OK So I'm trying to access a table called emg_quote I have the Quote ID so Im trying to get the Column Subject from the same row as this ID but for some reason All I'm getting is the first row in the entire table? Can any one figure out what I'm doing wrong? Here is my coding:
$row['quote_id'] = quoteTitle($row['quote_id']);
function quoteTitle($quoteid){
global $db;
$sql = "SELECT subject FROM emg_quote WHERE ".$quoteid."";
$res = $db->query($sql);
$row = $db->fetch_row();
$output = $row['subject'];
return $output;
}
Are you using a custom object to wrap the native API's?
Either way it doesn't look right to me. You don't seem to be using the result of the query.
i.e.
$result = $mysqli->query($query);
$row = $result->fetch_row();
You have few bad practices in your code.
A. You lie on $quoteid to give you the correct where syntax. ie: ID=123
This is an highly unsafe method, because the user can change the it to Some-Important-Details='bla'
To extract more details from this table or others.
B. You should ALWAYS escape characters when receiving data from user, otherwise you easily subjected to SQL-Injections. And believe me you don't want it.
you have to use the checking after where.
use you column name before your $quoteid variable
$row['quote_id'] = quoteTitle($row['quote_id']);
function quoteTitle($quoteid){
global $db;
$sql = "SELECT subject FROM emg_quote WHERE quoteid=".$quoteid." LIMIT 1 ";
$res = $db->query($sql);
$row = $db->fetch_row();
$output = $row['subject'];
return $output;
}
Remember : USE limit 1 when you search with primary key and you know that only 1 record will be searched. it reduce your processing time.
You might be missing the where column.
$sql = "SELECT subject FROM emg_quote WHERE quote_id=".$quoteid."";
^^^^^^^^
We also do not see weather something with your Db class is wrong.
You should in any case not directly put request variables into a database query.
$sql = "SELECT subject FROM emg_quote WHERE ID='".$quoteid."'";
You had not wrote your db fieldname in where condition
Related
I work on a PHP file, and I want with one variable($time) to FIND a column on my database and print the content of the "$time" column, but I can't find the right syntax. In the end, it prints the $_GET['time'] I have passed and not the content of the column. Here is my code:
$id = $_GET['id'];
$time = $_GET['time'];
$query1 = "SELECT "."'$time'"."FROM uploads
WHERE station_id="."'$id'";
$result =mysqli_query($conn,$query1) or die(mysql_error());
$row = mysqli_fetch_array($result, MYSQLI_ASSOC) or die(mysql_error());
echo json_encode($row);
Any help or though???
First of all, your query is horrible and incredibly vulnerable to injection.
You need to rethink your dB design.
But to answer your question, it's probably because the way you're putting the variable in the statement.
Instead of:
$query1 = "SELECT "."'$time'"."FROM uploads WHERE station_id="."'$id'";
Change it to:
$query1 = "SELECT ". $time ."FROM uploads WHERE station_id=".$id;
Please rethink your database design as you have a Huge vulnerability
I'm developing an app for android that uses a DB on a server.
I wrote some script php to create new rows in some tables and get all elements from a table (using JSON to exchange data between android and mysql).
Now I have a problem:
i need to select an id from a table and then use this to insert a row in anothere table that has this foreign key.
Well, when I try to select my id, i don't know why, but look like it doesn't work.
Here a simple example how I select this id:
//connect to DB...
$result = mysql_query (*SELECT id FROM 'table' WHERE name = $name );
$row = mysql_fetch_assoc($result);
$id = $row['id'];
When i use this to select an id, and put it in another query (always on the same connectio) nothing is stored.
if I force the value manually, and so in the same second query I put a number of a preesisting id, the insert works, so the problem is in this piece of code.
Hope someone could help me.
Thank you!
The code that you have put on the question, contains syntax errors.
- Remove * from the start of query
- put the query inside " "
- remove single quote ('table') from table name
Here is the modified code:
//connect to DB...
