I will be sending a request to the PHP code through a GET request. it will have several parameters passed. I will be using these parameters in the WHERE clause of my select statement.
GET REQUEST
http:// localhost/server/person.php?Id=1&age=12&hieght=100
PHP code
<?php
$connection = mysql_connect("localhost","user","pwd");
if (!$connection )
{
die('FAIL: ' . mysql_error());
}
mysql_select_db("db", $connection );
$result = mysql_query("SELECT * FROM Person where hieght='$_GET[hieght]");
$num_rows = mysql_num_rows($result);
?>
i think my PHP code is wrong. I am not sure if this is the way to grab variables from a GET request.
To get a variable from $_GET use, as an example to get height from $_GET array you can write
$height=$_GET['height'];
so you can write
$result = mysql_query("SELECT * FROM Person where hieght='".$hieght."'");
or you can write
$result = mysql_query("SELECT * FROM Person where hieght='".$_GET['height']."'");
Update:
Use mysql_real_escape_string to prevent sql injection, like
$height=$_GET['height'];
$result = mysql_query("SELECT * FROM Person where hieght='".mysql_real_escape_string($hieght)."'");
or
$result = mysql_query("SELECT * FROM Person where hieght='".mysql_real_escape_string($_GET['height'])."'");
$result = mysql_query("SELECT * FROM Person where hieght='".$_GET['hieght']."'");
A good debug technique when you are feeling your your is to put the SQL into a string
that you can log and see if it is what you expected.
Using mysql_error() after the query may have given you a hint too...
$sql = "SELECT * FROM Person where hieght='".$_GET['hieght']."'";
$result = mysql_query($sql);
#Not for production code, but handy while learning - error goes into web server log.
error_log("SQL=$sql, error=".mysql_error());
You should be parsing input like that for injections:
<?php
$myHeight = mysql_reaL_escape_string($_GET['height']);
$connection = mysql_connect("localhost","user","pwd");
if (!$connection )
{
die('FAIL: ' . mysql_error());
}
mysql_select_db("db", $connection );
$result = mysql_query("SELECT * FROM Person where height=$myHeight");
$num_rows = mysql_num_rows($result);
?>
Secondly, you should also be using the PHP PDO object rather than the old mysql_query etc.
Use this
$height = $_GET['hieght'];
$result = mysql_query("SELECT * FROM Person where hieght='$height'");
Instead of
$result = mysql_query("SELECT * FROM Person where hieght='$_GET[hieght]");
Note that with this code it is very likely to be victim of sql
injection
you may also wanna use this concat:
mysql_query("SELECT * FROM Person where hieght='".$_GET['hieght']."'");
Related
I am having problems trying to get these queries with a WHERE clause to work. I have two tables which look like this :
What I am trying to do is return the genre that each film has. At the moment no data is returning at all from what I can see. Here are the two queries:
$film_id = $row_movie_list['film_id'];
mysql_select_db($database_fot , $fot);
$query_get_genre = "SELECT * FROM film_genre WHERE `id_film` ='". $film_id. "'";
$get_genre = mysql_query($query_get_genre, $fot) or die(mysql_error());
$row_get_genre = mysql_fetch_assoc($get_genre);
$totalRows_get_genre = mysql_num_rows($get_genre);
$genre_id = $row_get_genre['id_genre'];
mysql_select_db($database_fot , $fot);
$query_genre = "SELECT * FROM genre WHERE `id_genre` ='". $genre_id. "'";
$genre= mysql_query($query_genre, $fot) or die(mysql_error());
$row__genre = mysql_fetch_assoc($genre);
$totalRows_genre = mysql_num_rows($genre);
PHP with content area. I fairly new to PHP so any help would be appreciated.
<?php do { echo $genre['genre']; } while($row_get_genre = mysql_fetch_assoc($get_genre)); ?>
Update: I am now able to get first genre but not second it just echos the first one twice and I have tried but still no luck:
do {do { echo $row_genre['genre']; } while($row_genre = mysql_fetch_assoc($genre));} while($row_get_genre = mysql_fetch_assoc($get_genre)); ?>
Avoiding the fact that you're using a deprecated way to establish connection and interact with MySQL, what you're doing is getting a single relation genre-film and then getting the row of the genre that matches. You should surround part of your code with a while that executes while it's still genres of the film with id. Something like:
$film_id = $row_movie_list['film_id'];
mysql_select_db($database_fot , $fot);
$query_get_genre = "SELECT * FROM film_genre WHERE `id_film` ='". $film_id. "'";
$get_genre = mysql_query($query_get_genre, $fot) or die(mysql_error());
while($row_get_genre = mysql_fetch_assoc($get_genre)){
$genre_id = $row_get_genre['id_genre'];
$query_genre = "SELECT * FROM genre WHERE `id_genre` ='". $genre_id. "'";
$genre= mysql_query($query_genre, $fot) or die(mysql_error());
$row__genre = mysql_fetch_assoc($genre);
// You should do whatever you want to do with $row__genre here. Otherwise it will be cleared.
