I have a database table [id,first,second,third] with a lot of entries and I would like to delete all the entries when [first,second,third] are empty.
Can I use WHERE and OR?
Here is my code I would like to use. However, it might show some errors:
$sql= "delete * from mytable where first='' or second='' or third=''";
mysql_query($sql) or die("query failed: $sql".mysql_error());
You don't need * in this statement.
$sql= "delete from mytable where first='' or second='' or third=''";
Remove the star
$sql= "delete from mytable where first='' or second='' or third=''";
You don't need that with the delete statement
It's delete from, not delete * from
Adding something new to what hasn't already been said:
The asterisk isn't something that DELETE can use, only SELECT can. Yet what I am adding here is that an (mysql) aggregate function such as COUNT() can also use the asterisk.
An basic example:
SELECT COUNT(*) AS Total
FROM products
Here are their respective references:
https://dev.mysql.com/doc/refman/8.0/en/delete.html
https://dev.mysql.com/doc/refman/8.0/en/select.html
https://dev.mysql.com/doc/refman/8.0/en/counting-rows.html
Notes:
Some coders who are new to working with databases who used a SELECT query for something that worked for them, might have thought that using the asterisk (a.k.a. "star") in a DELETE statement uses the same syntax as SELECT and that it would delete everything. It's logical though, but it doesn't quite work that way with DELETE.
What needs to be used would either be TRUNCATE or DROP TABLE depending on what you want to do exactly. Delete just the selected records, all of the records or the table itself? The decision is yours.
For a specific record, use the WHERE clause.
Warning
Be careful with DROP TABLE, it will delete everything including any existing columns empty or not and their definitions.
Use TRUNCATE to only delete all of the records and not the columns and their definitions.
Please consult the manuals before usage:
https://dev.mysql.com/doc/refman/8.0/en/truncate-table.html
https://dev.mysql.com/doc/refman/8.0/en/drop-table.html
Footnote:
For those (re)visiting the question, please note that the mysql_* api is deprecated and deleted (no longer supported) in PHP 7.0.
Upgrade to either the mysqli_* or PDO api.
Consult the following references:
http://php.net/manual/en/migration55.deprecated.php
http://php.net/manual/en/book.mysqli.php
http://php.net/manual/en/book.pdo.php
Related
What is the simplest way of putting another mysql query inside a where clause in php.
For example I have tried:
$sql = "SELECT app, description FROM all-apps WHERE app!='(SELECT user, app FROM users-apps WHERE user="$user_name")'";
I need to bring up all the apps entries in the database. and then check if the user has the same app name in his list. if so it will not show up.
Basically there are 2 databases one has all apps and the other one has apps which the users have used and I need the query to find all the apps the user has not used.
Please comment bellow if this question is up to standard. Please have an opinion so I can fix on my mistakes in the future.
A few changes needed
"SELECT app, description FROM all-apps WHERE app NOT IN (SELECT app FROM users-apps WHERE user='{$user_name}')";
Note that this and your original query may leave you vulnerable to sql injection. Please use PDO prepared statements.
Thanks, with all of your help I was able to get this query to work:
$sql = "SELECT * FROM all_apps WHERE app NOT IN (SELECT app FROM users_apps WHERE user='{$user_name}') ";
This works by first selecting one table. Then choosing what column you want the WHERE to be. Then put IN if you want it to be in or NOT IN. Then in brackets your second query. Make sure to have it only select the one column. The IN clause also works if there are multiple results.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
MySQL Injection - Use SELECT query to UPDATE/DELETE
So I have found in my site bug that allows to perform sql injection
http://mysite.com/script.php?id=1 union select 1,2,3 will output all fields that has Id property equal to one plus one additional row with 1,2,3. I know that I have to validate user input to close my bug.
However my question is quite another. Is it possible to perform update query or insert query? I am able to comment query using --, however I cannot use multiple statements that are delimited by ;. So is it possible to perform update query in my case. I can show PHP code and SQL query if needed.
$sql = "SELECT id, title, text from table where cId=$val";
$result = mysql_query($sql);
$array = mysql_fetch_array($result);
//echo rows in table
Judging from MySQL Injection - Use SELECT query to UPDATE/DELETE
all that is protecting you is a limitation of mysql_query. I would not rely on this, and in particular not that it remains this way over time. You should never rely on a feature to be disabled by default. Maybe the next version already allows statements such as.
SELECT id, title, text from table where cId=1; DROP table table
Nope it is not possible. Most probably you ar running mysql_query, that would not allow multiple queries to be run in one pass. And hence if your query starts with SELECT (as it does), it would not allow any UPDATE injection
Edit: Use mysql_real_escape_string on your input even then
By default this should not be possible. Although there are options for mysql_query to run multiple statements in one string since MySQL 5.0 which you have to set with mysql_set_server_option.
Please consider changing your statement command like this to use mysql_real_escape_string:
$q = mysql_fetch_array(mysql_query("SELECT id, title, text from table where cId = " . mysql_real_escape_string($val)));
At the very best you change your code to use PDO since all mysql_* functions are officially deprecated.
I got two tables. One is account, another is Interest.
One account can have multi Interests and It can be edited.
Now, the process is deleting all Interest of this account then insert these insterests.
The QUERY IS:
"DELETE FROM Interests WHERE account_id='$id'"
"INSERT INTO Interests (account_id, interest_name) VALUES('$id', '$name')"
I use the both query when user update their account, but the insert is fail, there is nothing insert into the table (ps. the interests_id is auto_increment and this was be counted) but there is nothing new in the table. When I comment out the delete query. The insert will be successful.
Does any one know what can i do?
