I am getting the below error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'
Here is the main page..
echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";
and here is the second page the error appearing on. the address bar reads http://localhost/secondpage.php?title=more+testing
<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
echo $mydb->error;
}
?>
<div>
<?php
while( $row = $result->fetch_assoc() ){
echo $row['firstname'];
}
$mydb->close ();
?>
</div>
You want to use urldecode to decode the encoded string in your query:
$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";
I'm assuming you have a column named title in your test table. I don't think MySQL has urlencode function unless you have a procedure by that name which functions exactly like PHP's urlencode.
Update:
Thanks to #GeorgeLund, who pointed out the point of SQL Injection. Important topic which I missed earlier during answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection
For the very least please update your code to following:
$title = urldecode($_GET['title']);
$title = mysqli_real_escape_string($title); // Addition
$sql = "SELECT * FROM test where title = '$title' order by id";
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
Try like
$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";
You missed . leads syntax go away.
As far as I know SQL does not have function urlencode and why would you even want to urlencode the column name?
Also to store the encoded title string which is received from the last page you should decode the encoded title
So here is what I think you meant to do.
$sql = "SELECT * FROM test WHERE title = ".urldecode($_GET['title'])." order by id ";
Please try this code using urldecode
$sql = "SELECT * FROM test where title =".urldecode($_GET['title'])" order by id ";
Related
Require("dbconnect.php");//works is used on other another page
echo $Customer_id;//Displays correctly
Can anyone help?
First Check that use session variable is getting the data or not.
If the Customer id is of varchar then you are missing single inverted comma in where clause.
session_start();
$Customer_id = $_SESSION['id'];
Require("dbconnect.php");//works is used on other another page
$sql = "SELECT Job_id FROM Job";
$sql.= " WHERE Job_Customer_id = '$Customer_id'";
$stmt = $dbh->query($sql);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$Job_id = $row['Job_id'];
echo $Customer_id;//Displays correctly
echo $Job_id;//Curently dose not display anything
Change the $sql.= line to this:
$sql.= " WHERE Job_Customer_id = '$Customer_id'"
with the ' around $Customer_id.
I have a php script that is supposed to get multiple rows from a table and then wrap each row as an array into another array.
$comQy = "SELECT * FROM comments WHERE user = '$user' ORDER BY DESC;";
$comSt = $db->prepare($revQy);
$comRes = $comSt->execute();
$coms = $comSt->fetchAll();
Later in the page, I try to echo one of the elements of the array and then it doesn't work but doesn't return an error.
<div id="comUser">
<?php echo $coms[0]['user'] ?>
</div>
I appreciate all help and I am sorry if I have made a fairly simple mistake in the php script.
This could be the problem of
missing the field name for the ORDER BY clause in the SQL query
missing the variable declaration $revQy
missing the object variable declaration $revSt
$comSt = $db->prepare($revQy);
$comRes = $revSt->execute();
Enabling error reporting is a good practice during development. Add these lines of code at the top of your script.
error_reporting(E_ALL);
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
$comQy = "SELECT * FROM comments WHERE user = :user ORDER BY 1 DESC;";
$comSt = $db->prepare($comQy);
$comRes = $comSt->execute(array( 'user' => $user ));
$comSt->setFetchMode(PDO::FETCH_ASSOC);
$coms = $comSt->fetchAll();
try to use msqli procedural method (im just a newbie too)
$sql = 'SELECT * FROM comments WHERE user = "'.$user.'" ORDER BY fieldname DESC';
$result = mysqli_query($db_connection, $sql);
while($row = mysqli_fetch_assoc($result)){
echo $row['user'];
}
I am having problems trying to get these queries with a WHERE clause to work. I have two tables which look like this :
What I am trying to do is return the genre that each film has. At the moment no data is returning at all from what I can see. Here are the two queries:
$film_id = $row_movie_list['film_id'];
mysql_select_db($database_fot , $fot);
$query_get_genre = "SELECT * FROM film_genre WHERE `id_film` ='". $film_id. "'";
$get_genre = mysql_query($query_get_genre, $fot) or die(mysql_error());
$row_get_genre = mysql_fetch_assoc($get_genre);
$totalRows_get_genre = mysql_num_rows($get_genre);
$genre_id = $row_get_genre['id_genre'];
mysql_select_db($database_fot , $fot);
$query_genre = "SELECT * FROM genre WHERE `id_genre` ='". $genre_id. "'";
$genre= mysql_query($query_genre, $fot) or die(mysql_error());
$row__genre = mysql_fetch_assoc($genre);
$totalRows_genre = mysql_num_rows($genre);
PHP with content area. I fairly new to PHP so any help would be appreciated.
<?php do { echo $genre['genre']; } while($row_get_genre = mysql_fetch_assoc($get_genre)); ?>
Update: I am now able to get first genre but not second it just echos the first one twice and I have tried but still no luck:
do {do { echo $row_genre['genre']; } while($row_genre = mysql_fetch_assoc($genre));} while($row_get_genre = mysql_fetch_assoc($get_genre)); ?>
Avoiding the fact that you're using a deprecated way to establish connection and interact with MySQL, what you're doing is getting a single relation genre-film and then getting the row of the genre that matches. You should surround part of your code with a while that executes while it's still genres of the film with id. Something like:
$film_id = $row_movie_list['film_id'];
mysql_select_db($database_fot , $fot);
$query_get_genre = "SELECT * FROM film_genre WHERE `id_film` ='". $film_id. "'";
$get_genre = mysql_query($query_get_genre, $fot) or die(mysql_error());
while($row_get_genre = mysql_fetch_assoc($get_genre)){
$genre_id = $row_get_genre['id_genre'];
$query_genre = "SELECT * FROM genre WHERE `id_genre` ='". $genre_id. "'";
$genre= mysql_query($query_genre, $fot) or die(mysql_error());
$row__genre = mysql_fetch_assoc($genre);
// You should do whatever you want to do with $row__genre here. Otherwise it will be cleared.
