Hello, I am new in php may be this one may be pretty much easy for you, but I'm stuck here
I have a $_get value $varialbe which is being use in mysql query in where = '$variable'
if it doesn't match any where value, it returns error.
Tutorials abound on this subject and hundreds of questions exist about getting started with PHP and passing variables into MySQL queries, etc.
Are you sure you've been through a few of those?
Variables from an HTML form passed as part of the URL get put into a $_GET array by PHP. So if you have a textbox with a name of "age" and a user submits it with a value of "20" you will see this URL:
http://domain.com/page.php?age=20
This value will be accessible using $_GET['age'] in PHP. To pass this value to MySQL you then would incorporate the value into the query, but only after doing some basic security and sanitizing!
$age = mysql_real_escape_string($_GET['age']);
Your MySQL query can then use this value like so:
$query = "SELECT FROM table WHERE age = $age;";
$result = mysql_query($query) or die(mysql_error());
Post your code and actual error messages for more specific answers and assistance.
Related
I'm using a SELECT query to obtain a variable using mysql_fetch_assoc. This then puts the variable into an UPDATE variable to put the returned value back into the database.
If I hard code the value, or use a traditional variable and it goes in just fine, but it doesn't work when using a value previously retrieved from the database. I've tried resetting the array variable to my own text and that works.
$arrgateRetrivalQuery = mysql_query(**Select Query**);
$arrGate = mysql_fetch_assoc($arrgateRetrivalQuery);
$arrivalGateTest = $arrGate['gatetype'];
$setGateAirportSQL = "UPDATE pilots SET currentgate = '".$arrivalGateTest."' WHERE pilotid = '".$pilotid."'";
$setGateAirportQuery = mysql_query($setGateAirportSQL);
// Close MySQL Connection
mysql_close($link);
This will just make the field to update have nothing in it, however whenever I remove the variable from the SELECT to one I define, array or not, it will work.
Hope this is clear enough. Thanks in advance.
Is arrivalGateTest a number or a string? How did you try to put another value in the query? If you are sure the previous query returns a value, try to write: $setGateAirportSQL = "UPDATE pilots SET currentgate = '$arrivalGateTest' WHERE pilotid = '$pilotid'";.
Just change your sql to inlcude a subquery.
You could use the following general syntax:
UPDATE pilots SET currentgate = (SELECT gate FROM airport WHERE flight='NZ1') WHERE pilotid='2';
which is demonstrated on this fiddle
This saves the extra query and more accurately describes what you are trying to achieve.
WARNING - test it carefully first!
I'm pretty new to web development so there's a good chance I'm doing something pretty dumb here.
I'm using AJAX to send data to a PHP file which will use the data to run SQL commands to update a table. I'm dealing with editing articles, so my PHP file needs to know three things: The original name of the article (for reference), the new name and the new content. I also tell it what page the user is looking at so it knows which table to edit.
$('#save_articles').click(function () {
var current_page = $('#current_location').html();
var array_details = {};
array_details['__current_page__'] = current_page;
$('#article_items .article_title').each(function(){
var article_name = $(this).html(); //The text in this div is the element name
var new_article_name = $(this).next('.article_content');
new_article_name = $(new_article_name).children('.article_content_title').html();
var new_article_content = $(this).next('.article_content');
new_article_content = $(new_article_content).children('.article_content_content').html();
array_new_deets = {new_name:new_article_name, content:new_article_content};
array_details[article_name] = array_new_deets;
});
send_ajax("includes/admin/admin_save_articles.php", array_details);
});
In the PHP file, I first retrieve the current page and store it in $sql_table and then remove the current page variable from $_POST. Then I run this.
foreach($_POST as $key => $value){
$original_name = $key;
$new_name = $value['new_name'];
$new_cont = $value['content'];
$query = "UPDATE
`$sql_table`
SET
`element_name`= '$new_name',
`element_content` = '$new_cont',
WHERE
`element_name` = '$original_name'";
$query = mysql_query($query);
if(!$query){
die(mysql_error());
}
}
I always receive an error saying that 'sitep_Home' is an incorrect table name. Not only is it a real table in my db, but I've actually changed its name to make sure it isn't an issue with keywords or something.
If I instead run the query without the variable $sql_table (specifying that the table is called 'sitep_Home'), the query accepts the table. It then doesn't actually update the table, and I suspect it's because of the WHERE argument that also uses a variable.
Can anyone see what I'm doing wrong here?
try to use $sql_table as '$sql_table' if you are sure that this contain a right table name.
Like you are using other column's value
Check if this can help!!
Dump/log your query before executing it - the problem should be quite visible after that (I suspect some additional characters in the table name).
Couple of things:
you should never trust your users and accept everything they'll send you in $_POST, use whitelist for the fields you'd like to update instead
your code is vulnerable to SQL injection, I recommend to use some framework / standalone library or PDO at least, avoid mysql_query which will be deprecated in the future. Check this to get some explanation http://www.phptherightway.com/#databases
Table names are case sensitive in MySQL. Please check if there is mistake in the case.
You have to surround name of mysql table in query in this `` qoutes. When you dinamically create mysql table it is very important to trim($variable of mysql name table) before create, because if "$variable of mysql name table" have space in the edns or in the start mysql not create table. And the last when you call dinamically $variable of mysql name table in query you have to trim($variable of mysql name table) again.
