I have this query:
$queryfile = "UPDATE Glasovi
SET Fotografija='$content',
MD5Slike='$checksum'
WHERE Email ='$email'";
It won't update the database.
When I write the email directly in the WHERE clause, it works:
$queryfile = "UPDATE Glasovi
SET Fotografija='$content',
MD5Slike='$checksum'
WHERE Email ='user.user#mail.com'";
I tried to echo the $email variable and it has the right value.
Where is the error in the first query?
Your query looks correct. The only issue I can see is one of the other variables contains a single quote, which could possibly result in your error.
try using addslashes escape any single quotes in your variable
$queryfile = "UPDATE Glasovi
SET Fotografija ='".addslashes($content)."',
MD5Slike ='".addslashes($checksum)."'
WHERE Email ='".addslashes($email)."'";
Doing so would also help prevent SQL injection by single quotes
your request is ok, so you should check your variables in php, use var_dump($email)
-- EDIT --
Your request doesn't seem to be secure, you should use PDO statements to secure it from SQL injections
You have not concatenated your variables with your string.
Change your code to this:
$queryfile="UPDATE Glasovi SET Fotografija=' . $content . ', MD5Slike=' . $checksum . ' WHERE Email =' . $email . '";
Related
Let's say I want to update a message row without deleting the previous message. For example: row message has the current value "hello", now I want to add "hi" without replacing the word "hello". So the result should be "hello hi".
I've tried the code below but it won't work:
$text="hi";
$sql = "UPDATE class SET message= message+'$text' WHERE id=2";
or
$sql = "UPDATE class SET message= 'message'.'$text' WHERE id=2";
sorry, im not really good at english. thanks for the help
you can do use the mysql's concat() function to append data to a field:
$sql = "update class set message = concat(ifnull(message,"")," ".'$text') where id=2";
You may also want to consider a space before appending the new content!
Well, you should first of all you should really learn about SQL injection (and how to prevent it, including Prepared Statements).
You can do this in SQL using the CONCAT() function:
$sql = "UPDATE class SET message = CONCAT(message, '$text') WHERE id=2";
Try CONCAT instead, in your mysql query.
$text = "hi";
$myQuery = "UPDATE class SET message= CONCAT(message,'".$text."') WHERE id=2";
You should use the CONCAT function which is used to concatenate strings.
Here since you are using the content of a php variable, it is good to escape the php variable from mysql query like '".$text."';
Have a look at the CONCAT() Function of MySql:
$sql = "UPDATE class SET message=CONCAT(message, '".$text."') WHERE id=2";
should do the trick.
You could try this:
$sql = "UPDATE class SET message=CONCAT(message, '$text') WHERE id='2'";
However, be aware that this is vulnerable to SQL Injections
<?php $daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
echo $daerah_ejen1;
echo $kumpulan_ejen1;
echo $kumpulan_ejen;
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
$result = mysql_query($sql) or #error_die("Query failed : $sql " . mysql_error());
?>
my url
laporan_kk_detail.php?daerah_ejen=HULU+LANGAT&kumpulan_ejen=Ketua Kampung
for output daerah_ejen variable has display,
but for kumpulan_ejen/kumpulan_ejen1 is not display.
i dont know where the problem
your quotes accessing $_GET variable is invalid. try this
<?php
$daerah_ejen1 = $_GET["daerah_ejen"];
$kumpulan_ejen1 =$_GET["kumpulan_ejen"];
and you should read something about security, because you can pass malicous code to your script!
edit:// you can have a look on this thread https://stackoverflow.com/questions/19539692/sanitizing-user-input-php
you are converting get values in string using double quotes so remove and try
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
also use mysql_real_escape_string() for prevent sql injection.
The quotes go around the parameter name. This is because $_GET[] is an associative array and its values are referenced using a string key
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
Always sanitize your parameter values before using them in a query to protect yourself against SQL injection.
$daerah_ejen1 = mysqli::real_escape_string($daerah_ejen1)
You face 2 problem on your code :
1st is :
$daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
replace it by this :
$daerah_ejen1 = $_REQUEST['daerah_ejen'];
$kumpulan_ejen1 =$_REQUEST['kumpulan_ejen'];
2nd is :
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
replace it by this :
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '".$daerah_ejen1. "' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
If you need to put the $_GET['name'] in double quotes, wrap it in {} brackets.
e.g.
$kumpulan_ejen1 ="{$_GET['kumpulan_ejen']}";
Also, as dbh pointed out, you only have $kumpulan_ejen1, not kumpulan_ejen.
I have this quick question, i have got the username variable from a form and i need to insert it in a query, can you please tell me where i'm going wrong, it says: Unknown column '$username' in 'field list'
Here is the code:
echo $HTTP_POST_VARS['username'];
echo $username;
$query = sprintf( 'SELECT $username FROM hostess' );
In the code supplied you never set $username.
You're wide open for Sql injection.
You're using sprintf without any reason - it formats a string but you're not supplying any formatting, my example below does
You're trying to 'SELECT $username FROM hostess' but that's not a valid Sql statement at all.
You'd be wanting something more like:
$query = sprintf( "SELECT * FROM hostess WHERE username='%s'", $username);
AFTER making sure you clean $username.
Uhmm about everything seems wrong..