}
I must insist this is a deprecated and insecure way of communication with a MySQL Database. I recommend you read about MySQLi or PDO extensions.
MySQLi: http://www.php.net/manual/en/book.mysqli.php
PDO: http://www.php.net/manual/en/book.pdo.php
For ex. adress page test.php?prid=4477535
Code page test.php
function query($query) {
$database = 'test';
$host = 'test';
$username = 'test';
$password = 'test';
$link = mysql_connect($host,$username,$password);
if (!$link) {
die(mysql_error());
}
$db_selected = mysql_select_db($database);
if (!$db_selected) {
die(mysql_error());
}
$result = mysql_query($query);
mysql_close($link);
return $result;
}
$product_idn=$_GET['prid'];
$select_image = query("SELECT * FROM products_images WHERE `product_idn`='$product_idn'") or die(mysql_error());
foreach ($select_image as $row)
{
$select_image_array[]=$row->image;
}
print_r ($select_image_array);
receives a request
SELECT *
FROM products_images
WHERE `product_idn` = '4477535'
If make select from phpmyadmin i have 10 rows.
But if i use test.php?prid=4477535 i see empty page.
print_r ($select_image_array) not show array.
Tell me please why i see rows with phpmyadmin and not see rows with script?
Like the other said, you are prone to SQL injection since you don't serialize your input, but to fix your code, use this:
$select_image = query("SELECT * FROM products_images WHERE `product_idn`='$product_idn'") or die(mysql_error());
while($data = mysql_fetch_assoc($select_image))
{
echo $data['image'];
}
You are doing it wrong.
You have to fetch the resource (mysql_query returns a resource) into an array, and the keys of the array will be the names of the rows returned from your query.
$product_idn=$_GET['prid'];
$select_image = query("SELECT * FROM products_images WHERE `product_idn`='$product_idn'") or die(mysql_error());
while($fetch=mysql_fetch_assoc($select_image))
{
echo $fetch['image'];
}
print_r ($select_image_array);
BTW, You have a security hole here - SQL Injection.
Test the following
$result = query("SELECT * FROM products_images WHERE `product_idn`='$product_idn'")
$select_image = mysql_fetch_assoc($result);
var_dump($select_image);
for more information look at http://se2.php.net/mysql_query
You just
echo $row->image;
Never initialize $select_image_array
print_r ($select_image_array); won't show anything because there is no $select_image_array defined. Did you mean print_r ($select_image);?
Is query() a function you've defined? If not and you don't have errors on you are likely to see nothing.
You also need to sanitize your SQL. Simplest method for now since it's an integer:
$product_idn=(int)$_GET['prid'];
I began to create a website for my small real estate business.
I played a bit with functions http://www.php.net mysql and I managed to make a page accessed via AJAX and returning html content for the search engine.
I have a database already populated with apartments and houses
The problem is that if the apartment name is "apartment" I return html content if "apartment with 3 rooms" it no longer write anything.
I do not understand where I was wrong:
<?php
$search = $_GET['selected'];
$link = mysql_connect('localhost', 'root', '');
mysql_select_db('houses', $link);
function searchHouse($search, $link){
$query = "select * from houses where name=$search limit 1";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$query2 = "select * from houses_info where house_id=$row[id]";
$result2 = mysql_query($query2);
$row = mysql_fetch_assoc($result2);
return $row;
}
$result = searchHouse($search, $link);
echo $result['house_sq'];
echo "<br>";
echo $result['house_rooms'];
echo "<br>";
echo $result['house_bathrooms'];
echo "<br>";
echo $result['house_address'];
?>
you should know if you "played" with php.net that mysql_* functions are deprecated and are no longer maintained. It's a red box on top of the page informing you that.
you have a big MySQL injection hole there, you are not escaping $string at all
your problem is that you are not adding quotes to $string like: '$string'
you should stat using PDO to get rid of the bad code and SQL Injections holes.
you can wrap those 2 selects into a single select:
<?php
function searchHouse($search, $link){
$search = mysql_real_escape_string($search);
$query = "select * from houses_info where house_id IN (select * from houses where name='".$search."' limit 1)";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
return $row;
}
?>
since you are already building that website you can start moving to PDO, read this tutorial, your code will be more like this:
<?php
$db = new PDO('mysql:host=localhost;dbname=houses;charset=UTF-8', 'root', '', array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$search = $_GET['selected'];
function searchHouse($search){
global $db;
$query = $db->prepare("select * from houses_info where house_id IN (select * from houses where name=:search limit 1)");
$query->execute(array(':search' => $search));
$row = $query->fetch(PDO::FETCH_ASSOC);
return $row;
}
$result = searchHouse($search);
?>
try:
$query = "select * from houses where name='".mysql_real_escape_string($search)."' limit 1";
and remember to always sanitize user input before passing it to sql to avoid sql injections.
