I'm creating a component in joomla and I'm having some problems using the database, specifically to delete rows. The code below is what I'm using
$db = JFactory::getDbo();
$query = $db->getQuery(true);
// delete if this date already exists for this user
$conditions = array(
$db->quoteName('userid') . '='.$array['userid'],
$db->quoteName('date') . '='.$date
);
$query->delete($db->quoteName('#__timereport_schedule'));
$query->where($conditions);
$db->setQuery($query);
$result = $db->execute();
So what I'm trying to do here is delete the rows that match the given userid and date, fairly simple. However it ends up not affecting the database. I know the variables $array['userid'] and $date are correct because the same are used later in the same function to do a insert (it's supposed to delete the record if it exists and make a new one) and the insert works fine which means I end up with duplicate entries.
example row that was succesfully inserted:
(userid, date, starttime, endtime, id, enddate, leave, days)
VALUES
(456, '2013-01-01', '08:00:00', '16:00:00', 448, '2013-01-01', '3', '["Tue"]')
with:
$query = $db->getQuery(true);
$columns = array('userid', 'date', 'starttime', 'endtime', 'id', 'leave');
$values = array("'".$array['userid']."'", "'".$date."'", "'".$array['starttime']."'", "'".$array['endtime']."'", "'null'", "'".$array['leave']."'");
$query
->insert($db->quoteName('#__timereport_schedule'))
->columns($db->quoteName($columns))
->values(implode(',', $values));
$db->setQuery($query);
try {
$result = $db->execute();
} catch (Exception $e) {
return $e;
}
What am I missing? I followed the http://docs.joomla.org/Inserting,_Updating_and_Removing_data_using_JDatabase#Deleting_a_Record example to create this query.
The below code should work since I've defined sample date and userid. Also, and most importantly, you should be quoting the data (much more important than the db fields, btw):
$array['userid'] = 127;
$date = date("Y-m-d H:i:s");
$db = JFactory::getDbo();
$query = $db->getQuery(true);
// delete if this date already exists for this userv
$conditions = array(
$db->quoteName('userid') . '='.$db->quote($array['userid']),
$db->quoteName('date') . '='.$db->quote($date)
);
$query->delete($db->quoteName('#__timereport_schedule'));
$query->where($conditions);
try {
$db->setQuery($query);
$result = $db->execute();
}
catch (RuntimeException $e){
echo $e->getMessage();
}
// for testing you can echo the query as
echo $db->replacePrefix($query);
If $array['userid'] is not defined or empty, and $date is not defined, the query most certainly would throw an error in this example
At the end, add echo $query;. This should print to the screen the SQL query that is actually being run. Post that so we can see the query, since this will help see what could be wrong.
Also, in many cases, Joomla redirects after saves to prevent a page refresh from resubmitting data. So it can be helpful to add an exit(); statement after the echo to actually see what it is echoing.
(Though as I type this, I'm guessing that the date needs to be quoted.)
Use below code after setQuery
$db->setQuery($query);
$result = $db->query();
Related
I'm here trying to update my DB rows without deleting/creating new ones all the time. Currently, my DB creates new entries everytime I run this block of code. Instead of spamming my DB, I just want to change some of the values.
<?php
try {
$conn = new PDO("mysql:host=localhost;port=3306;dbname=dbname", Username, password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
echo "Connection failed: " . $e->getMessage();
}
if(isset($_POST['mUsername']))
{
$mUsername = urldecode($_POST['mUsername']);
$mEvent = urldecode($_POST['mEvent']);
$mChat = urldecode($_POST['mChat']);
$mlongitude = urldecode($_POST['mlongitude']);
$mlatitude = urldecode($_POST['mlatitude']);
$sqlUPDATE = "UPDATE users
SET lastEvent=:lastEvent, lastChat=:lastChat,
lastLong=:lastLong, lastLatt=:lastLatt
WHERE name=:name";
$stmt = $conn->prepare($sqlUPDATE);
$stmt->bindParam(':lastEvent', $mEvent);
$stmt->bindParam(':lastChat', $mChat);
$stmt->bindParam(':lastLong', $mlongitude);
$stmt->bindParam(':lastLatt', $mlatitude);
$stmt->bindParam(':name', $mUsername);
$stmt->execute();
}
echo "successfully updated";
?>
My assumption is my final line, the $results area. I believe it's just treating this an a new entry instead of an update. How do I go about just replacing values? some values will not change, like the username, and sometimes longitude/latitude won't need to be changed. Would that have to be a separate query, should I split this in to two scripts? Or could I just enter a blank, null value? Or would that end up overwriting the ACTUAL last coordinates, leaving me with null values? Looking for any help or guides or tutorials. Thank you all in advance.
