Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Ok so i store the column i want to update in side a variable so i need to put the variable in side the main query i try and do it like so
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
I have searched for an answer and have found a thread here on the site doing the same:
Using a passed variable in a query using PDO (Oct 2011; by Don S)
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
You can't bind the names of columns; so that isn't going to work. There's no way to use a bound variable for a column or table name, so the only way to do this is to actually interpolate the variables into the string:
$sqlltyryrt = "UPDATE user_items SET $fggdgdf = $fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array($_SESSION['username']));
But you need to be very sure that you've sanitized the variables, else you're open to SQL injection. You can use whitelisting for this, as you should be able to generate an array of possible column names and can check that the variables are present in that array.
But the fact that you're trying to bind the names of comments implies that your database design could do with looking at.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am able to navigation between a php page using ID but not using project name. Can you only use an number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts string to a query, resulting in invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including query string) in your query like you did. You should use prepared statement instead to safely escape that string for your query.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I am writing code to delete a row based on ID from a SQL Server database. I want to make sure my code is safe from accidentally deleting everything or deleting something other than what it should. My code at the moment is as follows...
$st = $conn->prepare("if (select count(*) from sometable where id = :id) = 1
delete from sometable where id = :id");
$st->bindParam(':id',$id);
$st->execute();
Is this a safe way to delete a single row without accidentally deleting everything? Is there a better, known best-practices way to do it?
Edit: I am getting an error COUNT field incorrect or syntax error when testing this code.
I have changed my code accordingly to resolve this (I was hoping I could refer to the same field more than once and bind it once but apparently not)
$st = $conn->prepare("if (select count(*) from sometable where id = ?) = 1
delete from sometable where id = ?");
$st->execute(array($id,$id));
(Might as well use my question to troubleshoot since stackoverflow won't let me delete it)
Is this a safe way to delete a single row without accidentally deleting everything?
Yes, as long as your ID's are unique for each row.
Is there a better, known best-practices way to do it?
No.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
In my MySQLi database, I have 2 columns in the table. One is 'author' and the other is 'books'. I have a variable called '$author' and an array called '$books' which contains unknown numbers of values.
I want to populate column 'books' with values inside array '$books' and in the other column variable '$author' which will remain constant in all rows.
Please help. It will be even more appreciated if you provide it in procedural way instead of OOP.
Assuming $author is a string and $books is an array of integers,
$sql = "INSERT INTO your_table (books,author) VALUES(";
foreach($books as $book_data){
$sql .= "($book_data,'$author'),";
}
$sql = rtrim($sql, ",") . ")";
//Execute the query
This will insert every $books variable as a new row with the constant $author.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Can $var[$x]['seeds'] be converted into $var? In mysql statement like the one below, how can I use it?
$length=9;
$x=0;
while ($x<$length){
$query="Select fruits in ('$var[$x]['seeds']') from edible";//This query will go 9 times different seeds.
$x++;
}
Please help me.
I hope that I understand your question correctly:
$query = "SELECT seeds FROM edible WHERE seeds IN ('" . $var[$x]['Apple'] . "')";
If you now perform: echo $query; you will see how the query looks like. But your question is not really clear in what your exactly want.
Also if you want to use variables in query, then look at parameterized queries. This prevents SQL injections.
You can store that value to variable and use in query or you can use escape string .
$query = "Select fruits in ('".$var[$x]['seeds']."') from edible"
It seems that you want to create a query that compares a value against a list of possible other values with SQL. I would do this with a single prepared statement:
$sql = 'SELECT fruits IN (?,?,?,?,?,?,?,?,?,?) FROM edible';
$stmt = $db->prepare($sql);
$stmt->execute(array_map(function($value) {
return $value['seeds'];
}, $var));
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I am new to PHP and mysql and i am trying to make API's for my iphone app.
So far i have been able to connect and retrive data from my sql database now m trying to make entries to it using API's and parameters.
Can anyone help me out here please.
Thanks alot!!
If by to make entries you mean adding data to the database.
You do this in the same way that you select data.
Instead of issuing a select statement like:
SELECT x,y,z FROM table1
You do:
INSERT INTO table1 (x,y,z) VALUES ('a', 1, 'test')
Or:
UPDATE table1 SET x = 'b' WHERE x = 'a'
How you pass parameters depends on the API you use.
It is best (safest) to use PDO to pass parameters.
How to get parameters out of a url
In order to get the parameters out of the url (e.g.: example.com/test.php?username=xyz&password=!##$%) do:
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$query = "SELECT * FROM users WHERE username = '$username'
AND passhash = sha2(CONCAT(salt,'$password'),512)";
Note that it's vital to put single quotes around the injected variable names when using mysql_real_escape_string() or the escaping will be useless. Used like this the code is 100% secure from SQL-injection.
If you're using PDO, you can drop the mysql_real_escape_string() if not you need it to prevent SQL-injection.
Links
http://dev.mysql.com/doc/refman/5.5/en/update.html
http://dev.mysql.com/doc/refman/5.5/en/insert.html
http://php.net/manual/en/ref.pdo-mysql.php
https://stackoverflow.com/search?q=%5Bphp%5D+%5Bmysql%5D+pdo
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/function.mysql-real-escape-string.php