The prepared query returns the following resultset, when $this->show is set to saved-by-the-bell:
season
------
1
2
3
4
When I execute the following code:
$seasons = array( );
$query = $db->prepare(
"SELECT `season` " .
"FROM `tv` " .
"WHERE `show_url` = ':show' " .
"GROUP BY `season` " .
"ORDER BY `season` ASC;"
);
$query->bindParam( ':show', $this->show );
$query->execute( );
$query->setFetchMode( PDO::FETCH_OBJ );
while( $row = $query->fetch( ) )
{
$season = new stdClass;
$season->number = $row->season;
$season->title = "Season {$row->season}";
$season->url = $row->season;
$seasons[] = $season;
}
return $seasons;
$seasons is an empty array, why?
$db is an instantiated object that extends PDO.
I've tried all kinds of debugging methods, but when I echo the rowCount, it says 0. I'm still new to PDO, but I can't seem to see what's wrong here.
Thanks in advance.
Ahhh, I figured it out. I'll leave my stupidity up here, in case anyone else happens across this.
Apparently, when using prepared statements, you don't need to wrap your parameters in quotes in the SQL code.
So, the prepare statement should look like this:
$query = $db->prepare(
"SELECT `season` " .
"FROM `tv` " .
"WHERE `show_url` = :show " .
"GROUP BY `season` " .
"ORDER BY `season` ASC;"
);
Related
I have created an editable database to help me automate weekly member updates. There are 9 values that each member updates each week, these are controlled by $_POST submit to secondary php.
From that php, the post values are set as php var, then used to UPDATE sql db.
mysql_select_db("web_footy1") or die(mysql_error());
// The SQL statement is built
$strSQL = "UPDATE Round_6 SET ";
$strSQL = $strSQL . "Game1= '$Game1', ";
$strSQL = $strSQL . "Game2= '$Game2', ";
$strSQL = $strSQL . "Game3= '$Game3', ";
$strSQL = $strSQL . "Game4= '$Game4', ";
$strSQL = $strSQL . "Game5= '$Game5', ";
$strSQL = $strSQL . "Game6= '$Game6', ";
$strSQL = $strSQL . "Game7= '$Game7', ";
$strSQL = $strSQL . "Game8= '$Game8', ";
$strSQL = $strSQL . "Game9= '$Game9' ";
$strSQL = $strSQL . "WHERE Member = '$Member' ";
// The SQL statement is executed
mysql_query($strSQL) or die(mysql_error()) ;
Yes, i am aware this is subject to SQL injection, it is a private site so security can wait atm
The problem is that all values are update at same time, and to update one, you need to re enter all otherwise they are replaced with empty value.
So my question in twofold.
A) What is the cleanest way to be able to control each variable separately,
B) Can i, and if so, how to use isset($GameX) to control which queries are executed.
Eg
IF (isset($Game1)) {UPDATE Round6 SET Game1='$Game1' WHERE Member='$Member'} ;
Please keep in mind, 3 weeks ago i knew nothing about coding, and have crash coursed in html, php and sql in that time... Cheers
I really really really can't recommend enough that you FIX your SQL injection.
Having said that, you can programatically add conditions to your UPDATE clause.