First of all, you never defined the variable $username.
What you are doing would only be valid in a version of PHP that still supports suberglobals.
Second, why are you using sprintf for a query?
By the way, HTTP_POST_VARS is deprecated. Use POST
Correct code would be something like this;
$username = $_POST['username'];
echo $username;
$query = mysql_query("SELECT ".$username." FROM hostess");
in PHP, using the single quote for strings will not parse the string for variables. Use either concatenation or double quotes:
$query = sprintf( 'SELECT ' . $username . ' FROM hostess' );
$query = sprintf( "SELECT $username FROM hostess");
Of course, this is to say nothing about the terrible risks using a POST var this way implies.
$query = sprintf( 'SELECT %s FROM hostess', $username);
-or, if that's a string value, I suspect you may want to include that in single quotes in the query text -
$query = sprintf( "SELECT '%s' FROM hostess", $username);
NOTE: The generated SQL statement looks a bit odd, in that its going to return the same literal value for every row in the hostess table. If there's a hundred rows in the hostess table, you are going to return 100 rows with the same literal value. This may be what you want, but it strikes me as VERY odd.
NOTE: The sprintf function looks for %s, %d, etc. placeholders in the first argument, and replaces them with values from the remaining arguments.)
NOTE: If $username contains a value coming in from a form, and has not been validated, to thwart SQL injection attacks, I would use the (admittedly old school) mysql_real_escape_string function. (Others will offer suggestions for better, more modern techniques to accomplish the same result.)
$query = sprintf("SELECT '%s' FROM hostess",mysql_real_escape_string($username));
I am trying to use session variable($_SESSION['asc_id'], which holds some value like "AS0027001") in an SQL statement, but it is not working.
When I hardcode the value, it is providing results.
Can anyone please correct me.
MySQL query which is not working
$asc_id = $_SESSION['asc_id'];
$rs = mysql_query('select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob
from issio_asc_workers where asc_user_type = 31
and asc_id = "$asc_id"
and lname_fname_dob like "' .
mysql_real_escape_string($_REQUEST['term']) .
'%" order by lname_fname_dob asc limit 0,10', $dblink);
Mysql query which is working
$rs = mysql_query('select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob
from issio_asc_workers where asc_user_type = 31
and asc_id = "AS0027001" and lname_fname_dob like "' .
mysql_real_escape_string($_REQUEST['term']) .
'%" order by lname_fname_dob asc limit 0,10', $dblink);
Variable substitution only works within double quoted strings, not single quoted ones. In other words, you should do;
$rs = mysql_query("select .... and asc_id = '$asc_id' and ... limit 0,10", $dblink);
Btw, you did make sure the value doesn't include any characters that may lead to SQL injection, right? Otherwise you should use mysql_real_escape_string to make sure before inserting it into a query.
When you print the strings, it will be clear. When the question is reformatted to leave the SQL readable, the problem is clear. (The first rule for debugging SQL statements is "print the string". A second rule, that makes it easier to comply with the first, is always put the SQL statements into a string which you pass to the SQL function.)
You use the . notation to embed the request term in the string; you don't use that to embed the $asc_id into the string. You should also use mysql_real_escape_string() on the session ID value to prevent SQL injection.
First print the variable $asc_id . If it displays nothing, session is unavailable . In that case you missed session_start() in top of the current executing page .
From the SQL query, you cannot replace the value of a variable inside single quoted string .
Use . symbol for mixing string value with variable or use double quoted string . I prefer first one .
For troubleshooting , simplest method is printing variable values. From the result , you will understand what is missing .
Thanks
Try this. from the comment you added, I modified it like this
session_start(); //add this if you did not do it yet
$asc_id = $_SESSION['asc_id'];
$rs = mysql_query("select asc_lastname, asc_firstname, asc_middlename, lname_fname_dob
from issio_asc_workers where asc_user_type = 31
and asc_id = '$asc_id'
and lname_fname_dob like '".
mysql_real_escape_string($_REQUEST['term']) .
"%' order by lname_fname_dob asc limit 0,10", $dblink);
Let's say I have a query:
" SELECT * FROM table
WHERE donor_id = " .$this->session->userdata('id') ."
GROUP BY rating"
However, it appears that I get a mysql syntax error here, citing that $this->session->userdata('id') gives me '25' for example, instead of 25. Are there any workarounds here to prevent $this->session->userdata('id') from being quoted?
Thanks.
In CI, I do this all the time:
$id = intval($this->session->userdata('id'));
$sql = " SELECT * ".
" FROM table ".
" WHERE donor_id = {$id} ".
"GROUP BY rating ";
//process $sql below
Creating query like this will make you easier to spot bug and prevent SQL injection. Use concatenation when you need to split query to multiple lines instead of make it a long multiple string is to prevent the actual query string got too long. Indent the SQL keyword is to make it easier spot logical and syntax bug.
intval($this->session->userdata('id'))
Assuming you mean that it is returning you a string instead of an integer you could always try using settype or intval:
$var = '2';
settype($var, "integer");
$var = intval($var);
However, if you mean that the quotes are for some reason hard-coded in, you could do a string replace, if you are sure that the value will not contain quotes:
ech str_replace("'", "", "'2'"); // prints 2