SQLSTATE[HY093]: Invalid parameter number: no parameters were bound zend - php

I am preventing access to some content for unauthorized users. My condition works well, but while accessing this controller I am getting an error.
Please help me out.
    $offer = new Application_Model_DbTable_Offers();
    $query = $offer->fetchAll($offer->select()
        ->from('vs_offers')
        ->where('id = ?', $o_id)
        ->where('campaign_id IN (SELECT id from vs_campaign WHERE advertiser_id = ?)', $this->sessiondata->id));
    if (count($query) < 1) {
        $this->_helper->flashMessenger->addMessage('Unauthorized access');
        $this->_redirect('offers/');
        exit;
    }

Use of the IN clause is a bit different in Zend. One way is to use Zend_Db_Expr to perform the IN clause operation, like:
    ->where(new Zend_Db_Expr(sprintf('campaign_id IN
        (SELECT id from vs_campaign WHERE advertiser_id = %1$d)',
        $this->sessiondata->id)));
Another way is using a subquery.

Highly likely that one of your parameters is null:
$o_id or $this->sessiondata->id
Reference to an old answer - ZF: Invalid parameter number: no parameters were bound Error

Related

Laravel query return an Invalid parameter number error

I am trying to pass some parameters to my query but I get this error:
Illuminate\Database\QueryException: SQLSTATE[HY093]: Invalid parameter number (SQL: select username, groupname from `radusergroup` where username like '00:00:00:00:00:00%') in file /home/gwendal/Documents/radius/vendor/laravel/framework/src/Illuminate/Database/Connection.php on line 742
My query looks like this:
    $user = DB::connection('freeradius')
        ->table('radusergroup')
        ->selectRaw('username, groupname')
        ->whereRaw("username like '?%'", [$mac])
        ->get();
I figured out a way to make my raw query work.
I was trying to put the value of the $whereStatement variable directly in the whereRaw and this kept on giving me an error.
Putting the statement in a variable worked.
    $whereStatement = "username like '" . $mac . "%'";
    $user = DB::connection('freeradius')
        ->table('radusergroup')
        ->whereRaw($whereStatement)
        ->selectRaw('username, groupname')
        ->get();
Hope this helps someone else with the same problem.

SQLSTATE[HY093]: Invalid parameter number: parameter was not defined (php + pdo)

I have this query that works without the inner join:
    $sql = 'SELECT prodotti.nome, prodotti.prezzo, prodotti.sku, prodotti.produttore, fornitori.nome
            FROM prodotti INNER JOIN fornitori
            ON prodotti.fornitori_id = fornitori.id
            WHERE prodotti.id = :prodotti.id';
    $id = 1; // for example
    // $this->db is the connection
    $stmt = $this->db->prepare($sql);
    $stmt->bindParam(':prodotti.id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $prodlist[$id] = $results;
    var_dump($prodlist);
If I run it I get this error:
Fatal error: Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in ........
It seems that the error lies in the WHERE, and in particular, reading online, I discovered that it could be a problem to do this: WHERE prodotti.id = :prodotti.id;
they suggest doing, for example: WHERE prodotti.id = :id'; and then the same thing in the bindParam: $stmt->bindParam(':id', $id, PDO::PARAM_INT);
in fact, doing so works halfway, in the sense that it gives me back the data from the first table, 'products', ignoring the second, 'suppliers'.
Can anyone tell me where I am wrong? Thanks
If I run this query in the SQL section of the DB it works.
    SELECT prodotti.nome, prodotti.prezzo, prodotti.sku, prodotti.produttore, fornitori.nome
    FROM prodotti INNER JOIN fornitori
    ON prodotti.fornitori_id = fornitori.id
    WHERE prodotti.id = 1
As some users have pointed out to me elsewhere, and in fact it partially solves the problem, the dot cannot be used in the binding, as reported in the guide at this link:
https://phpdelusions.net/pdo
"Note that PDO supports positional (?) and named (:email) placeholders, the latter always begins from a colon and can be written using letters, digits and underscores only. Also note that no quotes have to be ever used around placeholders."
Now it works correctly! Thanks
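An added example, written for this page and not taken from any of the posts above, covering the three HY093 variants seen so far: Zend's null value leaving a bare ? in the SQL (first question), Laravel's ? inside a quoted string (second question) and the :prodotti.id name (this question). It is PHP/PDO. scanPlaceholders() is a simplified stand-in for the scan PDO itself performs over the SQL text when it emulates prepares, diagnoseBinding() is a hypothetical helper of this example that names the mismatch it finds, and the alias demo at the end uses an in-memory SQLite database with constructed tables and rows:

```php
<?php
declare(strict_types=1);
// Added example, not code from any of the questions or answers on this page.
// PDO counts placeholders by scanning the SQL text, so each HY093 failure is a
// way that scan disagrees with what was bound. scanPlaceholders() is a
// simplified stand-in for that scan: it skips quoted strings, backticked
// identifiers, comments, "::" casts and the "??" escape; backslash-escaped
// quotes are not handled.

function scanPlaceholders(string $sql): array
{
    $positional = 0;
    $named = [];
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === "'" || $c === '"' || $c === '`') {
            // Skip to the matching quote; a doubled quote is an escaped quote.
            for ($i++; $i < $len; $i++) {
                if ($sql[$i] === $c) {
                    if ($i + 1 < $len && $sql[$i + 1] === $c) { $i++; continue; }
                    break;
                }
            }
        } elseif (substr($sql, $i, 2) === '--') {
            $nl = strpos($sql, "\n", $i);
            $i = $nl === false ? $len : $nl;
        } elseif (substr($sql, $i, 2) === '/*') {
            $end = strpos($sql, '*/', $i + 2);
            $i = $end === false ? $len : $end + 1;
        } elseif ($c === '?') {
            if (substr($sql, $i, 2) === '??') { $i++; continue; }   // literal "?"
            $positional++;
        } elseif ($c === ':') {
            if (substr($sql, $i, 2) === '::') { $i++; continue; }   // cast, not a placeholder
            // A named placeholder is ":" followed by letters, digits and underscores only.
            if (preg_match('/^:[A-Za-z0-9_]+/', substr($sql, $i), $m)) {
                $named[] = $m[0];
                $i += strlen($m[0]) - 1;
            }
        }
    }
    return [$positional, array_values(array_unique($named))];
}

// Hypothetical helper: names the mismatch using the three HY093 wordings quoted on this page.
function diagnoseBinding(string $sql, array $params): string
{
    [$positional, $named] = scanPlaceholders($sql);
    $tokens = $positional + count($named);
    if ($tokens > 0 && $params === []) {
        return 'no parameters were bound';
    }
    foreach (array_keys($params) as $key) {
        if (is_string($key) && !in_array(':' . ltrim($key, ':'), $named, true)) {
            return "parameter was not defined ($key)";
        }
    }
    if (count($params) !== $tokens) {
        return 'number of bound variables does not match number of tokens';
    }
    return 'ok';
}

$cases = [
    // Zend question: sessiondata->id was null, so Zend left the "?" in and bound nothing.
    ['id = 1 AND campaign_id IN (SELECT id FROM vs_campaign WHERE advertiser_id = ?)', []],
    // Laravel question: the "?" sits inside a string literal, so there is no placeholder.
    ["username like '?%'", ['00:00:00:00:00:00']],
    ['username like ?', ['00:00:00:00:00:00%']],          // fix: the whole pattern is the value
    // PDO question: ":prodotti.id" scans as ":prodotti" followed by ".id".
    ['prodotti.id = :prodotti.id', [':prodotti.id' => 1]],
    ['prodotti.id = :id', [':id' => 1]],
];
foreach ($cases as [$sql, $params]) {
    printf("%-78s %s\n", $sql, diagnoseBinding($sql, $params));
}

// Second half of the PDO question: two columns both called "nome" collapse to
// one key under FETCH_ASSOC, so alias them. Constructed tables and rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE fornitori (id INTEGER PRIMARY KEY, nome TEXT)');
$pdo->exec('CREATE TABLE prodotti (id INTEGER PRIMARY KEY, nome TEXT, fornitori_id INTEGER)');
$pdo->exec("INSERT INTO fornitori VALUES (1, 'Acme Srl')");
$pdo->exec("INSERT INTO prodotti VALUES (1, 'Widget', 1)");

$join = 'FROM prodotti INNER JOIN fornitori ON prodotti.fornitori_id = fornitori.id WHERE prodotti.id = :id';
$stmt = $pdo->prepare("SELECT prodotti.nome, fornitori.nome $join");
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetch(PDO::FETCH_ASSOC));   // only one "nome" key survives

$stmt = $pdo->prepare("SELECT prodotti.nome AS prodotto, fornitori.nome AS fornitore $join");
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetch(PDO::FETCH_ASSOC));   // prodotto => Widget, fornitore => Acme Srl
```

Run it with php from the command line; it needs the pdo_sqlite extension. For the Laravel case the practical fix is `->whereRaw('username like ?', [$mac . '%'])` or `->where('username', 'like', $mac . '%')`, which binds the whole pattern instead of concatenating $mac into the SQL; if $mac is user-controlled, escape % and _ in it first, since both are LIKE wildcards.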

Why is a mysqli QUERY working, but the same PREPARED statement version returning an SQL syntax error?

OK, so I have gone round and round with this now for 2 hours and cannot figure out where the so-called SQL syntax error is. I finally re-wrote the prepared statement as a standard query - and it works fine, literally identical syntax.
Prepared Statement Code: (NOT working)
    if ($account_info = $mysqli->prepare("SELECT users.specid, users.username ?
                                          FROM users ? WHERE users.id = ?")) {
        //A SWITCH to determine bind_param and bind_result
    } else {
        //Error output
    }
The above results in the following MYSQL error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '? FROM users ? WHERE users.id = ?' at line 1
Now if I literally change the '?' to $variables and make the prepared statement into a normal query like:
    if ($account_info = $mysqli->query("SELECT users.specid, users.username $param1
                                        FROM users $param2 WHERE users.id = $param3")) {
        //Fetch array and set variables to results
    } else {
        //Error output
    }
The above code WORKS as expected with no errors.
For those curious what the $variables are in the specific switch case I'm testing:
    $param1 = ', tenants.paper';
    $param2 = ', tenants';
    $param3 = $_SESSION['user_id'].' AND tenants.id = users.specid';
So why does one work but not the other when they have the same syntax??? It doesn't even get to the bind_param part!? I'd prefer to use the prepared statement method.
You can't pass an object name (table name or column name) as a param.
So users.username ? and users ? as you are trying to use them are wrong.
Passing a param is not a string substitution.
This kind of action is disallowed by param binding
and you should avoid this, but if you really need it then try string concatenation.
You only bind values for parameter bindings. Not parts of SQL. ::bind_param
What you are trying to do with $param1 = ', tenants.paper'; is already SQL injection. Prepared statements are built to prevent this.
You should make a method per query instead of a generic query.
You cannot bind complex query parts and columns in a query. I also don't understand why you need to parametrise strings you explicitly set in your code.
Do this instead:
    $param = $_SESSION['user_id'];
    if ($account_info = $mysqli->prepare("SELECT users.specid, users.username, tenants.paper
                                          FROM users JOIN tenants ON tenants.id=users.specid WHERE users.id = ?")) {
        //A SWITCH to determine bind_param and bind_result
    } else {
        //Error output
    }
If you (at any point in the future) need to escape column names from user input (though you shouldn't allow users such power to begin with) do this:
    $columnNameFromUserInput = $_GET["column"];
    $columnNameFromUserInput = "`".str_replace("`","",$columnNameFromUserInput)."`";
This should be enough.
Do not put query segments that have parts that need escaping in a variable. Put the parts that need escaping in their own separate variables so you can bind them; that is the whole idea here.
Example:
    $param1 = ', tenants.paper'; // Bad: has a comma in it, should be `tenants`.`paper` and the comma should go in the query itself
    $param2 = ', tenants'; // Bad, and you should use JOIN anyway, as in any SQL dialect after 1992
    // The next part is very, very bad.
    // You have something that needs escaping mixed with things that compose a query. Split them.
    $param3 = $_SESSION['user_id'].' AND tenants.id = users.specid';
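The answers above say not to bind identifiers but stop short of showing the pattern they recommend. Here is an added example, not code from the question or the answers, that does what the last answer suggests: a fixed query per case, plus an allowlist for any user-chosen column. It is PHP with PDO against an in-memory SQLite database so it runs without a MySQL server; the same rule holds for mysqli::prepare() and bind_param(). The table and column names follow the question; the rows and the 'plain' account type are constructed for the example:

```php
<?php
declare(strict_types=1);
// Added example, not from the question or the answers. Identifiers (columns,
// tables, JOIN clauses) cannot be bound, so the per-case SQL is chosen from a
// fixed map in code and only the values go through placeholders.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Constructed schema and rows; names follow the question.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, specid INTEGER)');
$pdo->exec('CREATE TABLE tenants (id INTEGER PRIMARY KEY, paper TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 10), (2, 'bob', NULL)");
$pdo->exec("INSERT INTO tenants VALUES (10, 'lease-2019.pdf')");

// Every account type maps to a complete, static query. Nothing from the
// request is ever concatenated into the SQL text. ('plain' is a constructed case.)
const ACCOUNT_QUERIES = [
    'tenant' => 'SELECT users.specid, users.username, tenants.paper
                   FROM users JOIN tenants ON tenants.id = users.specid
                  WHERE users.id = ?',
    'plain'  => 'SELECT users.specid, users.username FROM users WHERE users.id = ?',
];

function fetchAccount(PDO $pdo, string $accountType, int $userId): ?array
{
    if (!array_key_exists($accountType, ACCOUNT_QUERIES)) {
        throw new InvalidArgumentException("unknown account type: $accountType");
    }
    $stmt = $pdo->prepare(ACCOUNT_QUERIES[$accountType]);
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);      // the only runtime input
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Sorting by a user-chosen column: same idea, map the request value to a
// known identifier instead of trying to bind or escape it.
function orderedUsernames(PDO $pdo, string $requestedColumn): array
{
    $allowed = ['id' => 'users.id', 'name' => 'users.username'];
    $column = $allowed[$requestedColumn] ?? $allowed['id'];   // default, never the raw input
    $stmt = $pdo->query("SELECT users.username FROM users ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(fetchAccount($pdo, 'tenant', 1));   // specid 10, alice, lease-2019.pdf
var_dump(fetchAccount($pdo, 'tenant', 2));   // NULL: bob has no tenant row
var_dump(orderedUsernames($pdo, 'name'));    // alice, bob
var_dump(orderedUsernames($pdo, '1; DROP TABLE users'));   // falls back to id order
```

Choosing the identifier from a fixed map in code is stronger than quoting it: there is no escaping rule to get wrong and no path for request input into the SQL text at all. The user id is the only value that ever goes through a placeholder, which is exactly what placeholders are for.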

SQL LIMIT: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

I am using PDO to retrieve data from php. I am trying to use limit function but sadly it did not work. I searched around the forum for similar questions and found answers similar to what I tried below. But I get the same warning. I am relatively new to PDO. Am I doing something wrong?
    $limit = 5;
    $users = $db->prepare("SELECT code,name from Portion where name LIKE '%$t%' LIMIT :limit");
    $users->bindParam(':limit', $limit, PDO::PARAM_INT);
    $users->execute(['query' => "{$_GET['query']}%"]);
When you want to fill in parameters of a PDO query, you either
Use bindParam() or bindValue() to bind them before calling execute(), or
Provide an array of values as an argument to execute().
You can't mix them -- when you supply the array argument, that overrides the bindParam settings. Since you're passing an array argument to execute() (although for no apparent reason, since there's no :query parameter in the SQL), the :limit parameter is being lost.
Change your code to:
    $limit = 5;
    $users = $db->prepare("SELECT code,name from Portion where name LIKE CONCAT('%', :pattern, '%') LIMIT :limit");
    // Bind :limit explicitly as an integer: values passed through the execute() array are
    // sent as strings, and with emulated prepares MySQL rejects LIMIT '5'.
    $users->bindValue(':pattern', $t, PDO::PARAM_STR);
    $users->bindValue(':limit', (int) $limit, PDO::PARAM_INT);
    $users->execute();

mysqli_stmt::execute(): invalid object or resource mysqli_stmt getting error when connect three databases

I am getting a mysqli_stmt::execute(): invalid object or resource mysqli_stmt error for database3 when I am trying to connect with three databases. Here is my code:
    global $db;
    $stmt = $db->stmt_init();
    global $db2;
    $stmt2 = $db2->stmt_init();
    global $db3;
    $stmt3 = $db3->stmt_init();
    /*****************Database3************/
    /*** Icube ***/
    $stmt->prepare("SELECT n.offer_id, n.name, n.net_provider, s.description, p.payout, q.categories FROM affilate_offer_findall_icube n
        LEFT OUTER JOIN affiliate_offe_findbyid_icube s ON s.offer_id = n.offer_id
        LEFT OUTER JOIN affiliate_offer_getpayoutdetails_icube p ON p.offer_id = s.offer_id
        LEFT OUTER JOIN affiliate_offer_get_categories_icube q ON q.offer_id = p.offer_id WHERE
        n.visible='1'
    ");
    $stmt->execute();
    mysqli_stmt_execute($stmt); // <--------- currently missing!!!
    mysqli_stmt_store_result($stmt);
    $rows = mysqli_stmt_num_rows($stmt);
    $stmt->bind_result($offer_id, $name, $net_provider, $description, $payout, $categories);
    $storeid = 0;
    while ($info = $stmt->fetch()) {
        $storeid += 1;
        $values3_icube[] = '("'.$storeid.'", "'.$offer_id.'", "'.$name.'", "'.$net_provider.'", "'.$description.'", "'.$notes.'", "'.$payout.'", "'.$categories.'")';
    }
    $stmt3->prepare("REPLACE INTO main_vendor_db(store_id, offer_id, name, net_provider, description, cashback, categories) VALUES".implode(',', $values3_icube));
    $stmt3->execute();
I am getting the error here:
    $stmt3->prepare("REPLACE INTO main_vendor_db(store_id,offer_id, name,net_provider,description,cashback,categories) VALUES".implode(',', $values3_icube));
There is so much inconsistency in your code that it's no wonder it fails somewhere.
First of all, you aren't actually using prepared statements, sending raw SQL instead. So, all the hassle is in vain.
Second, all these remarks like // <--------- currently missing!!! make it positively impossible to answer. How are we expected to regard this comment?
Third, mysqli_stmt::execute() clearly says that the error occurred with execute, while you are indicating the line with prepare. And, judging by the error message, the mysqli_stmt::execute() in question is likely the commented line from above.
Fourth, this is apparently incomplete code and an incomplete error message.
Fifth, you are implementing MySQL's auto_increment feature by hand.
Sixth, three databases, taken with all the above, seem very peculiar.
Let me advise you to ask a completely different question, regarding the task you are trying to solve, and get the proper way to do so.
According to mysqli_stmt::execute documentation
Any subsequent calls to any mysqli_stmt function will fail until mysqli_stmt_prepare() was called.
Also check-
Problem with multiple prepared statements
Warning: mysqli_stmt::close() [mysqli-stmt.close]: invalid object or resource mysqli_stmt... why?
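Added example (not the poster's code) showing the copy the question attempts, reading offers from one connection and REPLACE-ing them into another, done the way the first answer asks for: values bound per row instead of quoted by hand into one VALUES list, and store_id left to the database's auto-increment. It is PHP/PDO with two in-memory SQLite connections standing in for $db and $db3, so it runs without MySQL; the source's four joined tables are collapsed into one constructed table with the same columns, and the rows are constructed too:

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers.

$opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
$source = new PDO('sqlite::memory:', null, null, $opts);   // stands in for $db
$target = new PDO('sqlite::memory:', null, null, $opts);   // stands in for $db3

// Constructed source table: the question's four joined tables collapsed into one.
$source->exec('CREATE TABLE affilate_offer_findall_icube (
    offer_id INTEGER, name TEXT, net_provider TEXT, visible TEXT,
    description TEXT, payout TEXT, categories TEXT)');
// The description holds quotes: a hand-built VALUES string breaks on (or is
// injectable through) input like this; a bound value is not.
$source->exec("INSERT INTO affilate_offer_findall_icube VALUES
    (101, 'Shoes',  'icube', '1', 'Men''s \"summer\" line', '2.50', 'fashion'),
    (102, 'Hidden', 'icube', '0', 'not visible',            '1.00', 'misc')");

// store_id is assigned by the database instead of being counted by hand.
$target->exec('CREATE TABLE main_vendor_db (
    store_id INTEGER PRIMARY KEY AUTOINCREMENT,
    offer_id INTEGER UNIQUE, name TEXT, net_provider TEXT,
    description TEXT, cashback TEXT, categories TEXT)');

function syncOffers(PDO $source, PDO $target): int
{
    // Read side: a real prepared statement, with the visibility flag bound.
    $read = $source->prepare('SELECT offer_id, name, net_provider, description, payout, categories
                                FROM affilate_offer_findall_icube WHERE visible = ?');
    $read->execute(['1']);

    // Write side: prepared once, executed once per row with bound values.
    $write = $target->prepare('REPLACE INTO main_vendor_db
        (offer_id, name, net_provider, description, cashback, categories)
        VALUES (:offer_id, :name, :net_provider, :description, :cashback, :categories)');

    $target->beginTransaction();
    $copied = 0;
    try {
        while ($row = $read->fetch(PDO::FETCH_ASSOC)) {
            $write->execute([
                ':offer_id'     => $row['offer_id'],
                ':name'         => $row['name'],
                ':net_provider' => $row['net_provider'],
                ':description'  => $row['description'],
                ':cashback'     => $row['payout'],
                ':categories'   => $row['categories'],
            ]);
            $copied++;
        }
        $target->commit();
    } catch (Throwable $e) {
        $target->rollBack();   // all-or-nothing: no half-copied vendor table
        throw $e;
    }
    return $copied;
}

echo syncOffers($source, $target), " row(s) copied\n";   // 1 (offer 102 is not visible)
print_r($target->query('SELECT store_id, offer_id, description FROM main_vendor_db')
               ->fetchAll(PDO::FETCH_ASSOC));
```

With mysqli the shape is the same: prepare once, bind_param per row, execute in a loop inside a transaction. Note that REPLACE deletes the conflicting row before inserting, so an offer that already exists gets a new store_id; if that id must stay stable, use INSERT ... ON DUPLICATE KEY UPDATE (MySQL) or INSERT ... ON CONFLICT DO UPDATE (SQLite 3.24+) instead.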