An example might be the following snippet:
<?php
$Game3 = "things";
$Game5 = "stuff";
$Game6 = "awesome";
$Member = 'ben';
$update_parts = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
$variable_name = "Game" . $game_counter;
if ( isset($$variable_name) ) { // This is like isset($Game1)
$update_parts[] = "Game" . $game_counter . " = '" . $$variable_name . "'";
}
}
if ( sizeof($update_parts) > 0 ) {
$strSQL = "UPDATE Round_6 SET ";
$strSQL .= implode(", ", $update_parts);
$strSQL .= " WHERE Member = '$Member'";
echo $strSQL;
}
I've put in a couple of variables up the top there. This yields the following SQL:
UPDATE Round_6 SET Game3 = 'things',
Game5 = 'stuff', Game6 = 'awesome' WHERE Member = 'ben'
EDIT: If you want to use PDO, you need the Query and the Parameters separated. In my example below, I'm putting the Query parameters in
$conn = new PDO("mysql:host=localhost;dbname=database;","username","password"); // Your Connection String
$update_parts = array();
$query_params = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
$variable_name = "Game" . $game_counter;
if ( isset($$variable_name) ) { // This is like isset($Game1)
$update_parts[] = "Game" . $game_counter . " = ?";
$query_params[] = $$variable_name;
}
}
if ( sizeof($update_parts) > 0 ) {
$strSQL = "UPDATE Round_6 SET ";
$strSQL .= implode(", ", $update_parts);
$strSQL .= " WHERE Member = ?";
$query_params[] = $Member;
// Here is where you'd run the update
$stmt = $conn->prepare($strSQL);
$stmt->execute($query_params); // Notice I'm passing in the parameters separately
}
Ok here is my code:
<?php
$cat1 = $_GET["cat1"];
$query = "SELECT DISTINCT cat2 FROM products WHERE cat1 = $cat1";
$result = mysqli_query($connection, $query);
if (!$result) {
die("Geen data beschikbaar");
}
while($category2 = mysqli_fetch_assoc($result)) {
echo "".$category2["cat2"]."<br />";
}
?>
my url is http://www.websitename.com/category.php?cat1=Holland
Obviously this does not work altought i dont understand why. If I remove the variable after WHERE in the statement and just fill in 'Holland' it works great. So I am doing something not right with the syntax ? Thanks
$sql = "SELECT DISTINCT cat2"
. " FROM products"
. " WHERE cat1 = '" . mysqli_real_escape_string($connection, $cat1) . "'";
Add single quotes around your string, and escape it to avoid sql injection.
I'm trying to create a php function to split up the data into batches as it fails when I try to insert them fairly quickly.
I'm trying to insert thousands of records of user-data into a different format in the same database, later to be exported to a seperate database. However the query fails.
Based on comments and answers below I've updated the code to the following. Still fails, though.
The code inserting values:
function insertUsers( $users ){
error_reporting(E_ALL);
ini_set('display_errors',1);
global $pdo;
//insert into database
$i = 0;
$base = 'INSERT INTO tth_user_accounts (user_login, user_pass, user_email, user_registered,
user_firstname, user_lastname ) VALUES ';
$sql = '';
var_dump($users);
while( $i < count( $users ) ){
$sql = $sql . ' ("' .
$users[$i]['user_login'] . '", "' .
$users[$i]['user_pass'] . '", "' .
$users[$i]['user_email'] . '", "' .
$users[$i]['user_registered'] . '", "' .
$users[$i]['meta_value']['first_name'] . '", "' .
$users[$i]['meta_value']['last_name'] . '")';
if (!( $i % 25 === 0 )){
$sql = $sql . ', ';
}
if ($i % 25 === 0) {
//execute $base + $query here
$sql = $base . $sql;
$query = $pdo->prepare( $sql );
echo 'check query: <br />';
print_r( $query );
if( $query->execute() ){
echo '50 users succesfully added to the database';
} else {
echo 'Query failed: ';
print_r( $pdo->errorInfo() );
echo '<br />';
}
$sql = ''; //Re-init query string
}
$i++;
}
if ( strlen( $sql ) > 0 ) { // Execute remainder, if any
//execute $base + $query here
$sql = $base . $sql;
$query = $pdo->prepare( $sql );
echo 'check query: <br />';
print_r($query);
if( $query->execute() ){
echo 'User succesfully added to the database';
} else {
echo 'Query failed: ';
print_r( $pdo->errorInfo() );
echo '<br />';
}
}
}
check query:
PDOStatement Object ( [queryString] => INSERT INTO tth_user_accounts (user_login, user_pass, user_email, user_registered, user_firstname, user_lastname ) VALUES ("John Smith", "4\/\/350M3 P4sS\/\/0r|)", "john.smith#greatmail.com", "2013-04-11 11:18:58", "John", "Smith") )
Query failed: Array ( [0] => 00000 [1] => [2] => )
Tried it with a %25 and %50, both don't work. Keep getting the 00000 error which is supposed to lead to victory (success, though for me it still fails, nothing in the DB)
I'd do it manually if I had the time but this won't be a one-time event so I need a solution to this issue. Is there a good way to split up the query into batches (and how?) that would allow this to be repeated and queries to be executed one after the other? I've been looking at a whole bunch of questions on SO (and elsewhere) already and can't find one that suits my needs.
UPDATE - has been answered, need a small modification as shown below:
if (!( $i % 25 === 0 )){
if(!( $i == ( count( $users ) - 1 ))){
$sql = $sql . ', ';
}
}
You're mixing PDO with mysql_ functions. Pick one and follow the respective library's error handling.