Your first query should be:
$query = "select * from houses where name like $search% limit 1";
Strings need to be quoted in queries. Also, this is vulnerable to MySQL injection, make sure to escape $search with mysql_real_escape_string. Or even better yet use MySQLi or PDO instead of the old mysql_ functions.
$query = "select * from houses where name=$search limit 1";
Should be:
$query = "select * from houses where name='$search' limit 1";
Although you REALLY need to escape $search because it came from a user, even if they aren't malicious, any search queries with a single quote in it will break;
$search = $_GET['selected'];
Should be:
$search = mysql_real_escape_string($_GET['selected']);
(Anybody have the copy paste handy with the links to tutorials for MySQLi/PDO and such?)
I have read multiple question in the internet including this stackoverflow question but none of them working for me. Here is my code:
<?php
$conn1 = mysql_connect("localhost","root","passw0rd") or die(mysql_error());
$conn2 = mysql_connect("localhost","root","passw0rd") or die(mysql_error());
mysql_select_db("asteriskcdrdb",$conn1);
mysql_select_db("pj8v2",$conn2);
$query = "SELECT * FROM cdr";
$result = mysql_query($query,$conn1);
var_dump($result);
$query2 = "SELECT * FROM tb_did_avalaible";
$result2 = mysql_query($query2,$conn2);
var_dump($result2);
?>
When i var_dump the result, it return false. What is the problem here? Thank you.
You dont need two connections, if both databases are located on the same mysql-server and you access them both as unique user.
You also don't need to select a DB.
Just use the database-name as prefix when specifying the tables:
<?php
mysql_connect("localhost","root","pass") or die(mysql_error());
$query = "SELECT * FROM asteriskcdrdb.cdr";
$result = mysql_query($query)or die(mysql_error());
var_dump($result);
$query2 = "SELECT * FROM pj8v2.tb_did_avalaible";
$result2 = mysql_query($query2)or die(mysql_error());
var_dump($result2);
?>
The real problem in your code is: there can only be one active DB, it should work this way:
<?php
$conn1 = mysql_connect("localhost","root","passw0rd") or die(mysql_error());
$conn2 = mysql_connect("localhost","root","passw0rd",true) or die(mysql_error());
mysql_select_db("asteriskcdrdb",$conn1);
$query = "SELECT * FROM cdr";
$result = mysql_query($query,$conn1);
var_dump($result);
mysql_select_db("pj8v2",$conn2);
$query2 = "SELECT * FROM tb_did_avalaible";
$result2 = mysql_query($query2,$conn2);
var_dump($result2);
?>
Altough there's no need for 2 connections, you can select both DB's using the same connection.
Sorry i just figure out the problem. If using same connection parameter, must add true in the connect parameter
$conn1 = mysql_connect("localhost","root","passw0rd") or die(mysql_error());
$conn2 = mysql_connect("localhost","root","passw0rd",true) or die(mysql_error());
Don't use mysql connector, use mysqli. It is more secure compared to mysql.
the code would be.
$conn1 = new mysqli("localhost","user","password","db1");
$conn2 = new mysqli("localhost","user","password","db2");
$query1 = "select * from table1";
$query2 = "select * from table2";
echo $query1 . "<br />";
echo $query2 . "<br />";
$rs1 = $conn1->query($query1);
$rs2 = $conn2->query($query1);
Also check if the the query is correct. Most of the times the error is in the query and not the syntax.
Alright, PHP is throwing this error at me (in the log) when I run the code mentioned below:
Error
mysql_num_rows() expects parameter 1 to be resource, string given in (place) on line 10
Line 9-11
$queryFP = ("SELECT * FROM db");
$countFP = mysql_num_rows($queryFP);
$aID = rand(1, $countFP);
I think it has something to do with the $queryFP's syntax, but I'm not completely sure how to fix it since $queryFP's syntax is the simplest query I've ever seen.
You need to query the database first.
$queryFP = ("SELECT * FROM db");
Should be:
$queryFP = mysql_query("SELECT * FROM db");
You are missing the mysql_query function, it should be like this:
$queryFP = "SELECT * FROM table_name_here";
$queryFP = mysql_query($queryFP) or die(mysql_error());
$countFP = mysql_num_rows($queryFP);
$aID = rand(1, $countFP);
As it been said, you're missing mysql_query function.
Though whole approach is wrong. You shouldn't select whole load of ata if you need only number of rows.
So, it must be
$sql = "SELECT count(*) FROM db";
$res = mysql_query($sql) or trigger_error(mysql_error().$sql);
$row = mysql_fetch_row($res);
$countFP = $row[0];
$aID = rand(1, $countFP);
And I hope you won't use $aID for any database related action