I only have MySQL installed right now but will these work fine when run in PgSQL, MS SQL, etc.?
SELECT MAX(field) as max_field FROM table
SELECT MIN(field) as max_field FROM table
SELECT SUM(field) as max_field FROM table
You could check for yourself, but aggregate functions are common across most, if not all, RDBMS:
H2 aggregate functions
Oracle aggregate functions
PostgreSQL aggregate functions
SQL Server aggregate functions
You get the idea.
Yes, they work well in every database.
SELECT AVG(field) as max_field FROM table -- Works fine too
All *SQL RDBMSes are designed to be used with the SQL language. ALL of them. That's why they're called *SQL RDBMSes. Aggregate functions are part of standard SQL, and therefore usable wherever SQL is usable.
Related
If I have 2 mysql_query commands in a single PHP file, is there a way to combine them?
For example, I have:
$a=mysql_query("SELECT * FROM table1");
$b=mysql_query("SELECT id FROM table3");
but I want to combine them into a single mysql_query. Would this be more efficient? Would it be faster?
Multiple queries are not supported in mysql_query, as described in the PHP manual, so you can't combine both queries the PHP mysql_query way.
Here is another good reference from php manual notes:
Executed with multiple queries at once, the mysql_query function will return a result only for the first query. The other queries will be executed as well, but you won't have a result for them.
UNION should work (MySQL Manual)
SELECT id FROM table1 UNION SELECT id FROM table3;
Edit:
I see: You want all ("*") from table1. This is a little bit more difficult, but UNION may help also. However, are you really sure you want to do this? Is there any relationship between those two tables, or should this just be a kind of micro optimization?
How can I run a query that joins two tables from TWO different databases in mssql_query or mysql_query in PHP?
For example:
$conn=mssql_connect($ip,$username,$password);
mssql_select_db("DB1",$conn);
$q="select A.name,B.ID from DB1.dbo.T1 A, DB2.dbo.T2 B where A.ID=B.ID";
$res=mssql_query($q);
How do I run such a query?
Just prefix the tablenames with the database name, as you are already doing.
The user login that you are using to connect to mySQL needs to have access to both databases. Without this, it is impossible.
I think something like this:
SELECT X.field1, Y.field2
FROM database1.table_a AS X
INNER JOIN database2.table_b as Y
ON X.id=Y.id
[EDITED]
Sorry I didn't finish the post, you should use mysqli http://www.php.net/manual/en/mysqli.query.php (don't worry for the constructor, put just 1 database) and run the query as a regular query. Also, like the guy in the top said, the user that makes the query must have the permissions for both tables.
I have tableA in a SQL database,
and tableB in a MySQL database.
How do I write the join, and which function should I use for that (mysql_query or mssql_query)?
Thanks
You can't do that unfortunately. Even if you connected to both via ODBC, you'd still have two separate connections. Besides MySQL knows nothing about MSSQL, and MSSQL knows nothing about MySQL.
An additional layer of abstraction would be required, but it would possibly be very inefficient.
So far as I know it is not possible with default PHP (mysql and mssql) functions, but I'm pretty sure that it is possible with ODBC on your machine.
With ODBC you can make cross DB connections between MySQL and MSSQL. So I think you can create a query like this:
SELECT
MYSQL.db.tbl_x.*
FROM
MYSQL.db.tbl_x
LEFT JOIN
MSSQL.db.tbl_y
ON
MYSQL.db.tbl_x.id=MSSQL.db.tbl_y.id
If you only would like to copy some data, I recommend Navicat.
This is part of a security audit, so there is no way to "change" the query.
Basically, what I found is a flaw that allows statement manipulation, so basically it goes like:
$query = "DELETE FROM `products` WHERE `products`.`whatever` = $variable";
This is PHP, so as far as I know there is no way to execute multiple queries. Using this SQL Injection, I was able to "clear" this table by running "0 OR 1=1#".
This works just fine, but it doesn't allow me to choose more tables to delete from.
This is, in pseudocode what I want to do:
DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1, FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**
Is this plausible anyhow?
If this isn't reliable, is there any other way I could use this?
You can't have multiple FROM clauses for the same DELETE statement, so you can't go about it exactly how you'd want to. If the MySQL db had 'allow multiple queries per statement' turned on, you could try to terminate the one DELETE query and then tack on another to the end, so that it'd look like this:
DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1; DELETE FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**
But that's about it.
Perhaps I don't fully understand the question, but what I take away is that you're building a SQL command as a string and running that string directly against a MySQL database.
You can separate multiple commands using the command separator (usually ';'), so you could run pretty much any command you want as this comic aptly illustrates.
If your database configuration supports multiple commands (or might in the future if someone changes today's setting), you want to ensure you don't have a command separator as part of the input. See this article for advice on sanitizing your input to prevent this type of attack.
As you stated, multiple queries are not supported by the normal MySQL driver module. From the manual for mysql_query:
mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.
Unfortunately for your injection efforts, DELETE syntax only supports multiple table deletes by specifying them in the FROM clause. Your injected variable is part of the WHERE, so the most damage you can do is to the single specified table.
Contrary to popular belief, you can actually run multiple MySQL statements from PHP, you just have to be using a different database driver module such as MySQLi. See MySQLi::multi_query().
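The DELETE statement from the question, shown next to a validated and bound version, as an added example that is not part of any post in this thread. It assumes PDO with the SQLite driver as a stand-in for MySQL; the helper names `freshDb`, `remaining`, `deleteConcatenated` and `deleteBound` and the sample rows are made up for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server (assumption);
// table and column names follow the question, the rows are constructed.
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, whatever INTEGER)');
    $db->exec('INSERT INTO products (whatever) VALUES (0), (1), (2)');
    return $db;
}

function remaining(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM products')->fetchColumn();
}

// Vulnerable form from the question: the value becomes part of the SQL text,
// so "0 OR 1=1" turns the WHERE clause into a condition that is always true.
function deleteConcatenated(PDO $db, string $variable): int {
    $db->exec("DELETE FROM `products` WHERE `products`.`whatever` = $variable");
    return remaining($db);
}

// Hardened form: reject anything that is not an integer, then bind the value
// so it can never be parsed as SQL.
function deleteBound(PDO $db, string $variable): int {
    $value = filter_var($variable, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException('whatever must be an integer');
    }
    $stmt = $db->prepare('DELETE FROM `products` WHERE `products`.`whatever` = ?');
    $stmt->bindValue(1, $value, PDO::PARAM_INT);
    $stmt->execute();
    return remaining($db);
}

$input = '0 OR 1=1';  // value reported in the question, without the MySQL "#" comment
printf("concatenated, hostile input: %d rows left\n", deleteConcatenated(freshDb(), $input));
printf("bound, input '0':            %d rows left\n", deleteBound(freshDb(), '0'));
try {
    deleteBound(freshDb(), $input);
} catch (InvalidArgumentException $e) {
    printf("bound, hostile input:        rejected (%s)\n", $e->getMessage());
}
```

Binding fixes the statement text regardless of whether the driver or server allows multiple statements, so the defence does not depend on that setting staying off.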
How do I get the last insert id from a database using an ODBC connection?
I'm looking for a solution similar to the mysql_insert_id() function.
SELECT @@IDENTITY AS ID
If you're using databases with PHP I strongly recommend using PDO (simple database wrapper for a lot of common database engines, more and more supported all the time, part of PHP canon), and hence use PDO::lastInsertId if your database supports the equivalent of mysql_insert_id.
Don't use "SELECT max(id) FROM table;" as it can result in seriously freaky and hard-to-find bugs later on.
UPDATE: OK, you're using ODBC, and I suspect you're after odbc_cursor. I still stand by the strong recommendation to use PDO, as it has an ODBC driver. (ODBC in my eyes is a grumpy bitter old man who mumbles under his breath driving his truck that's falling apart, as the hip and effective PDO guys race past in their sexy VOLVO S90's)
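The difference between `MAX(id)` and a connection-scoped insert id, as an added example that is not part of the answer above. It assumes PDO with the SQLite driver and two connections to one database file playing the role of two concurrent requests; the `orders` table, the helper names and the customer values are constructed.

```php
<?php
// Added example. Two PDO connections to one SQLite file stand in for two
// concurrent PHP requests (assumption); the orders table is constructed.
$path = tempnam(sys_get_temp_dir(), 'ids');
$requestA = new PDO("sqlite:$path");
$requestB = new PDO("sqlite:$path");
foreach ([$requestA, $requestB] as $conn) {
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
$requestA->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT, customer TEXT)');

function insertOrder(PDO $conn, string $customer): void {
    $conn->prepare('INSERT INTO orders (customer) VALUES (?)')->execute([$customer]);
}

function customerOf(PDO $conn, int $id): string {
    $stmt = $conn->prepare('SELECT customer FROM orders WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Request A inserts its row; request B inserts before A asks for "its" id.
insertOrder($requestA, 'alice');
insertOrder($requestB, 'bob');

// MAX(id) is table-wide: it reports the newest row from any connection.
$viaMax = (int) $requestA->query('SELECT MAX(id) FROM orders')->fetchColumn();
// lastInsertId() is scoped to the connection that performed the insert.
$viaConnection = (int) $requestA->lastInsertId();

printf("MAX(id)        -> id %d, row belongs to %s\n", $viaMax, customerOf($requestA, $viaMax));
printf("lastInsertId() -> id %d, row belongs to %s\n", $viaConnection, customerOf($requestA, $viaConnection));

$requestA = $requestB = null;  // close both connections
unlink($path);
```

When the returned id is then used to attach further data to "the row I just created", the table-wide lookup can point one user's request at another user's row.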
It depends on the database type, but look into the SEQUENCE syntax for your RDBMS.
I used "SELECT @@IDENTITY AS LastID", while working with PHP/MSSQL, through ODBC. That brought some issues under SQL 2005 server (or was it 2000?).
Either way if you do like this:
SET NOCOUNT ON
[NOW INSERT YOUR INSERT SQL QUERY]
SELECT @@IDENTITY AS LastID
you should be just fine in any MSSQL server version.
"SET NOCOUNT ON" will prevent sql server from sending messages like '1 rows inserted', which will keep your script working properly.
If you have MySQL under ODBC - you can use the next query:
"SELECT LAST_INSERT_ID( );"
It has to be executed immediately after executing the INSERT query.
For other database - use other specific queries...
Use in MySQL
SELECT *
FROM table_name
ORDER BY Id Desc
LIMIT 1
Use in SQL Server
SELECT top 1 *
FROM table_name
ORDER BY Id Desc
Are you inserting rows into your database via PHP? If so, perhaps you can generate a unique primary key using uniqid() - then you will know the ID without having to query the database.
If it is not possible to update the key type, perhaps you can still insert a unique id when you do the inserts, so you could do a query like this:
SELECT id FROM mytable WHERE rowid = '$myuniqueid'
That way you're ensuring that you're pulling back the correct ID from the database - a much better solution than MAX(id).
Using
SELECT max(id) FROM table;
should be fine from inside a transaction, or does ODBC not support transactions?