lots of syntax error in your code. It is simple to use bindParam
$sqlUPDATE = "UPDATE users
SET lastEvent=:lastEvent, lastChat=:lastChat,
lastLong=:lastLong, lastLatt=:lastLatt
WHERE name=:name";// you forget to close statement in your code
$stmt = $conn->prepare($sqlUPDATE);
$stmt->bindParam(':lastEvent', $mEvent);
$stmt->bindParam(':lastChat', $mChat);
$stmt->bindParam(':lastLong', $mlongitude);
$stmt->bindParam(':lastLatt', $mlatitude);
$stmt->bindParam(':name', $mUsername);
$stmt->execute();
read http://php.net/manual/en/pdostatement.bindparam.php
When using prepared statements, you should also make a habbit of following the set rules. Use named parameters. Try this:
if(isset($_POST['mUsername']))
{
$mUsername = urldecode($_POST['mUsername']);
$mEvent = urldecode($_POST['mEvent']);
$mChat = urldecode($_POST['mChat']);
$mlongitude = urldecode($_POST['mlongitude']);
$mlatitude = urldecode($_POST['mlatitude']);
$sqlUPDATE = "UPDATE users SET lastEvent= :lastEvent, lastChat= :lastChat, lastLong= :lastLong, lastLatt= :lastLatt WHERE name= :name";
$q = $conn->prepare($sqlUPDATE);
$results = $q->execute(array(':name'=>$mUsername, ':lastEvent'=>$mEvent, ':lastChat'=>$mChat, ':lastLong'=>$mlongitude, ':lastLatt'=>$mlatitude));
}
So I'm making my own blog scripts using MYSQL and PHP.
I had the whole 'writing the blog to a database' thing working perfectly, until I realised that if you tried to write a blog with speech marks, this would prevent the INSERT statement from working (obviously - the speechmarks were ending the SQL statement).
So I tried to use real_escape_string, and now the INSERT doesn't work even if you exclude quotes.
I tried using:
sqlstate
in order to find out the issue, and it returned "42000" - which, after googling for a little bit, refers to a syntax error, which doesn't make much sense as there is no syntax error before the use of real_escape_string.
Also, I'm now getting this error:
Call to a member function close() on a non-object in /postarticle.php on line 37
Which refers to the close() call in the ELSE statement.
Please may you help? Been going round in circles for a while. Here is my code:
<?php
$host = 'CENSORED';
$user = 'CENSORED';
$pass = 'CENSORED';
$db = 'CENSORED';
$connection = new mysqli($host,$user,$pass,$db);
$_SESSION["article"] = $_POST["article"];
$date_of_blog = getdate();
$article = ($_SESSION["article"]);
$sql1 = "SELECT * FROM `Blogs`";
$res1 = $connection->query($sql1);
$newrows = $res1->num_rows + 1;
$sql2 = "INSERT INTO Blogs(BlogID, Blog_Contents, D_O_B) VALUES ('$newrows','$article','$date_of_blog')";
$sql2 = $connection->real_escape_string($sql2);
$res2 = $connection->query($sql2);
if ($res2->num_rows == $newrows)
{
$res->close();
$connection->close();
header( 'Location: adminpanel.php' );
}
else
{
echo ($connection->sqlstate);
$connection->close();
$res->close();
}
exit();
?>
Also, on a side note, the getdate() call that I've got has never worked. In the database every blog post comes up as:
0000:00:00 00:00:00
EDIT:
Issue is now solved. Find the functional code below:
<?php
$host = 'CENSORED';
$user = 'CENSORED';
$pass = 'CENSORED';
$db = 'CENSORED';
$connection = new mysqli($host,$user,$pass,$db);
$_SESSION["article"] = $_POST["article"];
$article = ($_SESSION["article"]);
$article = $connection->real_escape_string($article);
$sql1 = "SELECT * FROM `Blogs`";
$res1 = $connection->query($sql1);
$newrows = $res1->num_rows + 1;
$sql2 = "INSERT INTO Blogs(BlogID, Blog_Contents, D_O_B) VALUES (\"$newrows\",\"$article\",CURDATE())";
$res2 = $connection->query($sql2);
if ($res2 != false)
{
header( 'Location: adminpanel.php' );
}
else
{
echo ($connection->sqlstate);
}
$connection->close();
$res->close();
exit();
?>
I'm very sorry if these questions are basic and annoy the professionals around here; I've tried to follow the guidelines and I've googled for a while etc. I just haven't found any solutions that match my issue(s).
Thankyou for your time.