It would also be beneficial print out your $sql to yourself to see if it's formatted correctly. Additionally, if you're handling POSTed data, you will want to use prepared statements,
You might need to increase the max_allowed_packet value which defaults to 1Mb. If you want to split up the query in batches you can do so using the modulus operator.
$base = 'INSERT INTO ...';
$sql = '';
while( $i < count( $users ) ){
$sql = $sql . ' ("' ... //etc.
if ($i % 50 === 0) {
//execute $base + $qry here
$sql = ''; //Re-init query string
}
}
if (strlen($qry)>0) { // Execute remainder, if any
//execute $base + $query here
}
Or as an array (described here):
$base = 'INSERT INTO ...';
$sql = array();
while( $i < count( $users ) ){
$sql[] = ' ("' ... //etc.
if ($i % 50 === 0) {
//execute $base + implode(',', $sql) here
$sql = array(); //Re-init query string
}
}
if (sizeof($qry)>0) { // Execute remainder, if any
//execute $base + implode(',', $sql) here
}
Also please make sure you're using prepared statements correctly so you're not vulnerable to SQL injections.
Finally: you might need to enable error reporting so failures won't be silent; if they're still silent after enabling error reporting (e.g. error_reporting(-1);) you might need to set MySQL to strict mode (not sure if that will help). If they still fail silently file a bugreport.
Edit
Oh, I missed the fact that you're mixing mysql_ and PDO; that will probably be the reason why you're not seeing any errors... D'uh. Go read the manual on PDO error handling.
#Downvoters: If you're downvoting at least have the decency to leave a comment on why.
Is there a reason why you want to do it as one single statement? Why not just iterate through the users and insert each one with something like:
while($i < count( $users )) {
$sql = 'INSERT INTO tth_user_accounts (user_login, user_pass, user_email, user_registered, user_firstname, user_lastname ) VALUES ';
$sql = $sql + "(";
$sql = $sql + "'" . $users[$i]['user_login'] . '",';
$sql = $sql + "'" . $users[$i]['user_pass'] . '",';
$sql = $sql + "'" . $users[$i]['user_email'] . '",';
$sql = $sql + "'" . $users[$i]['user_registered'] . '",';
$sql = $sql + "'" . $users[$i]['meta_value']['first_name'] . '",';
$sql = $sql + "'" . $users[$i]['meta_value']['last_name'] . '"';
$sql = $sql + ")";
$query = $pdo->prepare( $sql );
if( $query->execute() ){
echo 'User succesfully added to the database';
} else {
die ("Query failed: " . $pdo->errorInfo());
}
}
Even better is to prepare the statement once and then bind the parameters. As pointed out by RobIII, you can introduce SQL injection vulnerabilities by building up your SQL statements as strings so instead, you could do something like:
$sql = 'INSERT INTO tth_user_accounts (user_login, user_pass, user_email, user_registered, user_firstname, user_lastname) ';
$sql += ' VALUES (:user_login, :user_pass, :user_email, :user_registered, :user_firstname, :user_lastname)';
$query = $pdo->prepare( $sql );
while ($i < count($users)) {
$query->bindParam(":user_login", $users[$i]['user_login']);
$query->bindParam(":user_pass", $users[$i]['user_pass']);
$query->bindParam(":user_email", $users[$i]['user_email']);
$query->bindParam(":user_registered", $users[$i]['user_registered']);
$query->bindParam(":user_firstname", $users[$i]['user_firstname']);
$query->bindParam(":user_lastname", $users[$i]['user_lastname']);
if( $query->execute() ){
echo 'User succesfully added to the database';
} else {
die ("Query failed: " . $pdo->errorInfo());
}
}
Another issue you may be encountering is a simple fact that the user's name / information may contain invalid characters and killing your command. Take for instance a person's last name is "O'Maley". When building your string of values and wrapping the name with hard quotes, you would get
'O'Maley'
I ran into something similar to this about 8 years ago and had to validate certain values within the data. Once you find it, you'll know how to correct each respective value, then go back to batch mode.
Also, consider someone supplying a bogus value of a bogus / bad value of "--" which indicates rest of line is a comment... or even a ";" to indicate end of statement. That is most likely what you are running into.
As RobIII responded, and I was too quick in my response, don't test one at a time, but query the data an look at it for such anomolies / bad escape posts in the data. Fix what you need to BEFORE trying the insert.
