mysql_num_rows and SQL injection [closed] - php

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Is it safe to use this code?
$check = mysql_query("SELECT id FROM table WHERE nick='asd'");
$count = mysql_num_rows($check);
I just need number of rows. id is AUTO_INCREMENT

If 'asd' is a constant and not related to any (user) input, then yes it is safe.
Otherwise you should replace it with a bind variable and use prepared statements, or at least escape it properly. (But it is easy to forget escaping, so it is a better practice to try to use bind variables instead.)

NO. Absolutely not.
First of all, read up on MySQLi. The i stands for improved. Secondly, use prepared statements. This prevents injection. Read up on that here.
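// mysqli takes host, user, password, database, in that order
$db = new mysqli("localhost", "DATABASE-USER", "DATABASE-PASS", "DATABASE-NAME");
$check = $db->prepare("SELECT `id` FROM `table` WHERE `nick` = ?");
$check->bind_param('s', $nickVar);
$check->execute();
$check->store_result(); // buffer the result so num_rows is populated
$count = $check->num_rows;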
Don't take the easy way out. Keep doing things safe until it comes naturally. I used to be all about quick hacks, quickly get it to work, quickly write some things down, but in the end, it's best to get used to good practice.
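
The difference the two answers above describe, as an added example that is not part of the original posts: the same row count done by string concatenation and with a bound parameter. It uses PDO with an in-memory SQLite database so it runs without a server; the users table, its rows and both function names are constructed for illustration.

```php
<?php
// Added example (not from the original posts). PDO with an in-memory SQLite
// database stands in for MySQL; table name and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, nick TEXT)");
$pdo->exec("INSERT INTO users (nick) VALUES ('asd'), ('bob'), ('carol')");

// Unsafe: the value becomes part of the SQL text, so quotes in it change the query.
function countConcatenated(PDO $pdo, string $nick): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE nick = '$nick'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Safe: the SQL text is fixed; the value travels separately as a bound parameter.
function countBound(PDO $pdo, string $nick): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE nick = ?");
    $stmt->execute([$nick]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a plain nick, and one carrying a quote and SQL keywords.
$inputs = ["asd", "nobody' OR '1'='1"];
foreach ($inputs as $nick) {
    printf("%-20s concatenated=%d bound=%d\n",
        $nick, countConcatenated($pdo, $nick), countBound($pdo, $nick));
}
```

With the second input the concatenated query counts every row, while the bound version looks for that literal string and counts none.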

Related

Possible to INSERT INTO from an IF statement [closed]

Closed 9 years ago.
Just wondering if it's possible to run an INSERT INTO sql command through an if statement?
I've got a few test groups that contain test members and I want to add the group id to a db table if the group_id equals 3. I'm unsure how the INSERT INTO sql would be written.
I'm currently passing the group_id number into a variable called $groupIDResult.
The only code I have currently got is:
if ($groupIDResult[0] == 3) {}
Just wondering if it's possible to run an INSERT INTO sql command through an if statement?
Yes. An if statement is just a condition that checks criteria you set such as whether $groupIDResult[0] is equal to 3. So just do this and all is good:
if ($groupIDResult[0] == 3) {
// INSERT INTO query & related PHP logic to run that query goes here.
}
But you state:
I'm unsure how the INSERT INTO sql would be written.
So what is the real question? Is it about a SQL query or an if condition? Because you are on the right track but it’s unclear why you are having problems.
The insert statement would go in your curly braces and would be of the form
INSERT INTO table_name(column_name) VALUES(your_value)
Consult the PHP manual or the manuals for any framework you're using for specific syntax.
W3Schools.com also has some intro to SQL material you may find useful.

MySql 'or' Operator not working [closed]

Closed 9 years ago.
I want to select the user from my database using email or username, my code is:
$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."'') AND `Password`='".$Password."'";
My Code Worked
Code:
$sql = "SELECT * FROM users WHERE (Email = '$User' or Username ='$User') AND Password='$Password'";
Note: I would have posted this in a comment (believe me), because the comment box doesn't show backticks properly (I know there's a trick to it, but I don't know it, yet.)
Use this:
$sql = "SELECT * FROM `users`
WHERE (`Email`='".$User."' OR `Username`='".$User."')
AND `Password`='".$Password."'";
You had one too many quotes in '".$User."''
$sql = "SELECT * FROM `users`
WHERE (`Email`='".$User."' OR `Username`='".$User."'')
----^
AND `Password`='".$Password."'";
And do consider reading this article on how to prevent injection.
Footnote: And if by the slightest chance that you would be using the now-deprecated mysql_* functions, STOP and start using mysqli_* functions with prepared statements and/or PDO.
Try this:
$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."') AND `Password`='".$Password."'";
There was an extra quote after the $User variable.

Add database username and password along with server usrnm and pwd [closed]

Closed 9 years ago.
I have this code that inserts user data into a database.
mysql_connect("server address","username","password");
mysql_select_db("login");
mysql_query("INSERT INTO login(name,username,password,email)VALUES('$_POST[fname]','$_POST[username]','$_POST[pw]','$_POST[email]')") or die("cannot execute the query");
I have an issue here. There is a username and password to enter into my server and there is also another username and password to use my database.
Where should I mention both usernames and passwords?
The mysql_connect() has absolutely nothing to do with server logins, and only has to do with MySQL login.
That being said, you have a number of issues:
You are using deprecated mysql_* functions. You should use the mysqli extension or PDO instead.
You are horribly vulnerable to SQL injection attacks. NEVER, EVER, EVER directly use input data from the user (like $_POST, $_GET, etc.) without first sanitizing/validating it.
You really should get in the habit of checking the response for each function and handling errors appropriately. For example, you should never even get to the mysql_query() line of code if your mysql_connect() and mysql_select_db() calls are not successful.
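
The three points in the answer above, put together as an added example that is not part of the original posts: a connection that fails loudly, validated input, and an INSERT through bound parameters. PDO with an in-memory SQLite database stands in for the MySQL server, and the function names, the sample submissions and the password hashing are assumptions made for this example.

```php
<?php
// Added example (not from the original posts). PDO with in-memory SQLite stands in
// for the MySQL server; the login table mirrors the columns named in the question.
function connect(): PDO
{
    // Connection failures throw PDOException instead of being silently ignored.
    $pdo = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec("CREATE TABLE login (name TEXT, username TEXT UNIQUE,
                                    password TEXT, email TEXT)");
    return $pdo;
}

// Validate the form fields, then insert them through bound parameters.
// Returns a list of validation errors; an empty list means the row was stored.
function registerUser(PDO $pdo, array $post): array
{
    $errors = [];
    foreach (['fname', 'username', 'pw', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (!$errors && !filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not valid';
    }
    if ($errors) {
        return $errors;
    }
    $stmt = $pdo->prepare(
        "INSERT INTO login (name, username, password, email) VALUES (?, ?, ?, ?)");
    // Assumption beyond the page: store a hash rather than the submitted password.
    $stmt->execute([$post['fname'], $post['username'],
        password_hash($post['pw'], PASSWORD_DEFAULT), $post['email']]);
    return [];
}

try {
    $pdo = connect();
    // Constructed form submissions standing in for $_POST.
    var_dump(registerUser($pdo, ['fname' => "Pat O'Neil", 'username' => 'pat',
        'pw' => 'example-only', 'email' => 'pat@example.com']));
    var_dump(registerUser($pdo, ['fname' => 'X', 'username' => 'x',
        'pw' => 'p', 'email' => 'not-an-email']));
} catch (PDOException $e) {
    error_log($e->getMessage());       // log details server-side
    exit("cannot execute the query");  // generic message to the client
}
```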

MySQL determining which database to use [closed]

Closed 9 years ago.
I am a beginner with MySQL. I have this code and I would like an explanation on how the function knows which database to use since $conn and $db are defined?
$conn = mysql_connect("localhost","primeb5_mysql","***");
$db = mysql_select_db("primeb5_unigis");
$query = "SELECT * FROM lesson3";
$result = mysql_query($query);
From PHP manual:
http://php.net/manual/en/function.mysql-query.php
The MySQL connection. If the link identifier is not specified, the
last link opened by mysql_connect() is assumed.
So, in case you don't specify the connection (second parameter) to the mysql_query() function, the last one is used.
On a side note, I'd like to notify you that mysql_* functions have been deprecated in PHP 5.5.0. Do not use them, because if you do, your site might stop working soon.
mysql is deprecated; use mysqli or PDO instead.
You don't have to use a PHP function to select your database;
just use this:
// $conn is the link returned by mysqli_connect()
mysqli_query($conn, "SELECT * FROM primeb5_unigis.lesson3");
Or a join example between multiple databases (the part after ON is missing):
mysqli_query($conn, "SELECT * FROM database1.table1 INNER JOIN database2.table2 ON ...");
edit
I think the topic starter means the connection to the database, but I'll leave the answer; it could be helpful.

Examples of parameterized queries [closed]

Closed 9 years ago.
Could anyone give me examples of how to use parameterized queries with MySQL/PHP please?
A parameterized query is essentially a query which abstracts away all the input. This has several good side effects, like making all input harmless (i.e. no harmful injections are possible) and making it faster when used repeatedly, since it is pre-parsed and compiled, so the engine knows how to apply the input given. An example in pure MySQL is:
PREPARE qry FROM "INSERT INTO tbl VALUES (?)";
The statement is now compiled and cached, and can be executed repeatedly without needing to recompile and interpret it:
SET @var = "some input";
EXECUTE qry USING @var;
SET @var = "some other input";
EXECUTE qry USING @var;
When used in PHP, it's usually like this (shortened):
// $pdo is an existing PDO connection
$stmt = $pdo->prepare('INSERT INTO tbl VALUES (?)');
$stmt->execute(array("some input"));
$stmt->execute(array("some other input"));
$stmt->execute(array("some more input"));
PREPARE stmt_name FROM "SELECT name FROM Country WHERE code = ?";
SET @test_parm = "FIN";
EXECUTE stmt_name USING @test_parm;
Source: MySQL Dev: Prepared Statements