There are a number issues with the code as originally posted. Chiefly, the cause of the two issues you initially identified is a misuse of mysqli::real_escape_string(). It needs to be called on each variable individually which appears in the code. So instead of calling it on the whole statement, it must be called multiple times for multiple variables like:
$article = $connection->real_escape_string($connection);
The failure of the query due to incorrect quoting (due to real_escape_string()) is the reason for the error message calling close().
As ascertained in the comments, you are using num_rows + 1 to validate that one new row has been inserted based on the previous number of rows returned. This is problematic for a few reasons. Mainly, it exposes a race condition wherein a row may be inserted from two sessions at once and one or both will fail because the expected value for $newrows doesn't match. Really BlogID should be an auto_increment column in your database. That eliminates the need for any logic around it whatsoever. You don't even need to include it in the INSERT because it will be automatically incremented.
That also completely eliminates the need for the first SELECT statement.
Substituting MySQL's native NOW() function for the date value, you can simplify the statement to:
INSERT INTO Blogs (Blog_Contents, D_O_B) VALUES ('$article', NOW())
To test success or failure of the insert, you just need to verify that its variable is not false.
Putting this together, your code can be reduced as:
if (!isset($_POST['article'])) {
// exit or handle an empty post somehow...
}
$connection = new mysqli($host,$user,$pass,$db);
$_SESSION["article"] = $_POST["article"];
// Escape $article for later use
$article = $connection->real_escape_string($_SESSION["article"]);
// Only an INSERT is needed. $article is already escaped
$sql = "INSERT INTO Blogs (Blog_Contents, D_O_B) VALUES ('$article', NOW())";
// Run the query
$res = $connection->query($sql);
// Test for failure by checking for a false value
if ($res) {
// The connection & resource closure can be omitted
// PHP will handle that automatically and implicitly.
header( 'Location: adminpanel.php' );
// Explictly exit as good practice after redirection
exit();
}
else {
// The INSERT failed. Check the error message
echo $connection->error;
}
This should bring your current code into working order. However, since you're learning this it is an excellent time to begin learning to use prepared statements via prepare()/bind_param()/execute() in MySQLi. This is a recommended best practice to prevent SQL injection, although using real_escape_string() works as long as you use it correctly and never forget.
See How can I prevent SQL injection in PHP for examples.
But it would look like:
// connection already established, etc...
// Prepare the statement using a ? placeholder for article
$stmt = $connection->prepare("INSERT INTO Blogs (Blog_Contents, D_O_B) VALUES (?, NOW())");
if ($stmt) {
// bind in the variable and execute
// Note that real_escape_string() is not needed when using
// the ? placeholder for article
$stmt->bind_param('s', $_SESSION['article']);
$stmt->execute();
// Redirect
header( 'Location: adminpanel.php' );
exit();
}
else {
echo $connection->error;
}
You need to apply the real_escape_string function to the variables not the entire SQL string.
$sql2 = "INSERT INTO Blogs(BlogID, Blog_Contents, D_O_B) VALUES ('".$connection->real_escape_string($newrows)."','".$connection->real_escape_string($article)."','".$connection->real_escape_string($date_of_blog)."')";
The purpose is to remove anything that might be misinterpreted as query functions by MySQL, but there are parts of the query that you obviously want to be interpreted as such.
I wonder if anybody can help me. I'm trying add some data to a table within a wordpress database. I'm using the $wpdb class and every time I run the code, the validation I got in place comes back positive. But when I check the table in the database, it's empty.
My Code:
// Define global $wpdb
global $wpdb;
// Retrieve information from the form
$location = $_POST['txtLocation'];
$price = $_POST['txtPrice'];
$type = $_POST['sltType'];
$revenue = $_POST['txtRevenue'];
$surgeries = $_POST['txtSurgeries'];
$tenure = $_POST['sltTenure'];
$upload = $_POST['txtUpload'];
// SQL statement to insert information from the form into the database
$sql = $wpdb->prepare("INSERT INTO practices ('Location', 'Price', 'Type', 'Revenue', 'No. of Surgeries', 'Tenure', 'PDF') VALUES (%s,%s,%s,%s,%s,%s,%s", $location, $price, $type, $revenue, $surgeries, $tenure, $upload);
$result = $wpdb->query($sql);
if (!result) {
echo '<p class="sql-error">There was a problem uploading the practice to the database</p>';
} else {
echo '<p class="sql-success">The practice was uploaded to the database</p>';
}
echo $wpdb->last_query;
Does anybody know why my code is doing this???
Thanks
Forgot a closing ) in your query.