I'm working on some prepared statements using mysqli in a php file with a database running on InnoDB. Most of the statements are working pretty well, but I have a select statement with multiple conditions that keeps returning a syntax error in my select statement, to be specific: near ? AND section_num = ? AND dept = ? AND semester = ? AND year = ? at line 1 as well as the following error:
Call to a member function bind_param() on a non-object.
Here's the snippet of code:
if (!$rs = $mysqli->query("SELECT id FROM courses WHERE course_num = ? AND section_num = ? AND dept = ? AND semester = ? AND year = ?")) {
echo "Select Query Failed!: (" . $mysqli->errno . ") ". $mysqli->error;
}
if(!$rs->bind_param("ssssi", mysqli_real_escape_string($mysqli,$course_num), mysqli_real_escape_string($mysqli,$section_num),
mysqli_real_escape_string($mysqli,$dept), mysqli_real_escape_string($mysqli,$semester), mysqli_real_escape_string($mysqli,$year))) {
echo "Select Binding parameters failed: (" . $rs->errno .") " . $rs->error;
}
if (!$rs->execute()) {
echo "Execute select failed: (" . $rs->errno . ") " . $rs->error;
}
Any suggestions for how to form this statement to retrieve an id based on the 4 inputs would be great. Thanks!
You should be using prepare to prepare a statement, not query as that just executes a query.
$query = "
SELECT id
FROM courses
WHERE
course_num = ? AND section_num = ? AND dept = ? AND semester = ? AND year = ?
";
$rs = $mysqli->prepare($query);
$rs->bind_param("ssssi", $course_num, $section_num, $dept, $semester, $year);
$rs->execute();
Change: $mysqli->query("SELECT id ...
To: $mysqli->prepare("SELECT id ...
It is quite simple just do this
$query = "SELECT * FROM `$table_tran` WHERE `$mem_id` ='$member_id' and $status` = '$cur_status'";
$result = mysqli_query($link,$query);
It gets the data from the transaction table using the and statement.
Well, I've been at this for a few hours, and for the life of me I can't figure out what is wrong. The code is as follows:
$str = "%" . $_POST['str'] . "%";
$offset = (int) $_POST['offset'];
try {
$stmt = $dbh->prepare("SELECT * FROM Spells WHERE :col LIKE :str ORDER BY :sort LIMIT 10 OFFSET :offset");
$stmt->bindParam(":col",$_POST['col']);
$stmt->bindParam(":str",$str);
$stmt->bindParam(":offset",$offset, PDO::PARAM_INT);
$stmt->bindParam(":sort",$_POST['sort']);
$stmt->execute();
}
catch (PDOException $e) {
echo "MySQL error: " . $e->getMessage() . "<br/>";
die();
}
The connection to the database works fine, no errors occur. If I type in % into the search field(which would be output as %%% in the query), results return as expected.
I've attempted the same query in phpMyAdmin and it works fine. I've been updating this script from the deprecated mysql_* functions, which worked fine before.
Example of the previous, deprecated query:
$sql = "SELECT * FROM Spells WHERE " . $col . " LIKE '%" . $str . "%' ORDER BY " . $sort . " LIMIT 10 OFFSET " . $offset;
As I may have already stated, I've been searching on this site as well, trying to find a solution; nothing has worked, not even MySQL's CONCAT('%',:str,'%').
The server I'm testing this on is running off of php version 5.3.17.
My question, in case I did not make it clear, is what am I doing wrong here? For those wondering(I thought that I put this but apparently I did not), there are no error messages.
The issue is that you cannot use parameters in place of identifiers. This means you cannot parameterise column or table names.
What your query essentially looks like when it is executed is
SELECT * FROM Spells WHERE 'some_column_name' LIKE '%something%'...
I would establish a whitelist of search and sort column names and use those to construct your query. Here's a very simple example
$search = array('col1', 'col2', 'col3');
$defaultSearch = 'col1';
$sort = array('col1', 'col2');
$defaultSort = 'col1';
$col = in_array($_POST['col'], $search) ? $_POST['col'] : $defaultSearch;
$sort = in_array($_POST['sort'], $sort) ? $_POST['sort'] : $defaultSort;
$sql = sprintf('SELECT * FROM Spell WHERE %s LIKE :str ORDER BY %s LIMIT 10 OFFSET :offset',
$col, $sort);
$stmt = $dbh->prepare($sql);
// bind :str and :offset, and so on