There is nothing wrong with my code, but I just can't help but wonder, should I wrap the $key with mysql_real_escape_string? This is just part of my Database function which is mainly used to pull data out of the database with table name and $where as arguments to the function. $where is to be an associative array with keys being column name, and values being the data.
This is what processes the $where array. Before this I have $sql = 'select * from ' . $table;
```php
if(!empty($where)){
    $where_count = count($where);
    $sql .= ' WHERE ';
    foreach($where as $key => $value){
        $split_key = explode(' ', $key);
        if(count($split_key) > 1){
            $sql .= $key[0] . ' ' . $key[1] . ' "' . mysql_real_escape_string($value) . '" ';
        } else {
            $sql .= $key . ' = "' . mysql_real_escape_string($value) . '" ';
        }
    }
}
```
Filter ANY INPUT from the user that is going to be placed in your query. No doubt!
So if the keys are supplied by the user, YES and if they are generated in a safe manner, NO.
Take a look at SQL Injection to understand why filtering must be done.
I am not sure what is being asked here, but I can see one error:
```php
$sql .= $key[0] . ' ' . $key[1] . ' "' . mysql_real_escape_string($value) . '" ';
```
should be
```php
$sql .= $split_key[0] . ' ' . $split_key[1] . ' "' . mysql_real_escape_string($value) . '" ';
```
If you really want to quote field names, use backticks.
See http://dev.mysql.com/doc/refman/5.6/en/identifiers.html
The following statement creates a table named a`b that contains a
column named c"d:
```sql
CREATE TABLE `a``b` (`c"d` INT);
```
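Escaping does not make a column name safe, because identifiers are not string literals. The following is an added example (not code from the question or any of the answers) of the same WHERE builder rewritten so that keys are validated against a whitelist and values are handed back for parameter binding; `$allowed_columns` and the operator list are assumptions for the demo.

```php
<?php
// Added example (not from the question or any answer): build the WHERE clause
// from the associative array without interpolating the keys at all. Column
// names and operators are checked against fixed whitelists, and the values are
// returned separately to be bound as prepared-statement parameters.
// $allowed_columns and the operator list are assumptions for this demo.
function buildWhere(array $where, array $allowed_columns): array
{
    $allowed_ops = ['=', '<>', '<', '>', '<=', '>=', 'LIKE'];
    $clauses = [];
    $params  = [];
    foreach ($where as $key => $value) {
        $parts  = explode(' ', trim($key), 2);
        $column = $parts[0];
        $op     = isset($parts[1]) ? strtoupper(trim($parts[1])) : '=';
        // Identifiers cannot be escaped the way string values can, so the
        // only safe policy is to reject anything not on the whitelist.
        if (!in_array($column, $allowed_columns, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }
        if (!in_array($op, $allowed_ops, true)) {
            throw new InvalidArgumentException("Operator not allowed: $op");
        }
        $clauses[] = '`' . $column . '` ' . $op . ' ?';
        $params[]  = $value;   // bound later, never concatenated into the SQL
    }
    $sql = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$sql, $params];
}

// Demo with constructed input.
$allowed = ['id', 'username', 'created_at'];
[$sql, $params] = buildWhere(['username' => 'alice', 'id >' => 10], $allowed);
echo 'SELECT * FROM users' . $sql . "\n";
print_r($params);

// Binding the values with mysqli (connection $mysqli is assumed to exist):
// $stmt = $mysqli->prepare('SELECT * FROM users' . $sql);
// $stmt->bind_param(str_repeat('s', count($params)), ...$params);
// $stmt->execute();

// A key that is not a whitelisted column is rejected instead of being used.
try {
    buildWhere(['role' => 'admin'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```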
I have a custom field called code on Accounts module and I want to enable it on the Global Search such that its searches without wildcards entered in the search bar.
So suppose I have some records with values like "88990","23477" and "12347".
If some one uses global search and enters 347 it should return me the account with code 23477 and 12347.
I don't want to enter %347 to get the results.
How can I achieve this?
I have code in custom/Extension/modules/Account/Ext/Vardefs/sugarfield_code_c.php:
```php
$dictionary['Account']['fields']['code_c']['inline_edit']='1';
$dictionary['Account']['fields']['code_c']['labelValue']='test code';
$dictionary['Account']['fields']['code_c']['unified_search']=true;
```
and in custom/modules/Accounts/SearchFields.php I have
```php
$searchFields['Accounts'] = array(
    'code_c' =>
        array(
            'query_type' => 'default'
        )
);
```
SuiteCRM Version: 7.10.4
Solution is NOT upgrade safe.
Navigate to include/SearchForm/SearchForm2.php and look for the following inside the generateSearchWhere() function:
```php
$where .= $this->seed->db->concat($concat_table, $concat_fields) . " LIKE " . $this->seed->db->quoted($field_value . $like_char);
$where .= ' OR ' . $this->seed->db->concat($concat_table, array_reverse($concat_fields)) . " LIKE " . $this->seed->db->quoted($field_value . $like_char);
```
I changed these lines to concatenate the $like_char variable before $field_value as well:
```php
$where .= $this->seed->db->concat($concat_table, $concat_fields) . " LIKE " . $this->seed->db->quoted($like_char . $field_value . $like_char);
$where .= ' OR ' . $this->seed->db->concat($concat_table, array_reverse($concat_fields)) . " LIKE " . $this->seed->db->quoted($like_char . $field_value . $like_char);
```
I tried to use mysqli for my forum database. This is the code I used:
```php
<meta charset="utf-8">
<?php
include("config.php");
$limits = "6";
$forum_id = "2";
$db = new mysqli($INFO['sql_host'], $INFO['sql_user'], $INFO['sql_pass'], $INFO['sql_database']);
$topics = $db->query("
    SELECT
        `topics`.`start_date`,
        `topics`.`title`,
        `topics`.`starter_name`,
        `topics`.`posts`,
        `topics`.`title_seo`,
        `topics`.`tid`,
        `posts`.`post`
    FROM
        `" . $INFO['sql_tbl_prefix'] . "topics` as `topic`,
        `" . $INFO['sql_tbl_prefix'] . "posts` as `post`
    WHERE
        `topics`.`approved` = 1 AND
        `topics`.`forum_id`= " . $forum_id . " AND
        `posts`.`topic_id` = `topic`.`tid` AND
        `posts`.`new_topic` = 1
    ORDER BY
        `topics`.`start_date`
    DESC LIMIT 5");
echo '<ul id="news">';
while ($topic = $topics->fetch_object()) {
    $url = $INFO['board_url'] . '/index.php?/topic/' . $topic->tid . '-' . $topic->title_seo . '/';
    $topic->post = strip_tags(str_replace(array('[', ']'), array('<', '>'), $topic->post));
    $topic->start_date = date("Y.m.d H:i", $topic->start_date);
    echo '
        <div class="news">
            <div class="newsp"><div class="pteksts">' . $topic->title . '</div></div>
            <center><img src="img/news.png"></center>
            <div class="teksts" style="padding-bottom: 5px;">' . $topic->post . '</div>
        </div>
    ';
}
echo '</ul>';
?>
```
and the error I received:
```
Fatal error: Call to a member function fetch_object() on a non-object in /home/public_html/scripts/news.php on line 35
```
You give aliases for your tables as topic and post, but then you use the aliases topics and posts. You need to change the table qualifiers to use the same spelling as your table alias.
Wrong, because alias topic is not the same as table qualifier topics:
```sql
SELECT
    `topics`.`start_date`, . . .
FROM
    `" . $INFO['sql_tbl_prefix'] . "topics` as `topic`,
    . . .
```
Right, after changing the table qualifier to match the alias name:
```sql
SELECT
    `topic`.`start_date`, . . .
FROM
    `" . $INFO['sql_tbl_prefix'] . "topics` as `topic`,
    . . .
```
Right as well, but the alias is unnecessary if it's the same as the base table name:
```sql
SELECT
    `topics`.`start_date`, . . .
FROM
    `" . $INFO['sql_tbl_prefix'] . "topics` as `topics`,
    . . .
```
But more to the point, you should always check the return value from $db->query(), because it returns false if there's an error. You can't call any method on a false because that's not an object.
If that happens, report the error but do not try to fetch from the result. It won't work.
```php
$topics = $db->query(...);
if ($topics === false) {
    die($db->error);
}
// now we can be sure it's safe to call methods on $topics
while ($topic = $topics->fetch_object()) {
    . . .
```
Re your comment that the output is blank:
I just tested this script and it mostly works, so I can't guess what's going wrong. I suggest you read your http server's error log, which is where many PHP notices and errors are output.
I do see the following notice:
```
Notice: A non well formed numeric value encountered in /Users/billkarwin/workspace/SQL/22159646.php on line 51
```
The line is this:
```php
$topic->start_date = date("Y.m.d H:i", $topic->start_date);
```
The problem is that PHP's date() function takes an integer timestamp, not a date string.
You might want to format the date in SQL, using MySQL DATE_FORMAT() function instead.
I have included the PHP code run on the server side that is failing with the following error:
```
Parse error: syntax error, unexpected T_ELSE in
/home3/atljj/public_html/Osler/include/vo2_membersite.php on line 2849
```
No clue why it is stopping on the ELSE statement???
Short story... I want to write a program to create and maintain a 1 record MySQL control file.
I am writing the code in steps and so far have:
Written HTML code that, via a form, submits to the server a request to create the table with the proper fields.
The server was then re-written to write the first record into the table via the INSERT statement.
All is well to this point... I have 1 record in the MySQL file and next I only need to update it.
The server was changed to test for a record already existing and if so bypass the INSERT code and run the UPDATE code instead... But I do not see where the problem is, other than that I am attempting to use MySQLi code now.
Is my table checking done wrong? I'm searching for record 1 and, if not found, use INSERT, ELSE use the UPDATE...
```php
function UpdateCase(&$formvars)
{
    $con = mysqli_connect($this->db_host,$this->username,$this->pwd,$this->database);
    if (mysqli_connect_errno())
    {
        $this->HandleDBError("Failed to connect to MySQL");
        return false;
    }
    $c_match = $this->RandomIt();
    $c_username = "admin";
    $qry = "Select * from $this->case_c_table WHERE c_id = 1";
    if(!$result = mysqli_query($con,$qry));
    { /* first entry not found add to table*/
        $c_flag="M";
        $addit = 'INSERT INTO $this->case_c_table (
            c_match,
            c_flag,
            c_username,
            c_element,
            c_patname,
            c_patgndr,
            c_patage,
            c_patethncty,
            c_patdate,
            c_cc,
            c_td,
            c_lmpdate
        )
        values
        (
            "' . $c_match . '",
            "' . $c_flag . '",
            "' . $c_username . '",
            "' . $this->SanitizeForSQL($formvars['c_element']) . '",
            "' . $this->SanitizeForSQL($formvars['c_patname']) . '",
            "' . $this->SanitizeForSQL($formvars['c_patgndr']) . '",
            "' . $this->SanitizeForSQL($formvars['c_patage']) . '",
            "' . $this->SanitizeForSQL($formvars['c_patethncty']) . '",
            "' . $this->SanitizeForSQL($formvars['c_patdate']) . '",
            "' . $this->SanitizeForSQL($formvars['c_cc']) . '",
            "' . $this->SanitizeForSQL($formvars['c_td']) . '",
            "' . $this->SanitizeForSQL($formvars['c_lmpdate']) . '"
        )';
        mysqli_query($con,$addit);
    }
    else
    {
        $qry="Update $this->case_c_table Set
            c_element=". $this->SanitizeForSQL($formvars['c_element']).",
            c_patname=". $this->SanitizeForSQL($formvars['c_patname']).",
            c_patgndr=". $this->SanitizeForSQL($formvars['c_patgndr']).",
            c_patage=" . $this->SanitizeForSQL($formvars['c_patage']).",
            c_patethncty=". $this->SanitizeForSQL($formvars['c_patethncty']).",
            c_patdate=". $this->SanitizeForSQL($formvars['c_patdate']).",
            c_cc=". $this->SanitizeForSQL($formvars['c_cc']).",
            c_td=". $this->SanitizeForSQL($formvars['c_td']).",
            c_lmpdate=". $this->SanitizeForSQL($formvars['c_lmpdate'])."
            WHERE c_id=1";
        mysqli_query($con,$qry);
    }
}
```
I am having problems with the following statement. I know it's probably something small and silly but I can't seem to find the solution.
```php
$field_sql = 'SHOW FIELDS FROM '.$table ' WHERE FIELD '=''.$column';
```
You're missing a dot and have quotes when you don't need them:
```
$field_sql = 'SHOW FIELDS FROM ' . $table . ' WHERE FIELD = ' . $column;
                                        ^                  ^^^   ^
                                     Missing     Removed extra quotes
```
However, for SQL string values, you probably want the quotes, so you can use different quotes than the ones you're using to denote the string:
```php
$field_sql = 'SHOW FIELDS FROM `' . $table . '` WHERE FIELD = "' . $column . '"';
```
I also added backticks for the table name.
```php
$field_sql = 'SHOW FIELDS FROM ' . $table . ' WHERE FIELD = '.$column;
```
You can try with
```php
$field_sql= 'SHOW FIELDS FROM ' . $table . ' WHERE FIELD =' . $column;
```
I am having a small issue with some coding of mine. For some reason my entries aren't dropping in my DB. Any suggestions would be greatly appreciated! Here is my code...
```php
<?php
$dbhost="localhost";
$dbname="DBNAME";
$dbuser="USER";
$dbpasswd="PASSWORD"; // connect to the db
$dbcxn = mysqli_connect($dbhost, $dbuser, $dbpasswd);
if (!$dbcxn) {
    die('Could not connect: ' . mysql_error());
}
$db_selected = mysqli_select_db($dbcxn, $dbname);
if (!$db_selected) {
    die ('Can\'t use dbreviews : ' . mysql_error());
}
$query = "INSERT INTO entries ( submitterFirstName, submitterLastName, submitterPhone, submitterEmail, referredFirstName, referredLastName, referredPhone, referredEmail, referredReason)
VALUES ('$submitterFirstName', '$submitterLastName', '$submitterPhone', '$submitterEmail', '$referredFirstName', '$referredLastName', '$referredPhone', '$referredEmail', '$referredProject')";
$result=mysqli_query($dbcxn, $query);
?>
```
The first thing you want to check is echo the query back to yourself and read it over.
Second, check the table structure. Make sure the column names are all spelled correctly and that all fields exist in your table (I've accidentally forgotten to add a column before).
Third, you may or may not receive error messages depending on your configuration. But, you can manually check.
```php
if (!$result) {
    echo mysqli_error($dbcxn);
}
```
First thing first should be code formatting, it will help you read the code and consequently find your errors easier.
```php
$query = "
    INSERT INTO
        entries
        (
            submitterFirstName,
            submitterLastName,
            submitterPhone,
            submitterEmail,
            referredFirstName,
        " .
        "referredLastName,
            referredPhone,
            referredEmail,
            referredReason
        )
    " .
    " VALUES
        (
            '$submitterFirstName',
            '$submitterLastName',
            '$submitterPhone',
            ' $submitterEmail',
            '$referredFirstName'," .
            "'$referredLastName',
            '$referredPhone',
            '$referredEmail',
            '$referredProject'
        );
"
```
The above is your query string split onto several lines, there are some errors which should be evident straight away? Once formatted I would do echo $query and view the output of $query.
Also try seeing if you can do an insert without using php (using mysql workbench, php admin etc) then compare it with the string value you have set as $query.
```php
// fewer errors; please note that inside "" you can include php $vars without needing to escape.
$query = "
    INSERT INTO
        entries
        (
            submitterFirstName,
            submitterLastName,
            submitterPhone,
            submitterEmail,
            referredFirstName,
            referredLastName,
            referredPhone,
            referredEmail,
            referredReason
        )
    VALUES
        (
            '$submitterFirstName',
            '$submitterLastName',
            '$submitterPhone',
            '$submitterEmail',
            '$referredFirstName',
            '$referredLastName',
            '$referredPhone',
            '$referredEmail',
            '$referredProject'
        );
";
```
Change your query variable to:
```php
$query = "INSERT INTO entries " .
    "( submitterFirstName, submitterLastName, submitterPhone, submitterEmail, referredFirstName, " .
    " referredLastName, referredPhone, referredEmail, referredReason )" .
    " VALUES ('" .
    $submitterFirstName . "', '" .
    $submitterLastName . "', '" .
    $submitterPhone . "', '" .
    $submitterEmail . "', '" .
    $referredFirstName . "', '" .
    $referredLastName . "', '" .
    $referredPhone . "', '" .
    $referredEmail . "', '" .
    $referredProject . "')";
```
and it should be working.
I suggest using mysqli prepare.
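As an added example (not code from this question or any answer, nor from the earlier forum-news thread it also applies to), here is the same INSERT done with a mysqli prepared statement and with mysqli configured to throw on failure, which covers both the "check the return value of query()" advice given earlier on this page and the suggestion to use prepare. The connection credentials and the submitted field names are placeholder assumptions.

```php
<?php
// Added example, not code from the question or any of the answers: the same
// INSERT as a mysqli prepared statement, with mysqli set to throw on failure
// so a failed query cannot be silently ignored. Connection credentials and
// the submitted field names are placeholder assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertEntry(mysqli $db, array $entry): int
{
    $columns = ['submitterFirstName', 'submitterLastName', 'submitterPhone',
                'submitterEmail', 'referredFirstName', 'referredLastName',
                'referredPhone', 'referredEmail', 'referredReason'];
    // Every column must be present; a missing field is rejected up front
    // instead of silently becoming an empty string in the table.
    $values = [];
    foreach ($columns as $col) {
        if (!isset($entry[$col]) || !is_string($entry[$col])) {
            throw new InvalidArgumentException("Missing field: $col");
        }
        $values[] = $entry[$col];
    }
    $sql = 'INSERT INTO entries (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', array_fill(0, count($columns), '?')) . ')';
    // Values are bound parameters: the driver handles quoting and escaping,
    // and the SQL text never changes with the input.
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return $stmt->affected_rows;
}

try {
    $db = new mysqli('localhost', 'USER', 'PASSWORD', 'DBNAME'); // placeholders
    $db->set_charset('utf8mb4');
    // Constructed sample submission; in the real form these come from $_POST.
    $entry = [
        'submitterFirstName' => 'Ann', 'submitterLastName' => 'Lee',
        'submitterPhone' => '555-0100', 'submitterEmail' => 'ann@example.com',
        'referredFirstName' => 'Bob', 'referredLastName' => 'Ray',
        'referredPhone' => '555-0101', 'referredEmail' => 'bob@example.com',
        'referredReason' => 'Kitchen remodel',
    ];
    echo insertEntry($db, $entry) . " row(s) inserted\n";
} catch (mysqli_sql_exception $e) {
    // Log the driver error server-side; do not echo it to the browser.
    error_log('entries insert failed: ' . $e->getMessage());
    echo "Could not save the entry.\n";
}
```

With MYSQLI_REPORT_STRICT enabled, a query that fails raises mysqli_sql_exception instead of returning false, so the "call to a member function on a non-object" failure mode seen earlier cannot occur.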