I have this string in PHP:
$str = "1,3,6,5";
These numbers can change and the length of the set can change to more or less than four. I want to convert to a MySQL query like this in PHP:
$qry = mysql_query("SELECT * FROM tbl WHERE id = 1 or id = 3 or id = 6 or id = 5");
It should be easy, but I don't know how to do it.
I will be grateful for any help.
You could use IN.
$query = mysql_query("SELECT * FROM table WHERE id IN ($str)");
Make sure $str is validated first to prevent SQL injection.
I looked mostly everywhere on Stack Overflow for adding multiple WHERE instances but none of them seem to work.
My Select query:
$result = mysql_query("SELECT * FROM $tableName WHERE user = $user AND column = 1"); //query
I tried IN and some other ways but I don't know why it won't get the column. If I take out the user column it works, but I want it to also restrict to the column as well.
Any help will be appreciated!
column is a reserved word in MySQL. You have to use ` around that kind of column_name and use ' single quotes around string data: '$user'
SELECT * FROM $tableName WHERE user = '$user' AND `column` = 1
You need to wrap the username in single-quotes & as mentioned by Yogesh column is a reserved keyword in MySQL. Try this:
user = '$user' AND `column` = 1
So the whole statement becomes:
$result = mysql_query("SELECT * FROM $tableName WHERE user = '$user' AND `column` = 1");
Also, you should be using mysqli or PDO with prepared statements instead.
Rewrite your query. Use the below code:
$result = mysql_query("SELECT * FROM `".$tableName."` WHERE user = '".$user."' AND `column` = 1");
What I can't tell from the query is what column is: is it the name of a column?
You also need to put the value in single quotes and the table name in ` backticks.
Try this one:
$sql = 'SELECT * FROM '.$tableName.' WHERE user = "'.$user.'" AND `column` = 1';
For the user I am testing with, their org_id column value is "student_life"
I am trying to have this function display whatever rows have the student_life column = 1. (so yes there is a column student_life which is a boolean, and then I also have a separate column named org_id and in this case has the value student_life)
I am pretty sure there is a syntax error but I cannot figure it out.
function org_id_users_table()
{
$org_id = mysql_real_escape_string($_POST["org_id"]);
$sql = $this->query("SELECT * FROM ".DBTBLE." WHERE '$org_id' = '1'");
$result = $sql['sql'];
$num_rows = $sql['num_rows'];
$this->create_table($result, $num_rows);
}
(When I replace $org_id in the "$sql=..." line with student_life, the code works.)
You're quoting the column name, which makes MySQL think it's a string.
$sql = $this->query("SELECT * FROM ".DBTBLE." WHERE $org_id = '1'");
Edit:
Based on your comments, I think what you actually want is this:
$sql = $this->query("SELECT * FROM ".DBTBLE." WHERE org_id = '$org_id'");
Change quotes.
$sql = $this->query("SELECT * FROM ".DBTBLE." WHERE `$org_id` = '1'");
P.S. Why shouldn't I use mysql_* functions in PHP?
Where is this coming from? $_POST["org_id"]
Do you have a form on the page posting that? Or are you just trying to get that from the database? If so, wouldn't you need another query to obtain that first?
$row_MyFirstQuery['org_id']
Otherwise if it is $_POST["org_id"], wouldn't it be single quotes not double? $_POST['org_id']
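Added example (not part of the original posts): in the question above, the posted value chooses which column is tested, and `mysql_real_escape_string()` does not protect an identifier. One way to handle that is to match the requested name against a fixed list and bind the value with PDO; the table and column names, the list contents and the SQLite in-memory database are assumptions made so the script runs offline.

```php
<?php
// Added example. Assumptions: the table name behind DBTBLE, the column
// names, and PDO with in-memory SQLite standing in for MySQL.
const DBTBLE = 'users';
// The only columns a request is allowed to filter on.
const FLAG_COLUMNS = ['student_life', 'athletics'];

function users_with_flag(PDO $pdo, string $requested): array
{
    // A column name cannot be sent as a bound parameter, and string
    // escaping does not make it safe, so match it against a fixed list.
    $idx = array_search($requested, FLAG_COLUMNS, true);
    if ($idx === false) {
        throw new InvalidArgumentException('Unknown column requested');
    }
    $column = FLAG_COLUMNS[$idx]; // taken from our list, not from the request
    $stmt = $pdo->prepare(
        'SELECT name FROM `' . DBTBLE . '` WHERE `' . $column . '` = ? ORDER BY name'
    );
    $stmt->execute([1]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, org_id TEXT, student_life INTEGER, athletics INTEGER)');
$pdo->exec("INSERT INTO users VALUES ('ann','student_life',1,0),('bob','athletics',0,1),('cy','student_life',1,1)");

$_POST['org_id'] = 'student_life'; // stands in for the form field
print_r(users_with_flag($pdo, $_POST['org_id']));

try {
    users_with_flag($pdo, 'password'); // a name that is not on the list
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```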
Alright, so basically the most simple query ever... I've done this a million times...
SELECT *
FROM purchased_items
WHERE uid = '$uid'
If $uid == 123, it works fine and returns all data in rows where uid is 123.
If $uid == 351565051447743, it returns empty...
I'm positive 351565051447743 is a possible uid in some rows, I literally copied and pasted it into the table.
$uid is a string, and is being passed as a string.
This is something I've done a million times, and I've never had this simple query not work.
Any ideas why this is not working?
You're probably getting an E{some_power} representation as a string from the double.
What I mean is
$query1 = "SELECT * FROM purchased_items WHERE uid = '$uid'";
Produces:
SELECT * FROM purchased_items WHERE uid = '3.5156505144774E+14'
One way to fix it is:
$query = sprintf("SELECT * FROM purchased_items WHERE uid = '%d'", $uid);
Not sure if SQL supports E format so this may or may not be the issue.
http://viper-7.com/v6MhVe
Edit: Quick workaround
$format = (is_numeric($uid)) ? '%d' : '%s';
$query2 = sprintf("SELECT * FROM purchased_items WHERE uid = '{$format}'", $uid);
What is the datatype of uid on your table? How about casting uid to another datatype?
SELECT *
FROM purchased_items
WHERE CAST(uid AS VARCHAR(25)) = '$uid'
Alright, so if you use AMFPHP apparently when you use the browser for testing it doesn't matter if you 'cast' the value as a string in the query. You need to pass it with quotes in the string in the browser interface.
I have 3 ids in a string:
let $x="6,3,5"
I want to get all color information from tbl_color where the color ids are 6, 3 and 5.
I made this query, but it does not work. What's wrong with this?
$sql=" SELECT * FROM tbl_color WHERE color_id IN(".explode(',',$x).")
Please suggest the right query.
explode() takes a string and turns it into an array. You already have a string. All you need to do is change your statement and just include $x in your string. You don't need to explode it.
UPDATE:
Per your comment, here is how I would do it:
$x="3,4,5";
$sql=" SELECT * FROM tbl_color WHERE color_id IN(".$x.");";
HTH,
-aj
You are concatenating an array with a string. The explode is not needed:
$sql = "SELECT * FROM tbl_color WHERE color_id IN ($x)";
A full example assuming you get the input from a user or it is sent from the browser to the server:
$x = $_GET['colors']; // 6,3,5
$x = mysql_real_escape_string( $x ); // Prevent SQL Injection attack
$sql = "SELECT * FROM tbl_color WHERE color_id IN ($x)";
If $x is a string, then you don't need to use explode, just use it as is
$sql="SELECT * FROM tbl_color WHERE color_id IN($x)";
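Added example (not part of the original posts): both the `IN ($str)` answer at the top of the page and the `IN ($x)` answers above interpolate the list unquoted, so it has to be validated element by element. This sketch checks that every element is an integer and binds the values through PDO placeholders; the function names, the `name` column and the SQLite in-memory database are assumptions made so the script runs offline.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver (in-memory, so it
// runs offline), a `name` column, and the function names used here.
// Turn "6,3,5" into [6, 3, 5]; refuse anything that is not a comma-separated
// list of plain non-negative integers.
function parse_id_list(string $csv, int $maxIds = 100): array
{
    $ids = [];
    foreach (explode(',', $csv) as $part) {
        $part = trim($part);
        // ctype_digit() is false for '', '-1', '1.5' and '5) OR (1=1'
        if (!ctype_digit($part)) {
            throw new InvalidArgumentException("Invalid id: '$part'");
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids));
    if (count($ids) > $maxIds) {
        throw new InvalidArgumentException('Too many ids');
    }
    return $ids;
}

function find_colors(PDO $pdo, string $csv): array
{
    $ids = parse_id_list($csv);
    // One "?" per id: the SQL text holds only placeholders, never the input.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT color_id, name FROM tbl_color WHERE color_id IN ($marks) ORDER BY color_id"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_color (color_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO tbl_color VALUES (3,'red'),(5,'green'),(6,'blue'),(7,'black')");

print_r(find_colors($pdo, '6,3,5'));
// Constructed input with no quote characters, which escaping leaves unchanged.
try {
    find_colors($pdo, '6,3,5) OR (1=1');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```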
Alt A below is a statement from a php-mysql tutorial. It works as it should.
I found the id-value rather obfuscated and tested alt B. This also worked!
What is the point with the id-value of alt A?
MySQL 5.0.51, PHP 5.2.6
// Alt A :
$sql = "SELECT * FROM example WHERE id = '".$q."'";
// Alt B :
$sql = "SELECT * FROM example WHERE id = $q";
These are just two different approaches to building a string from static and variable data.
Alternative A uses concatenation, or the joining of string and variable tokens using the concatenation operator.
Alternative B uses variable expansion, wherein the variables inside a double-quote-delimited string are expanded to their values at evaluation time.
Neither is necessarily better or preferred, but if you have to have single-quote-delimited strings, for example, then you would need to use alternative A.
Of course, neither of these is preferable to building SQL queries with bound parameters, as not doing so leaves you vulnerable to SQL injection attacks.
There are two reasons to use the example in 'Alt A'. First, if the string is enclosed in single quotes '', the variable's name will be used in the string instead of its value.
$id = 7;
'SELECT * FROM table WHERE id = $id' //works out to: WHERE id = $id
"SELECT * FROM table WHERE id = $id" //works out to: WHERE id = 7
Secondly, it's useful to combine strings with the results of a function call.
"SELECT * FROM table WHERE id = '".getPrimaryId()."'"
Outside of what has already been said I've found it best practice, if I'm writing a query, to write it as so:
$sql = "SELECT * FROM table WHERE uid=" . $uid . " LIMIT 1";
The reason for writing SQL like this is that 1. the MySQL query doesn't have to parse the PHP variables in the query and 2. you can now easily read and manage the query.
When PHP communicates with MySQL, it is actually (in essence) two languages communicating with each other. This means that a string will be processed by the first language before being sent to the other. It also means that it is important to think in terms of the receiving language.
In this case:
$q = 'some_name';
$query = "SELECT * FROM exempel WHERE id = $q";
you are telling MySQL to
"SELECT * FROM example1 WHERE id = some_name".
In this case:
$q = 'some_name';
$query = "SELECT * FROM exempel WHERE id = '$q'";
and this case:
$q = 'some_name';
$query = "SELECT * FROM exempel WHERE id = '".$q."'";
you are telling MySQL to
"SELECT * FROM example1 WHERE id = 'some_name'".
The first example should cause an error as some_name is not a valid part of a MySQL query (in that context). On the other hand, the next two will work fine, because MySQL will look for the String "some_name".
You can also do this:
$sql="SELECT * FROM exempel WHERE id = {$q}";
which is useful for setting off things like:
$sql="SELECT * FROM exempel WHERE id = {$row['id']}";
In 'alt B', $q must be an int or float or other numeric.
In 'alt A', $q can be anything: a string, int, etc.
The single quote makes that possible. It's just hard to see sometimes if you are looking at it for the first time.