookie) or die(mysql_error());
This gives the error "unknown column".
If I put ' in the value, i.e.
'5279f0addc835'
it gives the "check manual for syntax" error.
If I remove the first condition, i.e. uniqid_client=5279f0addc835, then it runs normally.
If I do string like
$chk_cookie="SELECT * FROM cookie_data_mst WHERE uniqid_client=".5279f0addc835." AND cookie_data=3";
or
$chk_cookie="SELECT * FROM cookie_data_mst WHERE uniqid_client='".5279f0addc835."' AND cookie_data=3";
It gives the same "check manual" error....
Another thing: if I run it in phpMyAdmin SQL, it gives the desired result.
What should I do? I am not able to get the error...
The 5279f0addc835 value I created with the PHP uniqid() function.
Try it like this:
$chk_cookie="SELECT * FROM cookie_data_mst WHERE uniqid_client='5279f0addc835' AND cookie_data=3";
I accept all the answers, but I think you should check your database data type and table data. If you have the wrong datatype and a blank field, then it will give an error.
You need to enclose uniqid_client=5279f0addc835 in single quotes as it is a VARCHAR type. Something like this
$chk_cookie="SELECT * FROM cookie_data_mst WHERE uniqid_client='5279f0addc835' AND cookie_data=3";
$chk_query=mysql_query($chk_cookie) or die(mysql_error());
Disclaimer: Stop using mysql_* functions as they are deprecated. Switch to MySQLi or PDO instead.
This is probably a common thing but I have a question. Allow apostrophes while still maintaining the mysql_real_escape_string() tag.
I have this: $name = stripslashes(mysql_real_escape_string($_POST['stadium_name']));
and I test it on this:
$getInfoX = mysql_fetch_array(mysql_query("SELECT * FROM `stadiums` WHERE `stadium_name` = '$stadium_name'")) or die(mysql_error());
I could do an example inject like x'; DROP TABLE members; -- or a name with apostrophes like Stade de l'Aube... but the name with apostrophes gets me an error like:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Aube'' at line 1
What do I do?
You chain the result of mysql_real_escape_string through stripslashes, which basically removes everything mysql_real_escape_string added for safety reasons.
So if you have $stadium_name = "Fred's Stadium"; as input, mysql_real_escape_string($stadium_name) returns "Fred\'s Stadium", which can be included into your query safely, generating
"SELECT * FROM `stadiums` WHERE `stadium_name` = 'Fred\'s Stadium'"
as the MySQL query. Calling stripslashes on the mysql_real_escape_string output removes the \ in front of the ', so you send the query
"SELECT * FROM `stadiums` WHERE `stadium_name` = 'Fred's Stadium'"
to MySQL, which thinks your string is 'Fred' followed by some garbage (which can turn out to be dangerous).
Solution is to use a separate variable to store the result of mysql_real_escape_string, as it is correct for usage in database queries but unsuitable to be displayed back to the user.
I hope this helps.
Regards
TC
Your problem is this:
$name = stripslashes(mysql_real_escape_string($_POST['stadium_name']));
stripslashes() undoes the escaping.
You've probably seen that function used as a workaround for magic_quotes. If you were to apply it, then do so before the database escaping function.
I'm trying to use odbc_prepare and odbc_execute in PHP as follows:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name='?'");
$res=odbc_execute($pstmt,array('version'));
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
The first var_dump returns true so the execute succeeds, but there is no row returned. A row does indeed exist with the param_name = 'version'. Why is no row returned?
To make things interesting, I ran another very simple example in php using a prepared insert.
$pstmt=odbc_prepare($odb_con,"insert into tmp1 values(?,'?')");
This line, by itself, inserted a row into the database!! Surely this is just wrong? The data entered was col 1 = blank, col 2 = ?
Any advice on where to start fixing this would be appreciated, thanks.
Edit: This is in PHP 5.2.8
Try removing the single quotes from the query string and adding them to the parameter value itself:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
The single space character at the beginning of the parameter value is very important: if the space is not there, it will treat the variable as a path to a file.
From http://www.php.net/manual/en/function.odbc-execute.php:
"If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name."
When I read this paragraph:
Any parameters in parameter_array which start and end with single quotes will be taken as the name of a file to read and send to the database server as the data for the appropriate placeholder.
If you wish to store a string which actually begins and ends with single quotes, you must add a space or other non-single-quote character to the beginning or end of the parameter, which will prevent the parameter from being taken as a file name. If this is not an option, then you must use another mechanism to store the string, such as executing the query directly with odbc_exec()).
It seems to me that it isn't necessary to add single quotes ' to a string, only if you really want to have the quotes as text in the DB.
Therefore, if I only want to insert the text without the single quotes, I would write something like this...
See this example from odbc-prepare:
http://www.php.net/manual/en/function.odbc-prepare.php
Use this example for IBM DB/2:
$q = "update TABLE set PASS=? where NAME=?";
$res = odbc_prepare ($con, $q);
$a = "secret"; $b="user";
$exc = odbc_execute($res, array($a, $b));
This would result in the following statement:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$name = "version";
$params = array($name);
$res=odbc_execute($pstmt,$params);
var_dump($res); //bool(true)
$row = odbc_fetch_array($pstmt);
var_dump($row); //bool(false)
See that I not only removed the quotes for the value in the params array but also removed the quotes in the SQL statement.
Please give feedback if this was right.
You should not enclose variables in quotes in a prepared statement:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array(" 'version'"));
should be:
$pstmt=odbc_prepare($odb_con,"select * from configured where param_name=?");
$res=odbc_execute($pstmt,array("version"));
Question marks represent parameter placeholders, the value passed is meant to represent an unescaped, unenclosed value, which will be properly escaped by the SQL interpreter.
EDIT:
Gah, ignore me, misread php.net
odbc_fetch_array accepts as its parameter the result of odbc_execute; you seem to be passing in the prepared statement.
What DBMS are you using? The fact that the lone insert prepare statement seems to be executed against the database rather than being prepared points to either a poor implementation of PHP (unlikely) or the DBMS not supporting prepared SQL. If the latter is the case, it is possible that their way of supporting the command without the functionality is just to execute the statement, leading to the results you get. If the DBMS does support prepared statements and the PHP implementation handles it properly, there is some kind of issue with the insert being executed which also needs some investigation.
Did you try using double quotes? i.e.
$res=odbc_execute($pstmt,array("version"));
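An added example (not from the question or any answer) that puts the thread's conclusions together: bare ? placeholders in the SQL, bare values in the parameter array, the statement resource passed to odbc_fetch_array(), and a guard for the file-name behaviour the php.net text quoted above documents. $odb_con, the table configured and the column param_name are from the question; the DSN and credentials are placeholders, and the wrapper function name is mine.

```php
<?php
// Added example: a small wrapper around odbc_prepare()/odbc_execute().
// The DSN and credentials are placeholders; "configured" and "param_name"
// come from the question. odbc_query_params() is a hypothetical helper name.

function odbc_query_params($con, string $sql, array $params)
{
    foreach ($params as $i => $value) {
        $value = (string) $value;
        // Documented odbc_execute() behaviour: a parameter that both begins and
        // ends with a single quote is taken as a file name, and the file's
        // contents are sent to the server instead. For user-supplied values
        // that is a file disclosure risk, so refuse such values outright
        // rather than silently padding them with a space.
        if (strlen($value) >= 2 && $value[0] === "'" && substr($value, -1) === "'") {
            throw new InvalidArgumentException("parameter $i would be treated as a file name");
        }
    }
    $stmt = odbc_prepare($con, $sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . odbc_errormsg($con));
    }
    if (!odbc_execute($stmt, $params)) {
        throw new RuntimeException("execute failed: " . odbc_errormsg($con));
    }
    return $stmt; // odbc_fetch_array() reads rows from the statement resource
}

$odb_con = odbc_connect("DSN=placeholder", "db-user", "db-password"); // placeholders

// No quotes around ? in the SQL and none around the value: quoting a bound
// parameter is the driver's job, which is why '?' in the question matched nothing.
$stmt = odbc_query_params($odb_con, "SELECT * FROM configured WHERE param_name = ?", array("version"));
while (($row = odbc_fetch_array($stmt)) !== false) {
    print_r($row);
}

// A value wrapped in single quotes never reaches the driver (constructed sample).
try {
    odbc_query_params($odb_con, "SELECT * FROM configured WHERE param_name = ?", array("'example.txt'"));
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

If a value that genuinely starts and ends with a single quote must be stored, the php.net text above gives the two options: pad it with a non-quote character, or run that statement through odbc_exec() with proper escaping instead of a bound parameter.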
I have read a lot about SQL injection. But it does not work with this code:
$inputform= $_GET["password"];
$query = "INSERT INTO user(password) VALUES ('".mysql_real_escape_string($inputform)."')";
For example, I use this example: O'Conner. When I submit it and look in my table, there is O'Connor and not O\'Conner.
Thanks.
The quote is escaped so that MySQL doesn't interpret it as a string delimiter. The backslash doesn't get stored in the database, and it's not supposed to either. What you're seeing is the correct, expected and documented behaviour.
The best solution, BTW, is to use PDO and parametrized queries.
mysql_real_escape_string() escapes the value so that the SQL parser for MySQL can interpret the value correctly when it stores the value; it is not actually stored in the database as an escaped string.
If you get O'Connor in your table, it's working properly. But try echo $query and you'll see the results of the escaping.
It works just fine! There shouldn't be "O\'Conner" in your database, just in the query. If it didn't work, your query wouldn't succeed, because the ' in O'Conner would ruin your query.
When you look in the table, it should be O'Connor - that means the string was escaped properly in the SQL. If it hadn't been escaped by mysql_real_escape_string, you probably would have ended up with a syntax error.
The query would end up as:
INSERT INTO user(password) VALUES ('O'Connor)
If you want the backslashes in the DB, try using addslashes before you pass it to mysql_real_escape_string, but you probably don't.
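An added example (not from either question or any of the answers) serving both this question and the earlier "Stade de l'Aube" stripslashes question: a tiny reader for MySQL single-quoted string literals, modelled on the server's default (backslash-escaping) sql_mode, so the effect of escaping, and of undoing it with stripslashes(), can be seen without a database. addslashes() stands in for mysql_real_escape_string(), which needs a live connection; both put a backslash before a single quote. The function names and the sample names are mine.

```php
<?php
// Added example: model what the MySQL parser does with a single-quoted literal.
// read_string_literal() and quoted_literal() are hypothetical helper names;
// addslashes() stands in for mysql_real_escape_string() (which needs a connection).

// Read one single-quoted literal from the start of $sql. Returns the decoded
// value (what the server would store) and the SQL text left after the closing quote.
function read_string_literal(string $sql): array
{
    if ($sql === '' || $sql[0] !== "'") {
        throw new InvalidArgumentException("expected a quoted literal");
    }
    $value = '';
    $len = strlen($sql);
    for ($i = 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $value .= $sql[++$i];                 // backslash escape: next char is literal
        } elseif ($c === "'" && $i + 1 < $len && $sql[$i + 1] === "'") {
            $value .= "'";                        // doubled quote is also an escaped quote
            $i++;
        } elseif ($c === "'") {
            return array('value' => $value, 'rest' => substr($sql, $i + 1));
        } else {
            $value .= $c;
        }
    }
    throw new InvalidArgumentException("unterminated string literal");
}

// Build the quoted literal as the two questions' code does, optionally
// repeating the stadium question's mistake of stripslashes() after escaping.
function quoted_literal(string $raw, bool $undo_with_stripslashes = false): string
{
    $escaped = addslashes($raw);
    if ($undo_with_stripslashes) {
        $escaped = stripslashes($escaped);
    }
    return "'" . $escaped . "'";
}

$samples = array("O'Connor", "Fred's Stadium", "Stade de l'Aube"); // constructed inputs
foreach ($samples as $raw) {
    $good = quoted_literal($raw);
    $parsed = read_string_literal($good);
    // The parser consumes the backslash: the stored value equals the input,
    // which is why the table shows O'Connor and not O\'Connor.
    printf("%-16s query text %-20s stored value: %s\n", $raw, $good, $parsed['value']);

    $bad = quoted_literal($raw, true);
    $parsed = read_string_literal($bad);
    // The literal now ends at the first quote; what follows is parsed as SQL,
    // which is the syntax error the stadium question reports.
    printf("%-16s query text %-20s stored value: %s, leftover SQL: %s\n",
        '', $bad, $parsed['value'], $parsed['rest']);
}
```

The leftover text after the prematurely closed literal is exactly the "near 'Aube''" fragment quoted in the stadium question's error message, and it is also the position where injected SQL would run if the leftover came from a user.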