Here
VALUES (%s,%s,%s,%s,%s,%s,%s
^
Try:
$sql = $wpdb->prepare("INSERT INTO practices ('Location', 'Price', 'Type', 'Revenue', 'No. of Surgeries', 'Tenure', 'PDF') VALUES (%s,%s,%s,%s,%s,%s,%s)", $location, $price, $type, $revenue, $surgeries, $tenure, $upload);
Also it is
if (!$result) {
^
In addition to closing the VALUES statement in your query as has been suggested, you might find that referencing the column names using ' would also give you issues.
MySQL expects column identifiers to be enclosed using backticks: `.
Here's the problematic PHP function:
//Get data associated with $criteria from db
function getUserData($criteria, $value) {
//obtain user data from db based on $criteria=$value
global $pdo;
//echo $criteria . " " . $value;
try {
$sql = 'SELECT id, first, last, email, userid FROM users WHERE :criteria= :value';
//var_dump($sql);
$st = $pdo->prepare($sql);
$st->bindValue(':criteria', $criteria);
$st->bindValue(':value', $value);
$st->execute();
}
catch (PDOException $ex) {
$error = "Failed to obtain user data.";
$errorDetails = $ex->getMessage();
include 'error.html.php';
exit();
}
$row = $st->fetch();
//var_dump($row);
if ($row)
{
$userdata = array();
$userdata['id'] = $row['id'];
$userdata['first'] = $row['first'];
$userdata['last'] = $row['last'];
$userdata['email'] = $row['email'];
$userdata['userid'] = $row['userid'];
return $userdata;
}
return FALSE;
}
I use this function to return a whole row of data associated with specific column in it.
When used at it's current state, with a call like that getUserData("email", "John_Stewart_2013"), it returns false, meaning an empty result, while the same query runs fine in MySQL CLI.
If I, on the other hand, substitute the query string $sql with :
$sql = "SELECT id, first, last, email, userid FROM users WHERE $criteria='$value'";
And comment out the bindValue calls, Every thing runs fine in PHP, and the query returns as desired.
But the problem is, those function arguments are user-submitted form data, meaning the solution is vulnerable to SQL Injection.
What's wrong here in the first query form?
You can't use bindValue with column names I'm afraid.
If you think about what a prepared statement is, this should become more obvious. Basically, when you prepare a statement with the database server, it creates an execution plan for the query beforehand, rather than generating it at the time of running the query. This makes it not only faster but more secure, as it knows where it's going, and the datatypes that it will be using and which are going to be input.
If the column/table names were bindable in any way, it would not be able to generate this execution plan, making the whole prepared statement idea somewhat redundant.
The best way would be to use a hybrid query like so:
$sql = "SELECT id, first, last, email, userid FROM users WHERE $criteria = :value";
I'm going to hope that the $criteria column isn't entirely free form from the client anyway. If it is, you'd be best limiting it to a specific set of allowed options. A simplistic way to do would be to build an array of allowed columns, and check if it's valid with in_array, like so:
$allowed_columns = array('email', 'telephone', 'somethingelse');
if (!in_array($criteria, $allowed_columns))
{
$error = "The column name passed was not allowed.";
$errorDetails = $ex->getMessage();
include 'error.html.php';
exit;
}
Other people have asked this question, but mine is a little more specific.
I have this query:
$sql = "UPDATE table SET option=? WHERE number=?";
$q = $conn->prepare($sql);
$q->execute(array($option, $number));
$q->setFetchMode(PDO::FETCH_BOTH);
echo $q->rowCount();
If the WHERE number already exists and the SET option is same, $q->rowCount() equals 0
If the WHERE number doesnt exist and the row does not update, $q->rowCount() equals 0
How can I distinguish between these non-updates?
On recent PHP versions, it's controlled by the PDO::MYSQL_ATTR_FOUND_ROWS attribute.
When set to true, according to the doc, the effect is:
Return the number of found (matched) rows, not the number of changed rows.
Will be better check before if exists? I use a common function for this in my miniclass for manage PDO, but i dont know if is the best solution because make one query more...
function checkExistsInDatabase($id, $table, $where = null){
// Connect
$Database = Database::connect();
// Query
$sql = "SELECT id
FROM $table
WHERE id = :id $where
LIMIT 1";
$params = array(
':id' => array(
'value' => $id,
'type' => 'int'
)
);
$q = $Database->query($sql, $params);
// Ha encontrado algo?
$resultados = $Database->fetchArray($q);
if(count($resultados) === 1){
return true;
}else{
return false;
}
}
You can try using REPLACE which work's like insert but if the row already exists its first deleted and then inserted. This has overwork from mysql side
Add this:
$db = new PDO($dsn, $username, $password, array(PDO::MYSQL_ATTR_FOUND_ROWS => true));
to the first "try {" part of your databasefunctions.php file