Is this MySQLi safe? [closed] - php

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
I wanted to do the following thing with MySQLi statements or PDO, but I experienced a lot of errors on my server.
Please check if the following example code, which I wrote myself to learn, is okay for safety and if it is okay to use it. Hopefully the following code will also help new MySQLi users learn at least how to start with MySQLi:
<?php
$host = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "db_name";
$db = mysqli_connect($host, $username, $password, $dbname);
if(mysqli_connect_errno())
{
die("Connection could not be established");
}
$username = mysqli_real_escape_string($db, $_GET['user']);
$query = ("SELECT * FROM members WHERE profile='$username' ORDER BY id DESC LIMIT 1");
$result = mysqli_query($db, $query);
while($row = mysqli_fetch_array($result))
{
?>
PROFILE VIEW
<br>Name: <?php echo $row['nombre']?> ID: <?php echo $row['Age']?> <br />
<?php
}
?>
All working fine. If somebody can make it safer, I'd appreciate it.

I'd go with this.
<?php
$host = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "db_name";
$db = mysqli_connect($host, $username, $password, $dbname);
if(mysqli_connect_errno()) {
die("Connection could not be established");
}
$username = $_GET['user'];
$query = $db->prepare("SELECT * FROM `members` WHERE `profile` = ? ORDER BY `id` DESC LIMIT 1");
$query->bind_param('s', $username);
$query->execute();
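// mysqli_stmt has no fetch_row(); read rows from the result set (get_result() requires mysqlnd)
$result = $query->get_result();
while($row = $result->fetch_assoc()) { ?>
<br />Name: <?php echo $row['nombre']; ?> ID: <?php echo $row['Age']; ?> <br /><?php
} ?>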

Related

How to use PHP SQL with where Clause? [duplicate]

This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
I want to select an email from the DB which needs to return the related Account_ID
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "connected accounts details";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT acc_id FROM users
WHERE
email = $user_email";
$result = $conn->query($sql);
echo "$result";
$conn->close();
This code returns nothing, just blank.
While using the same connection/db data is being inserted in db successfully.
Try this code
// Php Sql Select From DB....
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "connected accounts details";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT `acc_id` FROM `users` WHERE `email` = ?";
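// prepare() returns the statement object; assign it instead of dereferencing $result
$result = $conn->prepare($sql);
$result->bind_param('s',$user_email);
$result->execute();
$data = $result->get_result();
// Fetch all rows into an array and print the array, not the result object
$rows = $data->fetch_all(MYSQLI_ASSOC);
print_r($rows);
$conn->close();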
// #link http://php.net/manual/en/mysqli-result.fetch-all.php
$sql = "SELECT acc_id FROM users
WHERE
email LIKE '%$user_email%' ";
$result = mysqli_query($conn, $sql);
$row = $result->fetch_assoc();
$id = $row['acc_id'];
echo "$id";
$conn->close();
Got the wanted Record, trying this way.
Thanks everyone answering on this post.

How To Get a Single Number From a Database in PHP [duplicate]

This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 6 years ago.
I need to echo the number 1 or 0, whatever the database has in that cell. I can't seem to get it to work. What am I doing wrong, people of the internet?
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "testfp";
$conn = new mysqli($servername, $username, $password, $dbname);
$sql = "SELECT hookup FROM testfp WHERE name = 100100" ;
$bob = mysql_query($sql);
echo $bob;
?>
You cannot use mysql and mysqli together. So you can try the following code (using mysqli only, since mysql is deprecated):
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "testfp";
$conn = new mysqli($servername, $username, $password, $dbname);
//Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT hookup FROM testfp WHERE name = 100100" ;
$result = $conn->query($sql);
if($result->num_rows>0)
{
while($row = $result->fetch_assoc()) {
echo $row["hookup"];
}
}
else
{
echo "No results found!";
}
?>

PHP SQL - Inserting into a table [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 7 years ago.
I have a problem dear stackoverflowers, could someone please help me out?
This is my code:
<?php
$host = "localhost";
$user = "root";
$pass = "password";
$db = "hotelcalifornia";
$room_Number = ($_POST['Room_Number']);
$room_Category = ($_POST['Room_Category']);
$room_Description = ($_POST['Room_Description']);
$room_Detail = ($_POST['Room_Detail']);
$conn = mysql_connect($host, $user, $pass);
$db = mysql_select_db($db, $conn);
mysql_select_db($db, $conn);
$sql = "INSERT TO room (roomNumber, roomCategory, roomDescription,roomDetail) VALUES ('$room_Number','$room_Category', '$room_Description','$room_Detail')";
mysql_query($sql, $conn);
?>
Can someone tell me why I can't insert this data into my table in the database?
It's not INSERT TO, it's INSERT INTO. Thus you shouldn't use mysql functions; instead use mysqli functions, as your code is vulnerable to SQL injection.
$host = "localhost";
$user = "root";
$pass = "password";
$db = "hotelcalifornia";
$conn = new mysqli($host, $user, $pass, $db);
$room_Number = $_POST['Room_Number'];
$room_Category = $_POST['Room_Category'];
$room_Description = $_POST['Room_Description'];
$room_Detail = $_POST['Room_Detail'];
$sql = "INSERT INTO room (roomNumber, roomCategory, roomDescription,roomDetail) VALUES (?,?,?,?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param('iiss', $room_Number, $room_Category, $room_Description, $room_Detail);
if ($stmt->execute()) {
if($stmt->affected_rows > 0){
echo "New record created successfully";
}
} else {
echo "Error: " . $sql . "<br>" . $stmt->error;
}
$stmt->close();
Within the line $stmt->bind_param('iiss', $room_Number, $room_Category, $room_Description, $room_Detail); i corresponds to integer and s corresponds to string, in the order of the variables; I assume $room_Number and $room_Category are integer values and $room_Description and $room_Detail are string values.
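An added example (not part of any post on this page) for the prepared-statement fixes suggested here, both the profile lookup and this INSERT: it runs the interpolated and the bound form of the INSERT against the same constructed input. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; the function names and sample values are hypothetical.

```php
<?php
// Added example with constructed data. In-memory SQLite (an assumption) keeps it runnable
// without a MySQL server; the same PDO calls work unchanged with a "mysql:" DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE room (roomNumber INTEGER, roomCategory INTEGER,
            roomDescription TEXT, roomDetail TEXT)');

// Constructed form input: an ordinary apostrophe is enough to show the difference.
$input = ['Room_Number' => '101', 'Room_Category' => '2',
          'Room_Description' => "King's suite", 'Room_Detail' => 'Sea view'];

// Interpolated form, as in the question: the input becomes part of the SQL text,
// so the apostrophe ends the string literal early and changes the statement.
function insert_interpolated(PDO $pdo, array $in): string
{
    $sql = "INSERT INTO room (roomNumber, roomCategory, roomDescription, roomDetail)
            VALUES ('{$in['Room_Number']}', '{$in['Room_Category']}',
                    '{$in['Room_Description']}', '{$in['Room_Detail']}')";
    try {
        $pdo->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'statement rejected: input altered the SQL';
    }
}

// Bound form: the SQL text is fixed and each value travels separately with a type.
function insert_bound(PDO $pdo, array $in): bool
{
    // Validate the numeric fields before they reach the database.
    $number   = filter_var($in['Room_Number'], FILTER_VALIDATE_INT);
    $category = filter_var($in['Room_Category'], FILTER_VALIDATE_INT);
    if ($number === false || $category === false) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO room (roomNumber, roomCategory, roomDescription, roomDetail)
                           VALUES (:num, :cat, :descr, :detail)');
    $stmt->bindValue(':num', $number, PDO::PARAM_INT);
    $stmt->bindValue(':cat', $category, PDO::PARAM_INT);
    $stmt->bindValue(':descr', $in['Room_Description'], PDO::PARAM_STR);
    $stmt->bindValue(':detail', $in['Room_Detail'], PDO::PARAM_STR);
    return $stmt->execute();
}

echo insert_interpolated($pdo, $input), "\n";
var_dump(insert_bound($pdo, $input));
$row = $pdo->query('SELECT roomDescription FROM room')->fetch(PDO::FETCH_ASSOC);
// Encode on output so the stored text is never interpreted as HTML.
echo htmlspecialchars($row['roomDescription'], ENT_QUOTES, 'UTF-8'), "\n";
```

With mysqli, the typed binding shown here corresponds to the 'iiss' string passed to bind_param() in the answer above.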

why its not working to me [duplicate]

This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 7 years ago.
I want to get the backgroundColor of the Name headerBackground and it's not printing anything, can you please help me?
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "DB#1";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT backgroundColor FROM background WHERE Name = 'headerBackground'";
$result = mysql_query($sql);
while($row = mysql_fetch_assoc($result)) {
echo $row['backgroundColor'];
}
You mix up mysqli and mysql api, so just use PDO uniformly as given:
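$dbc = new PDO('mysql:host=localhost;dbname='.$database, $user, $password);
$sql = "SELECT backgroundColor FROM background WHERE Name = :n";
$stmt = $dbc->prepare($sql);
// bindParam() binds a variable by reference and rejects a literal; bindValue() accepts one
$stmt->bindValue(':n', "headerBackground");
$stmt->execute();
// rowCount() is not reliable for SELECT in PDO; test the fetched row instead
$data = $stmt->fetch(PDO::FETCH_ASSOC);
if($data !== false){
$headerB = $data['backgroundColor']; // the selected column is backgroundColor
}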

php unable to select data [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 7 years ago.
I'm trying to select a SINGLE value from the mysql database. I have run the query in phpmyadmin and it works great. But when I echo the $result, I get nothing... By the way, for the database and password I use xxx because I don't want to show it... My insert query works very well.
Thanks
<?php
//Create Connection
$servername = "localhost";
$username = "root";
$password = "xxx";
$dbname = "xxx";
//Connect
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT StartPriceUnder FROM YJ_Value";
$result = $conn->query($sql);
echo "hi";
echo $result;
echo "ya";
$conn->close();
?>
Try this:
<?php
$servername = "localhost";
$username = "root";
$password = "xxx";
$dbname = "xxx";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT StartPriceUnder FROM YJ_Value";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "StartPriceUnder:" . $row["StartPriceUnder"];
}
}
else {
echo "0 results";
}
$conn->close();
?>
You have to fetch your result, so do something like this:
$row = $result->fetch_array(MYSQLI_ASSOC);
After this you can echo it like this:
echo $row["StartPriceUnder"];
For more information about fetch_array() see the manual: http://php.net/manual/en/mysqli-result.fetch-array.php