$result = mysql_query ("SELECT id FROM table WHERE name = $name" );
$row = mysql_fetch_assoc($result);
$id = $row['id'];
Also you should escape the parameter $name in query. And you should use mysqli or PDO instead of mysql extension.
try this:
$result = mysql_query (*SELECT id FROM 'table' WHERE name = $name );
$row = mysql_fetch_assoc($result);
while($row > 0){
$id = $row['id'];
}
My update form script works only, if I use numbers but, if I try use any words it won't work. I need help, thanks!
<?php
if(isset($_POST['teams'])){
$home_team = $_POST['home_team'];
$visitor_team = $_POST['visitor_team'];
$sql = mysql_query("UPDATE table1
SET home_team = $home_team, visitor_team = $visitor_team
WHERE active = 1") ;
$retval = mysql_query( $sql, $conn );
if(! $retval ){
die("<p>Error! Could not update team names. Click return button.</p>");
}
echo "<p>Team names set successfully!</p>";
mysql_close($conn);
}
?>
try with use of '' into your query,
$sql = mysql_query("UPDATE table1 SET
home_team = '".mysql_real_escape_string($home_team)."',
visitor_team = '".mysql_real_escape_string($visitor_team)."'
WHERE active = '1'") ;
also add mysql_real_escape_string() to prevent from SQL Enjection..
Every string passed to a SQL statement must be enclosed within a ''; if they are not, it will result in an error.
That being said, throwing content straight from a form into the database is very, very, very, very (I need another very) bad. Your database can simply be wiped by anyone; it's called SQL injection
To protect your database, you can start with this good article on PDO
I have a query on my page that uses a GET variable to pull data from my table...
If I echo my GET var the data is there so im doing something wrong with my query, instead of or die can I show an error in the browser?
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!');
$sql = "SELECT * FROM persons WHERE id = $userID";
You must use double quotes to use variables inside the query string.
You can also do this:
$sql = "SELECT * FROM persons WHERE id = ".$userID;
What you should do is this (to protect yourself from sql injection):
$safeuid = $conn->prepare($userID);
$sql = "SELECT * FROM persons WHERE id = ".$safeuid;
You can always debug using this at the top of your php page:
ini_set('display_errors',1);
error_reporting(E_ALL);
Have you tried $q = $conn->query($sql) or die($conn->error()); ?
Yes you can, but you should only do it for debugging. Crackers can gain a lot of insight by purposefully feeding bad input and reading the error.
I'm assuming you're using MySQLi; the command is $conn->error(). So your line would be:
$q = $conn->query($sql) or die($conn->error());
Also, what you're doing wrong is you're using single quotes to define $sql. You need to use double quotes to write $userID into the string. So what you want is:
$sql = "SELECT * FROM persons WHERE id = $userID";
or
$sql = 'SELECT * FROM persons WHERE id = ' . $userID;
You need to use double quotes to evaluate variables within the string. That is,
$sql = 'SELECT * FROM persons WHERE id = $userID';
should be
$sql = "SELECT * FROM persons WHERE id = $userID";
Rather than removing the die you should make sure the query is always valid. In other words: validate the userID parameter. $_GET can contain anything the user wants to provide - it could be an array, it could be a string, it could be a string with a malicious payload that can drop your tables. So check it is an integer. If not, return a relevant message to the user.
Not a php expert but you might try:
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!' . mysql_error());
The error should append to the end of your die message.
Hi I'm trying to create a shopping cart for a college assignment, I'm trying to load a table from the contents of a variable but regardless of what I do it won't recognise its contents.
Here the code snippet
$sql = sprintf("SELECT name, description, price FROM %s WHERE id = %d;",$table, $product_id);
$result = mysql_query($sql);
The table variables contents is being missed out so its looking a nameless table, I've searched Google and found a couple of examples but are working for me.
Does anyone have any ideas?
Thanks Scott.
Try this, it should recognize your variable:
$sql = sprintf("SELECT name, description, price FROM " .$table. " WHERE id = %d", product_id);
$result = mysql_query($sql);
mysql_query take 2 parameters, one is your query and other is connection to your database so you need to do the following
$result = mysql_query($sql,your connection variable); `
Try taking off the semicolon after WHERE id = %d