Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am currently working on a fun project, which involves Ajax, HTML, JavaScript, PHP and SQL.
I have debugged my project as far as I could, and I am 100% sure my AJAX, HTML and JavaScript are working fine and my variables are send to the server correctly.
I am trying to fetch data from the database, subtract a number (submitted in the form) from this data and update the database accordingly.
My database does update. However, it is not displaying the correct numbers. When submitting 1 in the form, it will ALWAYS return the same numbers in the database. (Which is odd, because I am subtracting it...). I am 100% sure the data from the form is passed to the server correctly, so I would like you all to check my server file, which should be the problem.
Edit:
The database connection is made in db.php and is made correctly. This has been tested.
You really need to switch to prepared statements to fix your sql injection problems.
Apart from that, what's wrong with this specific code, is that mysql_query does not return a number, it returns a resource. You need to fetch a row to get the number.
as far as I know, mysql_query returns resource, not result itself. So you have to modify your code to something like this:
$res = mysql_query("your_query_here");
$row = mysql_fetch_row($res);
$totaalaantal = $row[0];
check http://php.net/manual/en/function.mysql-query.php
I think you are mistaking the return value of mysql_query, look php's manual
mysql_query returns a resource which then may be passed to some other funcion to extract the value returned by the query you made. You should do something like this:
$res = mysql_query(...)
$row = mysql_fetch_assoc($res)
$dec = $res["column_name"] - $some_value
You should check the $_REQUEST[...] array values to eliminate sql injection vulnerabilities.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am developing an application to produce printed reports from a MySQL database. This uses layout files to define what data to retrieve and how to format the output. The data to be retrieved is defined by a select statement which could vary from a simple view to something very complicated. Obviously, validation of the layout requires analysis of the select statement, which is simple under mysqli - prepare the statement then use mysqli_stmt::result_metadata.
The well documented problems of calling mysqli_stmt::bind_params with dynamicly varying parameter counts has prompted me to look at PDO, but there I have the problem that the prepared query must be executed before PDOStatement::getColumnMeta can be used to identify column names. Is there a way to identify prepared select statement column names without executing the statement?
I guess you want to get the name and data type of each column in your result set, then use that information to help lay out your report.
The most reliable way to do this is to execute() the query. That puts absolute control of the columns and data types in the hands of the person who writes and troubleshoots the SQL in your layout file. I don't believe there's a reliable MySQL statement parser you can use in php to dig out aliases and data types from just the SQL.
Both PDO and mysqli require you, the programmer, to execute the query to get the metadata.
If you can organize your report program so it concludes its layout after it fetches a row of the result set, that's a good way to go.
Or you can execute the query once appending LIMIT 1, do the layout, and execute it again to get the data. But your more complex queries may not benefit much from that attempted optimization. And queries already containing a limit just won't work in this scheme.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
When I use a variable in my WHERE clause of Update the updation doesnt take place.
$eventid=$_GET['id'];
$sql = "UPDATE events SET name=:name WHERE id=:id";
$q = $conn->prepare($sql);
$q->execute(array(':name'=>$name,':id'=>$eventid));
When I echo $_GET['id'] I get the correct value.
$_GET['id'] is the value I have passed from another page
People are saying you're vulnerable to sql injection attacks because you're passing an id via a $_GET parameter to an update statement where you directly use the $_POST superglobal.
In order to make it more secure, you could start by passing the ID via $_POST as well, and not using $_POST directly in your SQL.
But that's not the question you asked.
I would hazard to guess it's not updating because you're passing ID as a string, which it probably isn't.
Try changing
WHERE id='".$_GET['id']."'");\
to
WHERE id=".$_GET['id']."");
Save your query to a string variable so you can debug what are you sending to db MySQL. Then try to run the result query direct on the db.
$DBcon->query(#strSQL);
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I want to create a simple protection system for my php scripts.
My plan is two hard-code a varibale which allows code snippets to execute.
I want to have some kind of system were I have a database with the domain and a license key. They key will be entered in the admin panel and then every time someone visits the site the php code gets executed and will send the key with the domain. A script on my server will check if the two variables match and return "VALID" or "ERROR".
If it returns VALID the code on the client side gets executed. If it returns "ERROR" some kind of advertisment or error message will be displayed.
At this point of time I can really code anything, BUT the connection between the servers.
I guess I cannot use some kind of $_GET or $_POST since I don' t wanna any kind of redirect. I cannot directly connect to the db since this would be a BIG security issue.
Any ideas? Thx ya.
Well, the problem with this is that if the client can see it -- they can modify it.
However, you can just use
$result = file_get_contents('http://mywebsite.com/check.php?license=' . $license);
if(trim(strtolower($result)) == 'valid') {
// it's valid
} else {
// display ad
}
Or you can use cURL.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
This question made me curious.
The correct answer demonstrates using MySQL syntax to add values of a certain range within a database and return the result. Would it be better done retrieving the results within the daterange and computing the total in PHP? Or should the DB be used wherever applicable? Obviously with the example given in that question, it won't really matter unless we're talking thousands of orders, but for arguments sake...
Simple calculations, especially for aggregation type scenarios, should definitely be handled on the database for multiple reasons:
Less data returned over the wire from the database
Database can take advantage of indexing
Database is faster at aggregating data, because that's what they're made for.
Using code such as PHP makes sense only when you have really complex calculations or business logic that are not handled easily by a database tool, or when using logic that databases do not do efficiently, such as string manipulation.
The general rule of thumb is something like this:
Return as little data as absolutely necessary from the database, and apply any logic that reduces the number of rows at the database side.
Work with the data returned to do complex business logic and markup (i.e., HTML) with your coding language.
Why would you rewrite code? SUM(somefield) WHERE (condition) gives you exaclty what you need.
$rows = mysql_query('SELECT SUM(somefield) AS `sum` FROM table WHERE (condition)');
$row = mysql_fetch_array($rows);
$sum = $row['sum'];
On the contrary, you suggest to do something like this:
$rows = mysql_query('SELECT somefield FROM table WHERE (condition)');
$sum = 0;
while ($row = mysql_fetch_assoc($rows)) {
$sum += $row['somefield']; }
}
I don't see why. ;-)
And that's pure for the code, indeed more data is being transported in the second case, to name one thing.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I was wondering how can you check to see if certain data is present in a database and if so display it on the web page and if not don't display it using PHP.
You select the data and you can use mysql_num_rows() to check how many rows were returned.
If no rows are returned, you can do something else.
Rough unsafe example
$query = mysql_query("SELECT * FROM users WHERE id = 20");
$num = mysql_num_rows($query);
if($num > 0)
{
// Stuff to do when you find the items
}
else
{
// No items found
}
That's a pretty involved question. It requires you to connect to your database mysql_connect(), query it mysql_query(), and pour out any results from the query mysql_fetch_object().
Using the PHP MySQL interface functions, you run a SQL SELECT query that will retrieve the data you are looking for. Using a PHP control structure such as if, you then conditionally display the data, or not, depending on its existence or lack thereof.