I need effective some solution for the following issue:
For some reason that would be too much time-consuming to explain properly, I need a PDO prepare statemnt sorta looking this way:
'SELECT field, another field, blabla FROM table WHERE some_foreign_id = first_val AND the_same_foreign_id = second_val AND again_the_same_id = third val ......'
and Id wish to fill the values with an array of unknown size, that depends on how many fields in that foreign table fits to a certain category in yet another table.
So the querstion is: is it even possible or should I give it up and find some naive walkaround?
Thanks in advance!
Mac
You can pass an array of values into stmt ->execute($array); The only tricky part would be getting the number of question marks to enter.
$foreign_ids = array(foreign_id_1, foreign_id_2, foreign_id_3); //etc
$input_list = substr(str_repeat(',?', count($foreign_ids)), 1); //this gets you the correct number of ? to use for your query
// if you need add another value to the parameters you can use array_push($foreign_ids,$your_other_param);
$stmt= $dbh->prepare("
SELECT field, another_field
WHERE some_foreign_id = ($input_list)");
$stmt->execute($foreign_ids);
It should be possible. You'll need to generate your query dynamically with question marks for parameters, and then bind with an array at the point of execution.
See example 3 on the PDO::execute page of the PHP docs.
I am trying to define variables from the results of a query, but I cannot manage to get this to work. I am trying to make my site multilangual, so I want to define a lot of text items (identifiers) that I have stored in a database. The table looks like this:
ID, Identifier, English, Dutch
1, Owned_by, "Owned by", "Eigendom van"
2, Owner_of, "Owner of", "Eigenaar van"
etc
etc
where the Column Identifier is the variable that I want to define and 1 of the 2 languages is the value that I want to give the variable. I have define a previous query from which the result is the language requested by the user, so $language_2 is the outcome from the previous query. So when $language_2 = "Dutch", I would like all the records in the table to be defined with the value in the column "Dutch".
When I use the code below the variables will be printed (echoed) but I cannot use them as an actual variable to use in my site.
$sql_3 = "SELECT Identifier, ".$language_2." as Language FROM translate";
$result_3 = mysql_query($sql_3) OR die (mysql_error());
while ($row_3 = mysql_fetch_array($result_3))
{
echo "$".$row_3['Identifier']." = '".$row_3['Language']."';<BR>";
}
How can I get them to actually become a variable that I can use in my site?
Add brackets arround the string that is the variable name:
${$row_3['Identifier']} = $row_3['Language'];
You can use mysql_fetch_assoc() to get an associated array if you must use the older mysql_* functions, then use variable variables to get what you want
$$row_3['Identifier'] = $row_3['Language'];
${$row_3['Identifier']} = $row_3['Language'];
I have a view that needs updating with a list of id's. So I am storing the values that have been selected to remove from the view in a session variable that then goes into the mySQL query as below. Then when the form is reset the values are also reset out of the array.
But its not working... this is what I've got.
Any help would be appreciated.
if($_POST['flag']=='flag'){
//collect deleted rows
$_SESSION['delete-row'][] = $_POST['idval'];
//Split session array
$idavls = join(',' , $_session['delete-row'];
$sqlDelete = "CREATE OR REPLACE VIEW filtetbl AS SELECT * FROM `".$page['db-name']."`.`leads_tbl` WHERE ".$_SESSION['filter-view']." AND `lead_status` = '1' AND `lead_id` NOT IN (".$idvals.") ORDER BY `lead_added`";
$result = mysql_query($sqlDelete);
if($result){
echo true;
}
else{
echo mysql_error();
}
}
$_session isnt the same as $_SESSION for a start.
Also dont use mysql_query or similar (because it isnt safe) use PDO
This is hard to correct without more information (and there are several errors - probaby cut and paste) so I'll pull apart one by one and you can go from there.
1 - $_SESSION['delete-row'][] = $_POST['idval'];
If 'idval' comes from multiple inputs (i.e. ) then it is already an array, and you should have $_SESSION['delete-row'] = $_POST['idval']; If you are looping in an array of inputs (i.e. trying to append for many posts from then it is correct)
2 - $idavls = join(',' , $_session['delete-row'];
$_SESSION (you said this was a type) and you also need a bracket/bract ar the end
$sqlDelete = "CREATE OR REPLACE VIEW filtetbl AS SELECT * FROM ".$page['db-name'].".leads_tbl WHERE ".$_SESSION['filter-view']." AND lead_status = '1' AND lead_id NOT IN (".$idvals.") ORDER BY lead_added";
Firsly this is very insecure as pointed out by allen213. Even if you don't use PDO to make safe the variable, please cast all the inputs as (int) assuming the IDs are integers, or at least wrap the input in mysql_real_escape_string().
Secondly, the logic in the question doesn't quite make sense. You say you want to remove IDs from the view, but what you are doing is recreating the view with only those IDs in $_SESSION['delete-row'] removed - so this may re-introduce IDs previously removed from the view. You'd actually need to keep $_SESSION['delete-row'] and keep adding to it to ensure the next time the view was created, then all the IDs are removed.
I hope that helps. If not, more code may be required (i.e. the form you are using the send data, anythign else that affects sessions etc.