I have the following query:
var_dump($id); // string '51' (length=2)
$sql = "SELECT * FROM table WHERE id=$id";
$result = mysql_query($sql, $db);
$myrow = mysql_fetch_array($result);
var_dump($myrow) // null (NOT OK)
When I change the $id for a hard-coded value(51) it works:
$sql = "SELECT * FROM table WHERE id=51";
$result = mysql_query($sql, $db);
$myrow = mysql_fetch_array($result);
var_dump($myrow); // array 0 => string '51' (length=2) (OK)
It's as if the $sql is not getting parsed correctly. It is a very old site, could it be something to do with the PHP version the site was originally created for?
$sql = "SELECT * FROM table WHERE id=".$id;
// ALSO WORKS. But I am not really looking forward to doing a FIND & REPLACE
EDIT:
The site has hundreds of these types of queries. It is an old site that was developed my somebody else. I was wondering if there was an INI setting or something that has been switched between PHP versions that I can switch back.
Thanks
PHP Version: PHP5.2
The site was build for version 4.something.
rather than writing query like this
$sql = "SELECT * FROM table WHERE id=$id";
you can use this alternative also..
$sql = "SELECT * FROM table WHERE id='".$id."'";
use this please :
SELECT * FROM table WHERE `id` = $id
insert ` in both side of id
register_globals was turned off. I know the security implications but I have it on its own virtual server and haven't got time right now to fix it.
In htaccess:
php_flag register_globals on
Apart from the fact, that queries should be escaped (in this case casting to integer will suffice) or preferably created through prepared statements, my guess would be that it is the query that fails.
PHP have parsed double quoted strings since the beginning, so try outputting the value of $sql to see what gets sent to MySQL.
Related
so, I'm using one query to get the profile photo, i'm using the follow query:
$sql = "SELECT photo FROM users WHERE login = '$username'";
I already tried many ways to do, with and without the inverted commas.
$sql = "SELECT `photo` FROM `users` WHERE `login` = '$username'";
Next code is like:
$result = mysqli_query($link, $sql);
echo "<script>console.log('photo: ".$sql."');</script>";
When I check the console i see this error:
Uncaught SyntaxError: missing ) after argument list
When I do the query with just "select photo from users" it returns a value.
On another page I use the same code to get the permissions and it returns a value that I want
$sql = "SELECT permission FROM users where login = '$username'";
$result = mysqli_query($link, $sql);
if ($result->num_rows > 0) {
while ($row = mysqli_fetch_array($result)) {
$save = $row[0];
}
}
Permission Column is int;
Photo Column is varchar;
Since the query contains single quotes, you can't use single quotes around the argument to console.log(), because the quote in the query will terminate the JavaScript string.
Put double quotes around the JS string.
echo "<script>console.log(\"photo: ".$sql."\");</script>";
Your javascript console is wrapped in ' quotes, and your '$username' value is also using these single quotes so this is causing a problem.
Therefore; if you want to export this SQL string to your console, you need to escape these single quotes or to use alternative quotes in your javascript.
This issue is better resolved by Barmar's Answer.
BUT:
Best Practise; you should NOT be outputting SQL strings to your browser at all. This is a potentially severe security hole. Instead (especailly if your SQL server is 'localhost') you should be outputting your SQL data to your PHP error logs:
$result = mysqli_query($link, $sql);
//echo "<script>console.log('photo: ".$sql."');</script>";
error_log("Query Output: ".print_r($sql,true));
Then in your IDE or secured server connection (SFTP etc.) then you can access the PHP Error Logs and view the SQL more safely.
See also: Where does PHP store the error log? (php5, apache, fastcgi, cpanel)
I'm trying to run the following query:
SELECT * FROM `mytable` WHERE `mycolumn`='stringa /stringb'
This query works if run directly through PHPMyAdmin or in PHP as follows:
$query = "SELECT * FROM `eztrack` WHERE `visible`='1' AND `OrderHed_PONum`='stringa /stringb'";
$DB->query($query); // $DB is a mysqli object
However, when getting a search keyword from $_GET or $_POST, it returns an empty result:
$query = "SELECT * FROM `eztrack` WHERE `visible`='1' AND `OrderHed_PONum`='" . $DB->real_escape_string($_POST['q']) . "'";
$result = $DB->query($query); // $result->num_rows is 0
Do forward slashes need to be escaped? If so how? And why does it work when the search keyword is pasted directly into the file? Any help would be appreciated!
-- Edit: Solved --
The issue was not with PHP or mysqli. It had to do with copying data from Chrome. Please see my comment below.
Why do I see in several examples of mysql queries via php the syntax:
$q = "CREATE TABLE '$tablename' ('$t_id_name')";
or things similar to that? I'm asking about the single quotes around the variable names. Is this required in MySQL strings? If I echo the string, it seems to expand the variables whether the quotes are there or not.
And would this pose a problem if this were done for something that was intended to be an integer?
