So I am updating my MySQL database using PHP. Below is the end of the UPDATE, and if I have a string instead of echo $row[embedcode]"); it works fine, and this echo sets data on the page just fine, retrieving the right value, but within this UPDATE it doesn't work.
...WHERE `embedcode` = echo $row[embedcode]");
I have tried using ". ." around it and adding its own php tag around it but I'm not sure what needs to be done.
Just use this:
...WHERE `embedcode` = '" . $row['embedcode'] . "'");
There is no need for echo.
As a side note, you should probably parameterize or at least sanitize any strings that go into a MySQL query to prevent SQL injection and other bad things.
"... WHERE `embedcode` = '" . $row['embedcode'] . "'");
WHERE `embedcode` = '" . $row['embedcode'] . "' will set the value.
There is no need for echo inside the SQL statement. echo is used for displaying something from PHP to the web browser.
You don't use echo, perhaps it should be:
...WHERE `embedcode` = " . $row['embedcode']);
Note that if $row['embedcode'] is a string you have to put quotes around it.
Let's say, for example:
("UPDATE `tblProfile` SET `profilename` = 'abc' WHERE `embedcode` = '".$row['embedcode']."'");
To prevent SQL injection, you can pass that value as a parameter if you are using PDO or MySQLi.
For example,
$stmt = $dbConnection->prepare('...WHERE `embedcode` = :embedcode');
$stmt->execute(array(':embedcode' => $row['embedcode']));
See this for details.
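The parameterized UPDATE from this answer carried through end to end, as an added example (not code from the answer); it assumes the tblProfile table and columns shown in the thread, PHP 7+, and placeholder DSN/credentials:

```php
<?php
// Added example: parameterized UPDATE with PDO for the query discussed above.
// Table and column names come from the tblProfile example in the thread;
// DSN, user and password are placeholders.
function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');
    // Throw on errors instead of failing silently, and ask for real server-side
    // prepares so the driver never interpolates values into the SQL text itself.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Updates the profile name for one embed code and returns the number of rows changed.
// Both values travel as bound parameters, so quotes, semicolons or comment markers
// inside them are stored as plain data and cannot alter the statement.
function updateProfileName(PDO $pdo, string $embedCode, string $newName): int {
    $stmt = $pdo->prepare(
        'UPDATE `tblProfile` SET `profilename` = :name WHERE `embedcode` = :embedcode'
    );
    $stmt->execute([':name' => $newName, ':embedcode' => $embedCode]);
    return $stmt->rowCount();
}

$pdo = connect();
$embedCode = 'abc123';   // constructed sample value standing in for $row['embedcode']
// A value containing an apostrophe (the case that breaks string-built queries
// elsewhere in this thread) needs no escaping here.
$changed = updateProfileName($pdo, $embedCode, "O'Brien");
echo "$changed row(s) updated\n";
```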
my query is:
$q = mysql_query("UPDATE `payment_details` SET `txnid`='$txnid',`amount`='$amount',`email`='$email',`firstname`='$firstname',`phone`='$phone',`productinfo`='$productinfo' where `id`='$id' ") or die(mysql_error());
but it is working when I change id = "1";
Please, can anyone help with this problem?
The function mysql_query is deprecated in PHP 5.5.
Also it's not very cool to put values in the database like that.
You can use PHP PDO and bind values.
Use the bindParam and prepare in the PDO to prevent SQL injection.
First of all check if $id has a value or not with var_dump($id);
Second thing is that you shouldn't put your variables inside single quotes, otherwise they will be considered a string. You need to concatenate your variables, or you can use curly braces, which serve as a substitution for concatenation; they are quicker to type and the code looks cleaner.
Try this:
$q = mysql_query("UPDATE `payment_details` SET `txnid`='{$txnid}',`amount`='{$amount}',
`email`='{$email}',`firstname`='{$firstname}',`phone`='{$phone}',`productinfo`='{$productinfo}'
WHERE `id`='{$id}' ") OR die(mysql_error());
It will work fine.
You should check the value of $id first and go from there.
var_dump($id);
If you get null or empty, there is your problem. If you get a non-empty value, try to run the query in your MySQL client with the value that you got.
Also, it would help to see the error message that you are getting :)
Good luck.
I have the following php version:
PHP Version 5.3.2-1ubuntu4.19
and this php string:
$l_sDesc = "It doesn' t contain any dangerous substances";
If I try to make a query with db_query (Drupal) I get an error due to the apostrophe:
db_query("UPDATE mytable SET description= '$l_sDesc' where id = $id");
I've tried to use mysql_real_escape_string() but I get an empty string:
$l_sDesc = mysql_real_escape_string($l_sDesc); // I get an empty string as result
What's the problem?
Drupal uses another DB wrapper. Normally you can create prepared statements.
https://api.drupal.org/api/drupal/includes!database!database.inc/group/database/7
Here is a correct example. If you use the correct prepared statements your input will be filtered.
Otherwise use stripslashes().
http://php.net/manual/de/function.stripslashes.php
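What the prepared-statement route looks like with the Drupal 7 database API linked above, as an added example (not from the answer); it assumes Drupal 7, the mytable/description/id names from the question, and a constructed sample id:

```php
<?php
// Added example for the Drupal question above: the Drupal 7 database layer
// takes placeholders and binds the values itself, so the apostrophe in
// $l_sDesc needs no manual escaping and no stripslashes().
// Table and column names come from the question; the table is assumed to exist.

function updateDescription($id, $l_sDesc) {
    // {mytable} lets Drupal add its table prefix; :desc and :id are bound parameters.
    // db_query() returns a statement object; rowCount() is the rows affected.
    $result = db_query(
        'UPDATE {mytable} SET description = :desc WHERE id = :id',
        array(':desc' => $l_sDesc, ':id' => (int) $id)
    );
    return $result->rowCount();
}

// Same update through the query builder, which also parameterizes every value.
function updateDescriptionBuilder($id, $l_sDesc) {
    return db_update('mytable')
        ->fields(array('description' => $l_sDesc))
        ->condition('id', (int) $id)
        ->execute();   // returns the number of rows affected
}

$l_sDesc = "It doesn' t contain any dangerous substances";   // value from the question
$rows = updateDescription(42, $l_sDesc);                     // 42 is a constructed sample id
```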
Tom, you need to "prepare" the string for SQL before you actually run the statement.
Try the PHP function mysql_real_escape_string on your strings before you actually use them.
http://php.net/manual/en/function.mysql-real-escape-string.php
I suggest using $l_sDesc = htmlspecialchars($l_sDesc);
I want to pass a string that contains many usernames, separated by a comma, and want to pass it to a query.
$name_list='kesong,nicholas,jane'; //this value would change
$select_occupy=mysql_query("SELECT * FROM user_data WHERE `username` IN('$name_list') ORDER BY `occupy_date` ");// I think this would just search for a username which is 'kesong,nicholas,jane', instead of searching for them separately
echo mysql_num_rows($select_occupy); //would echo 0
I know it works only when you specify like IN('$name1','$name2','$name3'), but I need a dynamic one
As a suggestion, just hold your names into an array and do like below:
$names=array('name1','name2','name3');
$namesToCheck="";
foreach($names as $name){
$namesToCheck.="'$name',";
}
//to remove the last ,
$namesToCheck=substr($namesToCheck,0,-1);
Now, you can put $namesToCheck into your IN query.
EDIT:
In this answer, it is assumed that you will prevent any possible SQL injections, as the current answer is just an idea about your question. The minimum suggestion for preventing SQL injections would be using the mysql_real_escape_string function, which escapes special characters in a string for use in an SQL statement. For example:
$namesToCheck.="'".mysql_real_escape_string($name)."',";
//OR DO THIS ON FINAL STRING
Note that this extension is deprecated as of PHP 5.5.0. You can take a look at PHP's official documentation at the following link:
mysql_real_escape_string
You can do it like this:
$namesToCheck = "'" .implode( "','" ,explode( ',' ,$name_list ) ) ."'";
And then use the $namesToCheck in the IN clause of your query.
The above code would convert:
kesong,nicholas,jane
to:
'kesong','nicholas','jane'
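Both answers above build the IN list as SQL text; the added example below (not from either answer) builds one positional placeholder per name instead and binds the values, and also handles the empty-list edge case that would otherwise produce an invalid "IN ()". It assumes PHP 7+, the user_data table from the question and placeholder credentials:

```php
<?php
// Added example for the two answers above: build the IN (...) list from
// positional placeholders and bind each name, instead of gluing quoted names
// into the SQL text. Table/columns come from the question; DSN is a placeholder.

// Splits 'kesong,nicholas,jane' into a clean array, dropping blanks and whitespace.
function parseNameList(string $nameList): array {
    $names = array_map('trim', explode(',', $nameList));
    $names = array_filter($names, function ($n) { return $n !== ''; });
    return array_values($names);
}

// Returns the matching rows. An empty list returns [] immediately, because
// "IN ()" is a MySQL syntax error and there is nothing to match anyway.
function findUsersByName(PDO $pdo, string $nameList): array {
    $names = parseNameList($nameList);
    if ($names === []) {
        return [];
    }
    // One "?" per name: IN (?,?,?) for three names.
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $sql = "SELECT * FROM `user_data` WHERE `username` IN ($placeholders) ORDER BY `occupy_date`";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($names);   // values bound positionally, never interpolated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$rows = findUsersByName($pdo, 'kesong, nicholas,jane');   // list from the question
echo count($rows) . " row(s)\n";
```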
In accessing my database, I have the user fill out a form, and in the target page, the posted values are used in the resulting MySQL query.
$query = mysql_query("SELECT pass FROM database WHERE user='$_POST[user]'");
However, for some reason or another, MySQL doesn't like my using a $_POST variable in the command, and it only works if I define (for example) $user = $_POST['user'];, and then put $user directly in the SQL command.
On the other hand, I can use $_POST values in INSERT statements where specific column names are not required:
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '$_POST[user]')");
If I try an INSERT statement where attributes are defined (e.g. user='foo'), then the same problem appears.
What am I doing wrong in my SQL query that causes the command to error out when run, but works with the specific method of formatting an INSERT command?
Hopefully, it's not "tough luck, looks like you have to assign all of your posted values". Heh.
First off, watch out for SQL injections!
Now, to answer your question try doing this instead:
$query = mysql_query("SELECT `pass` FROM `database` WHERE `user` LIKE '" . mysql_escape_string($_POST['user']) . "';");
You were doing a couple of things wrong:
using the = operator instead of LIKE operator
not enclosing the value in the SQL query with '
not enclosing the user index in the $_POST array with '
PS: You should use mysql_real_escape_string() instead of mysql_escape_string()!
You're simply inserting a variable into a string, so it shouldn't matter which command you're putting it into.
There are a few issues to point out.
One, you might want to use the {} format for array variables. You don't use quotes around the array key names in this format.
$query = mysql_query("SELECT pass FROM database WHERE user='{$_POST[user]}'");
Two, you'd never want to make a query like that because you are open to sql injection holes. Consider, what if $_POST['user'] was "cow';drop table database;--"?
You must either run mysql_real_escape_string on the POST input before putting it into your query, or check out using PHP PDO with prepared statements.
One way to format your string which provides a bit of structure is to use sprintf.
$query=mysql_query(sprintf("SELECT pass FROM database WHERE user='%s'",mysql_real_escape_string($_POST['user'])));
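The prepared-statement route this answer points at, written with MySQLi as an added example (not from the answer); it assumes PHP 7+, the `database`/`user`/`pass` names from the question, and placeholder credentials. The "cow';drop table database;--" value quoted above arrives as a bound parameter and is compared as a literal string:

```php
<?php
// Added example for the answer above: the same lookup with a MySQLi prepared
// statement. Whatever is posted as "user" is bound as a string parameter, so the
// server compares it against `user` literally instead of parsing it as SQL.
// Table/column names are the ones from the question; credentials are placeholders.

// Returns the `pass` column for a user name, or null if there is no such user.
function findPassForUser(mysqli $db, string $user) {
    $stmt = $db->prepare('SELECT `pass` FROM `database` WHERE `user` = ?');
    $stmt->bind_param('s', $user);   // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($pass);
    $found = $stmt->fetch();         // true if a row came back
    $stmt->close();
    return $found ? $pass : null;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'YOUR_DB');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Read the form field defensively: a GET request or a missing field yields ''
// here instead of an undefined-index notice, which is the "empty POST var" case
// raised elsewhere in this thread.
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
if ($user === '') {
    die('No user name submitted');
}
$pass = findPassForUser($db, $user);
echo $pass === null ? "no such user\n" : "found\n";
```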
Use PDO - it provides a much better API to communicate with the DB.
If you're using mysql_*() functions, always remember to filter (mysql_real_escape_string()) any data that comes from an untrusted source (like the user).
Pay more attention to how your code looks. Just compare the following listings:
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ")");
$query = sprintf('INSERT INTO database VALUES ("foo", "bar", "%s", "%s", "%s")',
mysql_real_escape_string(...), ...);
Do I have to explain which one is better to read, modify or understand?
Why not check and see what mysql_error() has to say about it? If your query is invalid, mysql_error() will return a nice blob of text telling you exactly what went wrong.
As for MySQL not liking the POST var if you insert it directly for some runs, but not others, you should make sure you're using consistent data and setups for each test. If some tests are done using a GET, then your POST vars will be empty. If you're using different user names for each test, then see what's consistent between the ones that fail.
And as mentioned above, read up about SQL injection and how your query is just begging to be subverted by a malicious user.
Try
$query = mysql_query("SELECT pass FROM database WHERE user='" . mysql_real_escape_string($_POST['user']) . "'");
and
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '" . mysql_real_escape_string($_POST['user']) . "')");
It's always a good idea to sanitize anything received through $_GET or $_POST.
$result = mysql_query("UPDATE categories
SET cd_title='$docuTitle' , cd_link='$linkTitle'
WHERE c_name='$catID'");
What is wrong with this update query?
There is probably something wrong with the data in your variables — but we can't see what they contain.
You should be using parameterized queries, which would deal with any odd characters in your data that might mess up the statement.
See How can I prevent SQL injection in PHP? and When are the most recommended times to use mysql_real_escape_string()
I would change the query to this, to avoid errors if input contains apostrophes:
$result = mysql_query(
"UPDATE categories SET
cd_title='" . mysql_real_escape_string($docuTitle) . "',
cd_link='" . mysql_real_escape_string($linkTitle) . "'
WHERE
c_name='" . mysql_real_escape_string($catID) . "'");
If your data is sanitized, remove the single quotes from around the PHP variables.