}
I must insist this is a deprecated and insecure way of communication with a MySQL Database. I recommend you read about MySQLi or PDO extensions.
MySQLi: http://www.php.net/manual/en/book.mysqli.php
PDO: http://www.php.net/manual/en/book.pdo.php
I have a MySql DB and in the Table 'Klant' I have the column names:
ID
Naam
Email
Soort
Status
I get the column names with this query:
$strSQL = "select column_name from information_schema.columns where table_name='Klant'";
And I am selecting the data from the Table with this simple query:
$strSQL1 = "SELECT * FROM NAW.Klant";
What I want to do is search a text and with str_replace I want to replace the column_names with the data from the DB. For example:
If I type in Hello Naam, your email adress is Email I would want it to display Hello Robert your email adress is robert#gmail.com. And I will put that in a loop to do it for every row. I am currently using this:
$ID = $row['Klant_ID'];
$Naam = $row['Naam'];
$Email = $row['Email'];
$Soort = $row['Soort'];
$Naam = $row['Status'];
$vaaw = array("[ID]","[Naam]", "[Email]", "[Soort]", "[Status]");
$vervang = array("$ID","$Naam", "$Email", "$Soort", "$Status");
echo str_replace($vaaw, $vervang, $message);
The reason I do not want to use this anymore is because if I ever need to change/add/delete a column the code would still work. (I know it is a bad idea to change columns but you never know.) And also this code will work with other Tables/DB's to.
I have tried loads of things to get this to work but I just haven't got a clue how to do this and it has been bugging me for almost 2 days now. If someone knows a function or a way to do this it would be very helpful!
Try this:
<?php
$strSQL = "select column_name from information_schema.columns where table_name='Klant'";
$con=mysqli_connect('host', 'username', 'password', 'db');
if(!$con){
//error
}
$result=mysqli_query($con,$strSQL);
if(!$result){
//error
}
$table_columns=array();
//$row=mysqli_fetch_assoc($result);
while($row=mysqli_fetch_assoc($result))
{
$table_columns[]=$row['column_name'];
}
$query="select * from NAW.Klant "; //limit 10";
$result=mysqli_query($con,$query);
if(!$result){
//error
}
$greeting_text="";
while($row=mysqli_fetch_assoc($result)){
$greeting_text.= (isset($row['naam']))? "Hello {$row['naam']}":""; // because you want the 'hello'
for($i=1;$i< count($table_columns);$i++){
$greeting_text.=" Your ".$table_columns[$i]." is ".$row[$table_columns[$i]].", ";
}
$greeting_text.="\n";
}
echo $greeting_text; //test your result
If you have a predefined string template (to be replaced by column names or their values), you need to change that code when there is any change in the table columns. I simply choose to dynamically generate the string depending on the availability of columns. But if you need to use a predefined string, it is not difficult to do so.
I solved it using the script that HamZa linked in the comments. Since he is not posting it as an answer I will do it myself because I think it could help others.
The code that solved the problem is this:
$connection = mysql_connect('localhost', 'root', 'pw') or die('couldn\'t connect to the database.<br>'. mysql_error());
mysql_select_db("NAW");
$strSQL1 = "SELECT * FROM Klant";
$result = mysql_query($strSQL1, $connection) or die('Something went wrong with the query.<br>'. mysql_error());
while($row = mysql_fetch_assoc($result)){
$text = $_POST['naam'];
foreach($row as $k => $v){
$text = str_replace('['.$k.']', $v, $text);
}
echo $text;
echo "<br>";
}
I am trying to display an entry from a MySql database which is selected by GET data.
if (isset($_GET["id"])){
$id=$_GET["id"];
$result = getSelectedBlog($id);
while($row = mysqli_fetch_array($result))
{
extract($row);
?>
<div class="headline"><?php echo $headline ?></div>
<div class="subtitle"><?php echo $subTitle ?></div>
<div class="content"><?php echo $content ?></div>
<?php
}
Here is the SQL statement:
function getSelectedBlog($id){
$con = mysqli_connect('localhost', 'root', '', 'michaelWebsite') or die('could not connect');
$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "$id"';
$result = mysqli_query($con, $sql) or die('entry does not exist.:' . mysqli_error($con));
return $result;
}
As you can see, I am passing the get data as $id to the method that returns the result. However nothing is being returned. There are three entries at the moment, if I change $id in the SQL statement to either 1, 2 or 3 it will show the corresponding data but it just will not work with the $id variable.
The URL does end with the correct info ?id=1.
Please excuse me if it is something stupid, I have just been stuck on this for hours now!!
All of these answers will solve your problem, but none have mentioned or prevented SQL Injection.
In your case I recommend (assuming articleID is an integer field).
$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "' . (int)$id . '"';
I'm also curious why you are using LIKE for an id field.
Note: Since you are using MySQLi, I'd encourage you to look at prepared statements.
$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "'.$id.'"';
escape your var in simple quote
Try with this:
$sql = "SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'";
or with
$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "' . $id . '"';
You need to use double quotes in order for php to correctly expand your variables :) so change your query to
$sql = "SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'";
Change
'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "$id"'
to
"SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'"
Variables will be evaluated only if they're between double quotes "