To answer your question, the quotes are necessary, but not to expand the variable. A typical SQL query would look like this:
$q = "SELECT * FROM `table` WHERE `first_name` = 'user3475234'";
Now, consider the following example:
<?php
$tablename = "users";
$user = "user3475234";
$q = "SELECT * FROM `$tablename` WHERE `first_name` = '$user'";
echo $q;
This will display: SELECT * FROM `users` WHERE `first_name` = 'user3475234'. Note that the quotes weren't necessary to output the string, but they were a necessary part of the query.
That being said, code like this opens your script to SQL injection. I won't explain too much about it, since there are plenty of resources discussing it, but consider the example where someone's username is user3475234' OR 1==1--. This username will effectively return all users in the table.
You must use backticks (`) for field or table name especially if the field or table name are same with mysql command. And you need to use single-quote (') for value.
My query:
$result = mysql_query("SELECT * FROM members WHERE email=$email")
or die(mysql_error());
In this case $email is filled with "info#frankkluytmans.nl". The error I get when this query gets executed is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#frankkluytmans.nl' at line 1
What am I doing wrong?
A couple things..
Don't use mysql_* functions, they're deprecated!
Sanitize the input. In your example, you should quote $email because it's a literal.
$result = mysql_query("SELECT * FROM members WHERE email='$email'")
quote it.
Also, the regular PHP mysql functions will be deprecated as of PHP 5.5.
Take a look at mysqli, pdo.
You need to put single quotes around $email
$result = mysql_query("SELECT * FROM members WHERE email='$email'")
for frankkluytmans.nl conflict with syntax for mysql query i.e tablename.columnname
$result = mysql_query("SELECT * FROM members WHERE email='".$email."'")
You need to put quotes around the email variable.
$result = mysql_query("SELECT * FROM members WHERE email='$email'")
or die(mysql_error());
You should know however, that the "mysql_" range of PHP functions are soon going to be deprecated and should be replaced with the mysqli API. A quick sample showing how to use it can be found at: http://www.php.net/manual/en/mysqli.query.php#refsect1-mysqli.query-examples
Try something like:
$result = mysql_query("SELECT * FROM members WHERE email='".$email."'")
or die(mysql_error());
You need to have quotes around the variable and its good practice to not have variables inside your string.
You might want to check out alternatives to MySQL_ though as its now deprecated. Try mysqli.
Please change your query.
$result = mysqli_query("SELECT * FROM members WHERE email='".$email"'");
Just trying to select all rows with no comments, or comments < 5 characters.
Starting from basics, this works:
$query= "SELECT * FROM `comments`";
$result = mysql_query($query);
What doesn't work is:
$query = "SELECT * FROM `comments` WHERE `comment` = ''";
or
$sql = "SELECT * from comments WHERE LENGTH(comment) < 5 LIMIT 30";
I've put limit 5 because when I do a COUNT on the "empty" comments, it says there's 4 bytes there. The column is not NULL (don't blame me, I didn't write it!)
I've even tried using phpmyadmin to change the "empty" values to the word "chicken", then running
So, I used phpmyadmin to change all the instances of comments < 4 characters to the word "chicken".
$query = "SELECT * FROM `comments` WHERE `comment` = 'chicken'";
As with ALL of the above errors, it spews out:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
But if I do
$emptycomment = "chicken";
$query = sprintf("SELECT * FROM `comments` WHERE `comment` = $emptycomment");
Invalid query: Unknown column 'chicken' in 'where clause'
WTF?! But that works perfectly in phpmyadmin! (all above tested on stable and alpha versions)
I also saw where someone else put:
$query = sprintf("SELECT * FROM `comments` WHERE `comment` = 'chicken'");
Again, no dice on any of the above.
The stupid thing is, these all work perfectly directly as a mysql query, and the above were even generated by phpmyadmin!
I've even updated php to 5.3.2, the mysql installed is 5.1.52
I've tried making it EXACTLY as per example 2 here, using variables for everything.
http://php.net/manual/en/function.mysql-query.php
I've followed the tutorial here:
http://www.devshed.com/c/a/MySQL/Null-and-Empty-Strings/3/
I've browsed about 20 articles here at Stackoverflow.
It's 11:15am. I started at 6:30. Getting a bit frustrated here. Thanks!
$emptycomment = "chicken"; $query = sprintf("SELECT * FROM comments WHERE comment = $emptycomment");
Have you tried to print $query after? You missed quotes around string variable
$query = "SELECT * FROM comments WHERE comment = '" . mysql_real_escape_string($comment) . "'";
I ran into a similar problem where an "empty" field wasn't NULL. What happens if you try the chicken with:
$query = "SELECT * FROM comments WHERE comment LIKE '%chicken%'";
This will give you a match even if you have CR/LF and other strange "invisible" characters involved.
From my experience the query generated by phpmyadmin puts quotes where I believe there shouldn't be any such as table names and once I remove those it works. I. E. "SELECT * FROM 'db'.'table'" doesn't work but "SELECT * FROM table" does.