If you want to update your table records, you will do update operation.
like this:
UPDATE TABLE_NAME SET FIELD_NAME = 'VARIABLE_NAME'
WHERE PRIMERY_FIELD_NAME = 'VARIABLE_NAME' ;
you did not have to use these two queries, if you want to update data simply use the updat query of mysql.use this:
<?php
$query = "UPDATE Interests SET interest_name = '".$name."' WHERE account_id = '".$id."'" ;
mysql_query($query);
?>
If you want to update your table records then you may execute update operation. It like following
UPDATE Interests
SET
interest_name = '$name'
WHERE
accountno = '$id' ;
Try it. You may solve your problem by this way.
If you have queries failing, you should capture the error and see what went wrong. In all MySQL APIs for PHP, a query that fails returns a status code to indicate this. Examples of checking this status code are easy to find in the docs. But most developers fail to check the status.
Use transactions to ensure that both changes succeed together or neither are applied.
How to Decide to use Database Transactions
Definition of a transaction in MySQL: http://dev.mysql.com/doc/refman/5.5/en/glossary.html#glos_transaction
Syntax for starting and committing transactions in MySQL: http://dev.mysql.com/doc/refman/5.5/en/commit.html
You need to use InnoDB. MyISAM does not support transactions. http://dev.mysql.com/doc/refman/5.5/en/innodb-storage-engine.html
In PHP, you need to stop using the old ext/mysql API and start using MySQLi or PDO.
http://php.net/manual/en/mysqli.quickstart.transactions.php
http://php.net/manual/en/pdo.begintransaction.php
This happens because the query are treated as two single transaction, so the order of execution is not guaranteed.
The effect you are describing is because the insert is processed before delete, so the interests_id is auto-incremented properly, then the row is deleted by delete statement.
You should change the query logic or perform both queries in one single transaction.
How to insert data into two or more tables?
Currently I am using this trick. (Let just assume that the syntax is correct)
$Sql1 = "insert into user";
$Sql2 = "insert into files";
$Sql3 = "insert into messages";
query $Sql1
query $$ql2
query $Sql3
So I am using this and I need to optimize.
Also, I think I need to use Foreign key? But I don't know how to do it on phpmyadmin.
and lastly:
This is all I want.
To insert data on the "user" table and then automatically the table "messages" and "files"
will have also an ID which is the same with the user.. That is why I use to 3 queries in my code.
Please help me.
Thanks in ADVANCE!
myb
It is perfectly fine to use multiple queries.
However, you should wrap the 3 queries into one transaction. That is, if one query fails for some reason, the effects of all previous queries (if any) can be rolled back so that your database stays in a consistent state.
Note: Transactions are not possible with MySQL's MyISAM tables. Additionally you have to use PHP's Mysqli (or PDO) to be able to use transactions. (I assume that you're not using some high-level data base abstraction layer.)
As to your question regarding foreign keys: As far as I know, it makes no difference when you're using the MyISAM engine for the tables in your database (which I presume), because MyISAM doesn't even support the explicit modeling of foreign keys. Other table engines like InnoDB, however, can use foreign keys to check certain constraints like "a message must always be associated with an existing person".
Here are some nice examples regarding foreign keys: http://www.postgresql.org/files/documentation/books/aw_pgsql/node131.html
This is the answer, I think : http://dev.mysql.com/doc/refman/5.1/en/example-foreign-keys.html
With mysql u can use LAST_INSERT_ID() or in php mysql_insert_id() function. Checkout this manual entries:
http://dev.mysql.com/doc/refman/5.0/en/getting-unique-id.html
http://php.net/manual/en/function.mysql-insert-id.php
this is part of a security audition, so there is no way to "change" the query.
Basically, what I found is a flaw that allows statement manipulation, so basically it goes like:
$query = "DELETE FROM `products` WHERE `products`.`whatever` = $variable";
This is PHP, so as far as I know there is no way to execute multiple queries. Using this SQL Injection, I was able to "clear" this table by running "0 OR 1=1#".
This works just fine, but it doesn't allow me to choose more tables to delete from.
This is, in pseudocode what I want to do:
DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1, FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**
Is this plausible anyhow?
If this isn't reliable, is there any other way I could use this?
You can't have multiple FROM clauses for the same DELETE statement, so you can't go about it exactly how you'd want to. If the MySQL db had 'allow multiple queries per statement' turned on, you could try to terminate the one DELETE query and then tack on another to the end, so that it'd look like this:
DELETE FROM `products` WHERE `products`.`whatever` = **0 OR 1=1; DELETE FROM `othertable` WHERE `othertable`.`othercolumn` = 0 OR 1=1**
But that's about it.
Perhaps I don't fully understand the question, but what I take away is that you're building a SQL command as a string and running that string directly against a MySQL database.
You can separate multiple commands using the command separator (usually ';'), so you could run pretty much any command you want as this comic aptly illustrates.
If your database configuration supports multiple commands (or might in the future if someone changes today's setting), you want to ensure you don't have a command separator as part of the input. See this article for advice on sanitizing your input to prevent this type of attack.
As you stated, multiple queries are not supported by the normal MySQL driver module. From the manual for mysql_query:
mysql_query() sends a unique query
(multiple queries are not supported)
to the currently active database on
the server that's associated with the
specified link_identifier .
Unfortunately for your injection efforts, DELETE syntax only supports multiple table deletes by specifying them in the FROM clause. Your injected variable is part of the WHERE, so the most damage you can do is to the single specified table.
Contrary to popular belief, you can actually run multiple MySQL statements from PHP, you just have to be using a different database driver module such as MySQLi. See MySQLi::multi_query().