I have an array $friends and I used $friend_new = join(',', $friends); to get name1,name2,name3.
But when I use this query I get an error:
$query = mysqli_query($connect_db, "SELECT * FROM post WHERE name IN ($friend_new )");
Does anyone know where the problem is?
You should use implode("','", $friends) and IN ('$friend_new'), as these are string values.
Your code is vulnerable to injection. You should use properly parameterized queries with PDO / mysqli.
Your list has to look like:
... IN ('friend1','friend2','friend3')
If you have an array of friends such as:
$friends = array("friend1","friend2","friend3");
You can use implode to prepare for use with an IN:
$friend_new = "'" . implode("','", $friends) . "'";
Finally,
SELECT * FROM post WHERE name IN ($friend_new)
The way you do it, the individual strings won't be quoted, and that causes the error. As join allows you to specify a "glue" longer than one character, you can do as follows:
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('".join("', '", $friends)."') ";
or
$friend_new = join("', '", $friends);
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('$friend_new') ";
That is, have join write the intermediate ', ', and surround the whole list with ''.
I would like to modify the function below to filter records in the table that have column "type" equal to "hod"
public function getHOD() {
$query = $this->pdo->prepare('SELECT * FROM `' . $this->table . 'WHERE type=hod`;');
$query->execute();
if ($query->rowCount() == 0) return null;
}
I am having trouble figuring out how to add WHERE type=hod to the query.
Here are multiple things that you need to fix:
You added ` before table name, but not after
You need a space before WHERE
You need to add ' around hod
If I did not miss anything your query should look like this:
$query = $this->pdo->prepare("SELECT * FROM `" . $this->table . "` WHERE type='hod'");
It looks like a space is missing in 'WHERE, which should say ' WHERE.
And hod, if it's a string should have quotes in SQL.
Try this
$query = $this->pdo->prepare("SELECT * FROM `" .$this->table. "` WHERE type='hod'");
Use in quotes
$query = $this->pdo->prepare("SELECT * FROM `" . $this->table . "` WHERE type='hod'");
$option_meno = ["Lukas", "Ivka"];
$sql = "SELECT *
FROM uctovnictvo
WHERE meno IN ('$option_meno[1]', '$option_meno[0]')
AND datum BETWEEN '$date_start' AND '$date_end'
ORDER BY $order ";
There has to be a better way to select users by name (meno). There can be more or fewer names in the $option_meno array.
I would especially like to make this simpler than listing each index of the option array ('$option_meno[1]','$option_meno[0]').
You could use some array functions to auto-generate the correct IN statement:
$option_meno = ["Lukas","Ivka"];
// PDO::quote() already wraps each value in single quotes, so no extra quoting is needed
$in = implode(',', array_map(function($item) use ($pdo) {
    return $pdo->quote($item);
}, $option_meno));
$sql = "SELECT * FROM uctovnictvo WHERE meno IN ($in)...";
Instead of PDO::quote you could also use mysqli_real_escape_string, etc. (depending on your connection).
You can use implode():
$sql = " SELECT *
FROM uctovnictvo
WHERE meno IN ('" . implode('\', \'', $option_meno) . "')
AND datum BETWEEN '$date_start' AND '$date_end'
ORDER BY $order ";
I have a simple search box, but I am trying to avoid the result page returning all results in the table when the query is %. How can that be done?
I think you want to use \%...
In your PHP,
// Escape the LIKE wildcard first, then escape the string for the SQL literal ($link is the mysqli connection)
$query = str_replace('%', '\%', $query);
$sql = "SELECT * FROM table WHERE column LIKE '%" . mysqli_real_escape_string($link, $query) . "%'";
Are you sanitizing your inputs?
You can start with mysqli_real_escape_string():
// $link is the mysqli connection; the function requires it as the first argument
$query = "SELECT * FROM table WHERE column LIKE '" . mysqli_real_escape_string($link, $input) . "'";
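Added example, not code from the question or either answer above: the search term is bound as a prepared-statement parameter, and the LIKE wildcards inside it are escaped with an explicit ESCAPE character, so a search for "%" matches rows containing a literal percent sign instead of every row. It assumes a PDO connection $pdo with PDO::ERRMODE_EXCEPTION and a table/column named table/column as in the question.

```php
<?php
// Turn raw user input into a LIKE pattern that matches the input literally.
// The escape character is escaped first, then the two wildcards, so the
// result never contains an unescaped % or _ from the user.
function likePattern(string $input, string $esc = '!'): string {
    $escaped = str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $input
    );
    return '%' . $escaped . '%';   // "contains" search
}

// Run the search with the pattern bound as a value, never concatenated.
function searchColumn(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare(
        "SELECT * FROM `table` WHERE `column` LIKE :pat ESCAPE '!'"
    );
    $stmt->execute([':pat' => likePattern($input)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// likePattern('%')        -> '%!%%'   (matches rows containing a literal %)
// likePattern('50%_off')  -> '%50!%!_off%'
```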
Is it possible to add WHERE id = '$id' to the end of my $query string? My $query string reads as:
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
Thanks
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = "' . $id . '"';
If $id is just a number (most likely) you can do...
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = ' . $id;
Also use mysql_real_escape_string() as ZombieHunter replied in his answer.
Do not append variables directly. Use mysql_real_escape_string() to avoid potential SQL injections!
I strongly encourage you to read this page about SQL injections:
http://www.php.net/manual/en/security.database.sql-injection.php
If $sqlConditions contains more than one condition (as the variable name states), this is a dangerous operation. Anyway, if you really want to use it this way, you need to put it after the WHERE condition.
$query = 'UPDATE students SET column = value WHERE ' . join(' , ', $sqlConditions) . ' AND id = ' . mysql_real_escape_string($id);
If $sqlConditions contains the SET statement this is a dangerous operation too. Use the actual column names together with mysql_real_escape_string():
$query = 'UPDATE students SET column1 = value1, column2 = value2 WHERE id = ' . mysql_real_escape_string($id);
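Added example, not code from the question or any answer above, showing the safe version of the dynamic UPDATE: column names are checked against an allow-list (they cannot be bound), every value and the id are bound as parameters. It assumes a PDO connection $pdo with PDO::ERRMODE_EXCEPTION; the allowed column names are assumed.

```php
<?php
// Build "UPDATE students SET col = ?, ... WHERE id = ?" from an associative
// array of changes. Returns the SQL and the positional parameter list.
function buildStudentUpdate(array $changes, int $id): array {
    $allowed = ['name', 'email', 'year'];   // assumed columns of `students`
    $set = [];
    $params = [];
    foreach ($changes as $column => $value) {
        // Column names come from the allow-list only, never from the request.
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }
        $set[] = "`$column` = ?";
        $params[] = $value;
    }
    if ($set === []) {
        throw new InvalidArgumentException('Nothing to update');
    }
    $params[] = $id;   // WHERE id = ? is always the last placeholder
    $sql = 'UPDATE students SET ' . implode(', ', $set) . ' WHERE id = ?';
    return [$sql, $params];
}

// Execute the update and return the number of affected rows.
function updateStudent(PDO $pdo, array $changes, int $id): int {
    [$sql, $params] = buildStudentUpdate($changes, $id);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// buildStudentUpdate(['name' => "O'Brien", 'year' => 3], 42) returns
// ['UPDATE students SET `name` = ?, `year` = ? WHERE id = ?', ["O'Brien", 3, 42]]
```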
I've got a SQL query within a foreach loop. Sometimes there can be many, and I mean a lot of queries to do, depending on several criteria, up to 78 queries potentially.
Now, I know that premature optimisation is the root cause of all evil, but I don't want to see 78 queries - it's just not healthy.
Here's the code:
$crumbs = explode(",", $user['data']['depts']);
foreach ($crumbs as &$value) {
$data = $db->query("SELECT id FROM tbl_depts WHERE id = '" . $value . "'");
$crumb = $data->fetch_assoc();
$dsn = $db->query("SELECT msg, datetime FROM tbl_motd WHERE deptid = '" . $value . "'");
$motd = $dsn->fetch_assoc();
if ($motd['msg'] != "") {
echo $motd['msg'];
}
}
Can I make it any better?
Use the MySQL IN operator to search over a set of values for id:
$ids = '"' . implode('", "',$crumbs) . '"';
$query1 = "SELECT id FROM tbl_depts WHERE id IN (" . $ids . ")";
$query2 = "SELECT msg, datetime FROM tbl_motd WHERE deptid IN (" . $ids . ")";
So you will not need a foreach loop to retrieve all the data you need, and you will have only 2 queries instead of 78.
Example: I have a table named table with 10 records whose ids are 1,2,3,4,5,6,7,8,9,10 (auto-incremented). I know I need the records with ids 1,5,8. My query will be:
$sql = "SELECT * FROM `table` WHERE id in (1,5,8);";
And I don't understand why you need to use the & operator in the foreach loop if you don't modify the $crumbs array's values.
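Added example, not code from any of the questions or answers above, serving the first thread (post / name), the uctovnictvo thread and this 78-queries thread together: the IN list is built from one "?" placeholder per array element and the values are bound, so nothing from the array is ever quoted into the SQL string. It assumes a PDO connection $pdo with PDO::ERRMODE_EXCEPTION and the table names used in those threads; the ORDER BY allow-list is assumed.

```php
<?php
// One "?" per element: ["Lukas", "Ivka"] -> "?,?"
function inPlaceholders(array $values): string {
    if ($values === []) {
        throw new InvalidArgumentException('IN () is a syntax error in MySQL');
    }
    return implode(',', array_fill(0, count($values), '?'));
}

// First thread: SELECT * FROM post WHERE name IN (...)
function postsByNames(PDO $pdo, array $names): array {
    $sql = 'SELECT * FROM post WHERE name IN (' . inPlaceholders($names) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($names));   // positional params, in order
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// uctovnictvo thread: IN list plus a date range, all bound. ORDER BY cannot
// be a bound parameter, so the column is checked against an allow-list.
function uctovnictvoByNames(PDO $pdo, array $names, string $dateStart,
                            string $dateEnd, string $order): array {
    $allowedOrder = ['datum', 'meno'];   // assumed sortable columns
    if (!in_array($order, $allowedOrder, true)) {
        throw new InvalidArgumentException("Unknown ORDER BY column: $order");
    }
    $sql = 'SELECT * FROM uctovnictvo WHERE meno IN (' . inPlaceholders($names) . ')'
         . ' AND datum BETWEEN ? AND ? ORDER BY `' . $order . '`';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge(array_values($names), [$dateStart, $dateEnd]));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 78-queries thread: one statement for all department ids instead of one
// per id; deptid is selected too so rows can be matched back to $crumbs.
function motdsForDepts(PDO $pdo, array $deptIds): array {
    $sql = 'SELECT deptid, msg, datetime FROM tbl_motd WHERE deptid IN ('
         . inPlaceholders($deptIds) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($deptIds));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```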
I think this is what you want.
SELECT msg, datetime
FROM tbl_depts td
INNER JOIN tbl_motd tm ON td.id = tm.deptid