MySQL query based on user input - php

I have a DB table. I want to make a text input where the user can input the "uid" and the query will return the row associated with that uid.
So let's say I have something like this:
$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);
echo $res["age"];
how would I modify that query to something like:
SELECT name, age
FROM people
WHERE uid = $_POST['blahblah'] LIMIT 0,1
Thanks in advance for your help!

In reality...
// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');
// Build query. Properly escape input data.
$query =
"SELECT name,age " .
"FROM people " .
"WHERE uid = '" . mysql_real_escape_string($uid) . "' " .
"LIMIT 0,1";
It's advisable to escape characters in the variable for security reasons. Take a look at this document for some of the reasons:
http://en.wikipedia.org/wiki/SQL_injection

To save from SQL injection attack, use:
$search_query = mysql_real_escape_string($_POST['blahblah']);
$query = "SELECT name, age FROM people WHERE uid = '".$search_query."' LIMIT 0 , 1";

There are so many ways to do the same thing.
But first escape it and store it in one variable:
$blahblah = mysql_real_escape_string($_POST['blahblah']);
And then there are:
First:
As @Mett Lo mentioned:
$query = "SELECT name,age FROM people WHERE uid = '" . $blahblah . "' LIMIT 0,1";
Second:
$query = "SELECT name,age FROM people WHERE uid = '{$blahblah}' LIMIT 0,1";
Third:
$query = "SELECT name,age FROM people WHERE uid = '$blahblah' LIMIT 0,1";
and if blahblah is an int value in the DB table, then Fourth:
$query = "SELECT name,age FROM people WHERE uid = $blahblah LIMIT 0,1";

You may use the sprintf function to create the query.
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
$_POST['blahblah'] );
The rest will be the same. It is highly recommended that you escape the $_POST data before running the query to prevent SQL injection attacks. You may rephrase the query as follows.
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
mysql_escape_string($_POST['blahblah']) );

Related

How can I order by id ascending?

I want to order the data by id, how can I do this?
if($_GET["grupid"]>0){
$DUZEN = array();
$sql = "SELECT * FROM siparis_ana WHERE grupid =".$_GET["grupid"];
$rsDuzen = mysql_query($sql, $conn) or die(mysql_error());
while ($r = mysql_fetch_assoc($rsDuzen)) {
$DUZEN[] = $r;
}
}
I can read all data with this code which has the same group id. But the data comes out in random order.
You have to use the MySQL ORDER BY clause in your query, like order by id asc, which you put at the end of your query.
$sql = "SELECT * FROM siparis_ana WHERE grupid =".$_GET["grupid"]." order by id asc";
Your SQL query should look like the one given below:
$sql = "SELECT * FROM siparis_ana where grupid = " . $_GET['grupid'] . " ORDER BY id asc ";
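The uid lookup in the first thread and the grupid query above both splice request input straight into the SQL text; the "Fourth" variant (escape, then interpolate without quotes) and the grupid query are injectable even after mysql_real_escape_string(), because escaping only neutralises quote characters and a payload such as `2 OR 1=1` contains none. The following is an added example, not code from any of the posts: it uses PDO with an in-memory SQLite database so it runs offline (with MySQL only the DSN changes), constructs its own `people` rows, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection (assumption: both escape the same quote characters). The function names are mine.

```php
<?php
// Added example (not code from the original posts). PDO with an in-memory SQLite
// database so it runs offline; for MySQL only the DSN and credentials change.
// mysql_real_escape_string() needs a live MySQL connection, so addslashes()
// stands in for it here (assumption: it escapes the same quote characters).

function openPeople(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE people (uid INTEGER PRIMARY KEY, name TEXT, age INTEGER)");
    // Constructed sample rows.
    $pdo->exec("INSERT INTO people VALUES (1, 'alice', 31), (2, 'bob', 27), (3, 'carol', 44)");
    return $pdo;
}

// The "Fourth" variant from the thread (and the grupid query): escaped, then
// interpolated WITHOUT quotes. Escaping only neutralises quote characters, and
// the payload used below does not contain any, so it is spliced in unchanged.
function lookupUnquoted(PDO $pdo, string $input): array {
    $blahblah = addslashes($input);
    $query = "SELECT name, age FROM people WHERE uid = $blahblah";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Validate the type, then bind: the value travels as data, never as SQL text.
function lookupPrepared(PDO $pdo, string $input): ?array {
    $uid = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null;            // not a positive integer: reject, do not "escape and hope"
    }
    $stmt = $pdo->prepare("SELECT name, age FROM people WHERE uid = :uid LIMIT 1");
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openPeople();
$hostile = '2 OR 1=1';   // what an attacker puts in $_POST['blahblah'] or $_GET['grupid']

// The unquoted query becomes "... WHERE uid = 2 OR 1=1" and returns the whole table.
printf("unquoted, hostile: %d rows returned\n", count(lookupUnquoted($pdo, $hostile)));
// The validated, bound query never sees the payload as SQL.
printf("prepared, hostile: %s\n", lookupPrepared($pdo, $hostile) === null ? 'rejected' : 'row');
printf("prepared, uid 2  : %s\n", lookupPrepared($pdo, '2')['name'] ?? 'none');
```

The `$_GET["grupid"] > 0` guard in the question does not help here: PHP's loose comparison accepts `'2 OR 1=1' > 0` (numeric-prefix conversion on PHP 7, string comparison against `"0"` on PHP 8). Validating with FILTER_VALIDATE_INT and binding with PDO::PARAM_INT is the check that actually constrains the value.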

Search WHERE NOT function in mysql for a string?

I got the following Mysql command:
// Call on a random style ID to display in rating window which user hasn't seen yet.
$resultSet = $conn->query("SELECT pictureID,userID FROM styles WHERE NOT
viewedByUser = (NOT LIKE '%$userID%') ORDER BY RAND() LIMIT 1");
while($rows = $resultSet->fetch_assoc() ){
$rateableUserID = $rows['userID'];
$rateablePictureID = $rows['pictureID'];
}
I want to use the WHERE NOT function to search the field "viewedByUser" for rows whose string does not contain the same string as the variable $userID.
What options have I got here?
Try this:
$resultSet = $conn->query("SELECT pictureID,userID FROM styles WHERE
viewedByUser NOT LIKE '%$userID%' ORDER BY RAND() LIMIT 1");
while($rows = $resultSet->fetch_assoc() ){
$rateableUserID = $rows['userID'];
$rateablePictureID = $rows['pictureID'];
}
You can directly use != instead of NOT LIKE, and there is nothing called WHERE NOT.
$resultSet = $conn->query("SELECT pictureID, userID FROM styles WHERE viewedByUser != '$userID' ORDER BY RAND() LIMIT 1");
Since they are email addresses, you can do:
$userId = 'abc@abc.com xyz@xyz.com';
$userId = explode(' ', $userId);
echo $userStr = implode("', '", $userId);
$resultSet = $conn->query("SELECT pictureID, userID FROM styles WHERE viewedByUser NOT IN ('" . $userStr . "') ORDER BY RAND() LIMIT 1");
If you need a (not) like on the viewedByUser you can simply use
"SELECT pictureID,userID
FROM styles
WHERE viewedByUser NOT LIKE '%$userID%'
ORDER BY RAND()
LIMIT 1";
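Every answer above interpolates `$userID` into the pattern. Binding it instead removes the injection, but a bound value inside a LIKE pattern still needs its own treatment: `%` and `_` typed by the user remain wildcards unless escaped with an ESCAPE character. The block below is an added example, not code from the thread; it uses PDO with an in-memory SQLite database, constructs a small `styles` table (viewedByUser holding a space-separated list of e-mail addresses, as the thread describes), and shows both the bound NOT LIKE with wildcard escaping and the NOT IN variant with one placeholder per value. Function names are mine.

```php
<?php
// Added example (not code from the original posts). PDO + in-memory SQLite;
// the styles rows are constructed. viewedByUser holds a space-separated list
// of e-mail addresses, as the thread says.

function openStyles(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE styles (pictureID INTEGER, userID TEXT, viewedByUser TEXT)");
    $pdo->exec("INSERT INTO styles VALUES
        (10, 'u1', 'abc@abc.com xyz@xyz.com'),
        (11, 'u2', 'xyz@xyz.com'),
        (12, 'u3', '')");
    return $pdo;
}

// Binding a value into a LIKE pattern stops SQL injection, but '%' and '_'
// typed by the user still act as wildcards. Escape them with an explicit
// ESCAPE character ('!' here, which sidesteps the backslash rules that differ
// between MySQL string literals and PHP strings).
function likeLiteral(string $value): string {
    return strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Pictures whose viewedByUser does NOT contain $userID (the thread's NOT LIKE).
// $escape = false reproduces the unescaped behaviour for comparison.
function unviewedByLike(PDO $pdo, string $userID, bool $escape = true): array {
    $needle = $escape ? likeLiteral($userID) : $userID;
    $stmt = $pdo->prepare(
        "SELECT pictureID FROM styles
         WHERE viewedByUser NOT LIKE :pat ESCAPE '!'
         ORDER BY RANDOM()");                      // MySQL: ORDER BY RAND()
    $stmt->execute([':pat' => '%' . $needle . '%']);
    $ids = array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN, 0));
    sort($ids);                                    // deterministic output for the demo
    return $ids;
}

// The thread's NOT IN variant, with one placeholder per value instead of an
// imploded string of quotes. Note this is an exact match on the whole column.
function unviewedNotIn(PDO $pdo, array $lists): array {
    if ($lists === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($lists), '?'));
    $stmt = $pdo->prepare("SELECT pictureID FROM styles WHERE viewedByUser NOT IN ($marks)");
    $stmt->execute(array_values($lists));
    $ids = array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN, 0));
    sort($ids);
    return $ids;
}

$pdo = openStyles();
print_r(unviewedByLike($pdo, 'xyz@xyz.com'));   // rows not containing that address
print_r(unviewedByLike($pdo, '%', false));      // unescaped: pattern '%%%' matches every row
print_r(unviewedByLike($pdo, '%'));             // escaped: a literal '%', which no row contains
print_r(unviewedNotIn($pdo, ['abc@abc.com xyz@xyz.com', 'xyz@xyz.com']));
```

The difference between the second and third calls is the whole point: with a user-controlled pattern, an unescaped `%` makes NOT LIKE exclude everything (or LIKE match everything), which is a logic bug rather than an injection, and prepared statements alone do not prevent it.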

PHP, MySQL select all if

I have a problem with PHP and MySQL, please help.
$lokalita_s = $_POST['lokalita_s'];
$query = "SELECT nazov, lokalita FROM reality WHERE lokalita = '".$lokalita_s."' ORDER BY id";
............
But if ($lokalita_s == "nezáleží") then I want to select everything from the database,
something like this:
$query = "SELECT nazov, lokalita FROM reality ORDER BY id";
............
This is not working:
$lokalita_s = 0;
$lokalita_s = NULL;
$lokalita_s = *;
I really don't want to use if/else, because I want to use more variables in that query and it won't be efficient.
Try
$lokalita_s = $_POST['lokalita_s'];
$whereClause = null;
if($lokalita_s != "nezáleží") {
$whereClause = "WHERE lokalita = '" . $lokalita_s . "'";
}
$query = "SELECT nazov, lokalita FROM reality $whereClause ORDER BY id";
Something along these lines? (This works in Oracle)
$lokalita_s = $_POST['lokalita_s'];
$query = "
SELECT nazov, lokalita FROM reality WHERE lokalita = '". $lokalita_s."'
UNION
select nazov,lokalita from reality where '". $lokalita_s. "' = 'nezáleží'
order by id
";
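The question's real requirement is several optional filters in one query without a chain of if/else branches. A small filter builder handles that: each request value either becomes a bound condition or, when it equals "nezáleží" (roughly "doesn't matter"), is skipped, and column names come from a fixed whitelist rather than from the request. The block below is an added example, not code from the thread; it uses PDO with an in-memory SQLite database and constructs its own `reality` rows (the extra `typ` column and the function names are my assumptions).

```php
<?php
// Added example (not code from the original posts). Builds the WHERE clause
// from optional filters and binds every value. PDO + in-memory SQLite; the
// table, the extra 'typ' column and the rows are constructed for the demo.

const ANY = 'nezáleží';   // the request value meaning "no restriction on this column"

function openReality(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE reality (id INTEGER PRIMARY KEY, nazov TEXT, lokalita TEXT, typ TEXT)");
    $pdo->exec("INSERT INTO reality VALUES
        (1, 'Byt A', 'Praha', 'byt'),
        (2, 'Dom B', 'Brno',  'dom'),
        (3, 'Byt C', 'Praha', 'byt'),
        (4, 'Dom D', 'Praha', 'dom')");
    return $pdo;
}

// $filters maps column name => requested value (e.g. straight from $_POST).
// Column names are checked against a fixed whitelist: identifiers cannot be
// bound as parameters, so they must never come from the request unvalidated.
// Returns the matching ids in id order.
function findReality(PDO $pdo, array $filters): array {
    $allowed = ['lokalita', 'typ'];
    $where   = [];
    $params  = [];
    foreach ($filters as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("unknown filter column: $column");
        }
        if ($value === ANY) {
            continue;                      // "select everything" for this column
        }
        $where[] = "$column = :$column";
        $params[":$column"] = $value;      // bound, so quotes in the value are harmless
    }
    $sql = "SELECT id, nazov, lokalita FROM reality";
    if ($where !== []) {
        $sql .= " WHERE " . implode(" AND ", $where);
    }
    $sql .= " ORDER BY id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN, 0));
}

$pdo = openReality();
// Simulated $_POST values (constructed for the demo).
print_r(findReality($pdo, ['lokalita' => 'Praha', 'typ' => 'byt']));      // both filters active
print_r(findReality($pdo, ['lokalita' => ANY,     'typ' => 'dom']));      // lokalita unrestricted
print_r(findReality($pdo, ['lokalita' => ANY,     'typ' => ANY]));        // no WHERE clause at all
print_r(findReality($pdo, ['lokalita' => "' OR 1=1 --", 'typ' => ANY]));  // compared as a literal, matches nothing
```

Adding a third or fourth filter is one more entry in `$allowed` and one more key in `$filters`; the SQL text never has to be edited, and the UNION trick from the other answer (which also interpolates `$lokalita_s` twice) is not needed.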

How to select with a binary field ? (php,mysql)

Trying to select using a "where" clause in a MySQL statement:
e.g.
Table X has an ID column whose data type is BINARY. I then save it in a variable in PHP:
$aid = $row["id"];
How do I use this variable later when I try to select from the table?
$where = "where `ID` = '$aid'";
$query = "SELECT * FROM X ".$where;
Returns 0 rows.
Does anyone know why?
Answering my own question.
Just figured out:
$where = "where HEX(ID) = '" . bin2hex($aid) . "'";
$query = "SELECT * FROM X ".$where;
Does anyone know better solution?
Try below:
add BINARY in the where clause.
$where = "where BINARY ID = '$aid'";
$query = "SELECT * FROM X ".$where;
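Interpolating raw key bytes into a quoted string is fragile (a byte such as 0x27 or 0x00 breaks the literal) and is the same injection surface as any other interpolated value. Binding the bytes as a parameter avoids both problems, and the question's own HEX() idea also works once the hex string is built outside the quotes and matched in the case HEX() returns. The block below is an added example, not code from the thread; it uses PDO with an in-memory SQLite database (a BLOB column standing in for MySQL BINARY) and constructs two random 16-byte keys. Function names are mine.

```php
<?php
// Added example (not code from the original posts). Looks up a row by a binary
// key, first by binding the raw bytes as a BLOB parameter, then by comparing
// HEX(ID) with bin2hex(). PDO + in-memory SQLite; the keys are constructed.

function openX(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE X (ID BLOB PRIMARY KEY, label TEXT)");
    $ins = $pdo->prepare("INSERT INTO X (ID, label) VALUES (:id, :label)");
    foreach (['first', 'second'] as $label) {
        $ins->bindValue(':id', random_bytes(16), PDO::PARAM_LOB);  // 16 raw bytes, like BINARY(16)
        $ins->bindValue(':label', $label, PDO::PARAM_STR);
        $ins->execute();
    }
    return $pdo;
}

// Read a key back the way the question does ($aid = $row["id"]).
function firstId(PDO $pdo): string {
    return (string) $pdo->query("SELECT ID FROM X WHERE label = 'first'")->fetchColumn();
}

// 1) Bind the raw bytes: the driver sends them as binary data, no quoting involved.
function lookupByBlob(PDO $pdo, string $aid): ?string {
    $stmt = $pdo->prepare("SELECT label FROM X WHERE ID = :id");
    $stmt->bindValue(':id', $aid, PDO::PARAM_LOB);
    $stmt->execute();
    $label = $stmt->fetchColumn();
    return $label === false ? null : (string) $label;
}

// 2) The question's own idea, done safely: hex on both sides, bound as text.
//    HEX() returns upper case in both MySQL and SQLite; bin2hex() is lower case.
function lookupByHex(PDO $pdo, string $aid): ?string {
    $stmt = $pdo->prepare("SELECT label FROM X WHERE HEX(ID) = :hex");
    $stmt->execute([':hex' => strtoupper(bin2hex($aid))]);
    $label = $stmt->fetchColumn();
    return $label === false ? null : (string) $label;
}

$pdo = openX();
$aid = firstId($pdo);
echo "by blob: ", lookupByBlob($pdo, $aid) ?? 'no row', "\n";
echo "by hex : ", lookupByHex($pdo, $aid) ?? 'no row', "\n";
echo "garbage: ", lookupByBlob($pdo, random_bytes(16)) ?? 'no row', "\n";
```

The `BINARY` keyword from the last answer only changes collation (byte-wise comparison) and does not fix the quoting problem; if the key contains a quote or NUL byte, the interpolated literal is still malformed. Binding the value, or hex-encoding it, removes that dependency on the key's content.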

MySQL Query for Matching Items Help

I'm having a little trouble getting this query to work:
$userId = mysql_real_escape_string( $_SESSION['user_id'] );
$userPassProvided = mysql_real_escape_string( $_POST['oldPassword'] );
$query = "SELECT user_id, AES_DECRYPT( user_pass, '".$db_aes_key."' ) AS user_pass ";
$query .= "FROM users_tbl WHERE MATCH( user_id, user_pass ) ";
$query .= "AGAINST( '".$userId."', '".$userPassProvided."' IN BOOLEAN MODE ) LIMIT 1";
$result = mysql_query( $query, $mysql_db );
What I would like to do is query users_tbl for the record wherein user_id and user_pass are the same as $userId and $userPassProvided, respectively. Can someone please tell me what is wrong with my query?
Thanks. :)
The following is functionally equivalent to what you seem to want to do. (Do read "however..." below)
$query = "SELECT user_id, AES_DECRYPT( user_pass, '".$db_aes_key."' ) AS user_pass ";
$query .= "FROM users_tbl ";
$query .= "WHERE user_id = '".$userId."' ";
$query .= " AND AES_DECRYPT(user_pass, '".$db_aes_key."' ) = '".$userPassProvided."' ";
$query .= "LIMIT 1";
...however MySQL would have to AES-decrypt every single encoded password in the database. This will be both computationally expensive and prevent using any SQL index.
Alternatively, you may consider encrypting the supplied password, and match it to the ones stored in the database. Maybe something like this (note: untested):
$query = "SELECT user_id, AES_DECRYPT( user_pass, '".$db_aes_key."' ) AS user_pass ";
$query .= "FROM users_tbl ";
$query .= "WHERE user_id = '".$userId."' ";
$query .= " AND user_pass = AES_ENCRYPT('".$userPassProvided."', '".$db_aes_key."' ) ";
$query .= "LIMIT 1";
MATCH () AGAINST () doesn't work like you're expecting it to. What it does is attempts to match a single string in AGAINST() against each of the columns provided in MATCH(), rather than comparing value1 against column1 and value2 against column2.
Have you tried ...WHERE user_id = '".$userId."' AND user_pass = '".$userPassProvided."' LIMIT 1?
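Every variant in this thread puts `$db_aes_key` and the candidate password into the SQL text, so both end up in the query log and in any error message, and the stored value is reversible. The usual alternative for a password check is to store a one-way hash, fetch the single row for the user with a bound parameter, and compare in PHP. The block below is an added example, not code from the thread, and it assumes a hashed `user_pass` column instead of the AES_ENCRYPT scheme the question uses; it runs on PDO with an in-memory SQLite database and constructs one user row. Function names are mine.

```php
<?php
// Added example (not code from the original posts). Replaces "AES_ENCRYPT and
// compare in SQL" with password_hash()/password_verify(): the stored value is a
// one-way hash, the lookup binds user_id, and the comparison happens in PHP so
// neither the candidate password nor any key appears in the SQL text.
// PDO + in-memory SQLite; the user row is constructed for the demo.

function openUsers(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users_tbl (user_id TEXT PRIMARY KEY, user_pass TEXT NOT NULL)");
    $ins = $pdo->prepare("INSERT INTO users_tbl (user_id, user_pass) VALUES (?, ?)");
    $ins->execute(['42', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

// A throw-away hash used when the user does not exist, so the failure path
// costs about the same time as a real verify and does not reveal which
// user_ids are present.
function dummyHash(): string {
    static $h = null;
    return $h ??= password_hash('unused', PASSWORD_DEFAULT);
}

// Returns true only when the user exists and the supplied old password matches.
function checkOldPassword(PDO $pdo, string $userId, string $provided): bool {
    $stmt = $pdo->prepare("SELECT user_pass FROM users_tbl WHERE user_id = ? LIMIT 1");
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($provided, dummyHash());
        return false;
    }
    return password_verify($provided, (string) $hash);
}

$pdo = openUsers();
var_dump(checkOldPassword($pdo, '42', 'correct horse battery staple'));  // correct password
var_dump(checkOldPassword($pdo, '42', 'wrong'));                         // wrong password
var_dump(checkOldPassword($pdo, "42' OR '1'='1", 'anything'));           // bound, matches no user
var_dump(checkOldPassword($pdo, '9999', 'anything'));                    // unknown user, same code path timing
```

With this layout the query is a plain primary-key lookup, so the index concern raised in the accepted answer disappears as well: there is nothing to decrypt, and the only row read is the one for the given user_id.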
