If I use a variable in a PHP SQL statement that also has COUNT, I get an error. If I use a literal number instead of the variable, it works fine. In the code below, you can see where I set my variable. It's set to "test2", first line of code below.
What am I doing wrong?
//$tag_text_ipb hardcoded here for testing
$tag_text_ipb="test2";
//when I replace $tag_text_ipb with the literal 'test2' in SQL below, it works fine.
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = $tag_text_ipb";
$dlresult_total_tags = mysql_query( $query_total_tags );
//Mysql reports an error here (see below for the error text) ONLY when I use the $tag_text_ipb variable in the SQL statement.
$tag_count = mysql_result($dlresult_total_tags, 0); // second argument is the row number; row 0 holds the COUNT(1) value
The error is:
Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /home/ipboard/admin/... : eval()'d code on line 3884
This error disappears and everything works properly if I use a literal in the SQL statement instead of $tag_text_ipb.
You're missing quotes around the tag text var in your SQL. Should be like this:
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = '".$tag_text_ipb."'";
$query_total_tags = "SELECT COUNT(1) ... AND tag_text = '$tag_text_ipb'";
^ ^
You need to quote the text values, otherwise your query will be malformed. Please do read about SQL injection, and see if you can use bind parameters rather than raw queries.
try this
$query_total_tags = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = '$tag_text_ipb'";
(single quotes around $tag_text_ipb)
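The COUNT query from the question written with a mysqli prepared statement, as an added example that is not code from any of the answers above. It assumes a mysqli connection in $mysqli (the hostname, credentials and database name are placeholders) and the core_tags table from the question.

```php
<?php
// Added example: the tag text is sent as a bound parameter, so quoting is no
// longer the caller's job and any value (quotes, spaces, SQL keywords) is data.
declare(strict_types=1);

function countDownloadTags(mysqli $mysqli, string $tagText): int
{
    // The placeholder takes the place of the interpolated $tag_text_ipb.
    $sql = "SELECT COUNT(1) FROM core_tags WHERE tag_meta_app = 'downloads' AND tag_text = ?";

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $tagText);   // 's' binds the value as a string
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    return (int) $count;
}

// Assumed connection details; replace with your own.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'ipb');
$mysqli->set_charset('utf8mb4');

// The hard-coded value and a value taken from the request go through the same path.
echo countDownloadTags($mysqli, 'test2'), "\n";
echo countDownloadTags($mysqli, $_GET['tag'] ?? 'test2'), "\n";
```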
Related
I have this code
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = $key->email");
What I was trying to do is count the number of emails where email = "sample@gmail.com", where the email to compare is generated from another foreach loop.
I am having the following error:
"WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 1]"
I tried by comparing names that have spaces. I got the same error because of the space.
Any tips on how to use WHERE with special characters?
An email is a string so you should use quotes, where email = '$key->email', though you're also open to SQL injection; if not, it's better safe than hacked.
So you should use prepared statements instead using prepare().
<?php
$results = $wpdb->get_results(
$wpdb->prepare('
SELECT Count(*)
FROM wp_comp_review_list
WHERE email = %s',
[
$key->email
]
)
);
This should also work using esc_sql(), though avoid when you can:
<?php
$email = esc_sql($key->email);
$wpdb->get_var("
SELECT Count(*)
FROM wp_comp_review_list
WHERE email = '{$email}'"
);
?>
Use this :
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = '$key->email'");
Since your $key->email has a space, it is no longer a single word, and the next thing after the space is treated as an SQL keyword (which it is not).
You are missing the quotes '' in the condition:
$ntimes = $wpdb->get_var("SELECT Count(*) FROM wp_comp_review_list where email = '$key->email'");
I need to use the number of the district to be the tail end of my variable. Example $publish_page_ADD THE DISTRICT NUMBER
I am grabbing the $district_num from my url which I've verified with echo
Here is what I've tried
$district_num = $_REQUEST['district_num']; // from url and works
$publish_page_.''.$district_num = $district_var['publish_page_'.$district_num.'']; //this does not work
$publish_page_.''.$district_num = addslashes($_POST['publish_page_'.$district_num.'']); //this does not work
$sql = "UPDATE districts SET
publish_page_$district_num = '$publish_page_$district_num' //this does not work and throws error "can not find publish_page_ in field list
WHERE district_num ='$district_num'"; //this works when the above code is removed
Follow up on corrected code... Thank you @cale_b and @Bill Karwin
$district_num = (int) $_REQUEST['district_num'];
$$publish_page = "publish_page_{$district_num}";
$$publish_page = $district_var[ "publish_page_{$district_num}"];
if (isset($_POST['submitok'])):
$$publish_page = addslashes($_POST[$publish_page]);
$sql = "UPDATE districts SET
publish_page_{$district_num} = '$publish_page'
WHERE district_num ='$district_num'";
If you want to learn about PHP's variable variables, it's in the manual (I linked to it). But you actually don't need it in your case.
Be careful about SQL injection. Your code is vulnerable to it.
Since you're using input to form a SQL column name, you can't use SQL query parameters to solve it. But you can cast the input to an integer, which will protect against SQL injection in this case.
$district_num = (int) $_REQUEST['district_num'];
$publish_page_col = "publish_page_{$district_num}";
The above is safe because the (int) casting makes sure the num variable is only numeric. It isn't possible for it to contain any characters like ' or \ that could cause an SQL injection vulnerability.
For the other dynamic values, use query parameters.
$publish_page_value = $_REQUEST["publish_page_{$district_num}"];
$sql = "UPDATE districts SET
`$publish_page_col` = ?
WHERE district_num = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([ $publish_page_value, $district_num ]);
As @cale_b comments below, you should understand that in PHP, variables can be expanded inside double-quoted strings. See http://php.net/manual/en/language.types.string.php#language.types.string.parsing for details on that.
I have the following code:
$indtag = '';
foreach($pretag as &$indtag) { //cycles through tags, puts quotes into check by tag
$quote = mysqli_query($mysqli, "SELECT `id`, `$indtag` FROM `beyonce` WHERE `$indtag` LIKE '%$indtag%'");
while($row = mysqli_fetch_assoc($quote)) {
echo $row['$indtag'];
echo $row['id'];
}
}
The table has fields for ids, quotes, then an individual column for each tag (ang for anger being an example). pretag is an array full of tags (rom is romance, ang is anger, dece is deception) that I'm running through, trying to find quotes with those IDs and tags. The statement works fine in SQL when I run it with ang, it selects the IDs fine, but when I try to select the column/field for a tag using a variable, nothing comes back. Any ideas?
You're using the variable $indtag where you should be using the column name indtag:
SELECT `id`, `$indtag` FROM `beyonce` WHERE `$indtag` LIKE '%$indtag%'
^ ^
And as @tadman points out, don't do it this way, use mysqli_stmt_bind_param with a prepared statement or you are in for a wild ride.
This line in your code doesn't need quotes.
echo $row['$indtag']; // Won't work
echo $row[$indtag]; // Will work
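The tag lookup from the question with the column name checked against a fixed whitelist and the LIKE value bound as a parameter, as an added example that is not code from the question or the answers. A column name cannot be bound with mysqli_stmt_bind_param, so the whitelist is what keeps $indtag out of the SQL as anything other than a known column; the example assumes the `beyonce` table and the tag columns named in the question, with placeholder connection details.

```php
<?php
// Added example: whitelist the identifier, bind the value.
declare(strict_types=1);

// The only columns a tag is allowed to name (from the question: rom, ang, dece).
const TAG_COLUMNS = ['rom', 'ang', 'dece'];

function quotesForTag(mysqli $mysqli, string $tag): array
{
    if (!in_array($tag, TAG_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown tag column: $tag");
    }
    // Safe to interpolate now: $tag is one of our own literals, not request text.
    $sql = "SELECT `id`, `$tag` FROM `beyonce` WHERE `$tag` LIKE ?";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $pattern = '%' . $tag . '%';        // the value side stays a bound parameter
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $value);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, $tag => $value];
    }
    $stmt->close();
    return $rows;
}

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'quotes');   // assumed
$mysqli->set_charset('utf8mb4');

// Constructed input: two real tags and one name that is a column but not a tag.
$pretag = ['ang', 'rom', 'id'];
foreach ($pretag as $indtag) {
    try {
        foreach (quotesForTag($mysqli, $indtag) as $row) {
            echo $row['id'], ' ', $row[$indtag], "\n";   // $row[$indtag], not $row['$indtag']
        }
    } catch (InvalidArgumentException $e) {
        echo 'skipped: ', $e->getMessage(), "\n";        // 'id' is rejected here
    }
}
```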
<?php $daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
echo $daerah_ejen1;
echo $kumpulan_ejen1;
echo $kumpulan_ejen;
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
$result = mysql_query($sql) or @error_die("Query failed : $sql " . mysql_error());
?>
my url
laporan_kk_detail.php?daerah_ejen=HULU+LANGAT&kumpulan_ejen=Ketua Kampung
In the output, the daerah_ejen variable is displayed,
but kumpulan_ejen/kumpulan_ejen1 is not displayed.
I don't know where the problem is.
Your quotes when accessing the $_GET variable are invalid. Try this:
<?php
$daerah_ejen1 = $_GET["daerah_ejen"];
$kumpulan_ejen1 =$_GET["kumpulan_ejen"];
And you should read something about security, because malicious code can be passed to your script!
Edit: you can have a look at this thread https://stackoverflow.com/questions/19539692/sanitizing-user-input-php
You are converting the GET values to strings using double quotes, so remove them and try:
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
Also use mysql_real_escape_string() to prevent SQL injection.
The quotes go around the parameter name. This is because $_GET[] is an associative array and its values are referenced using a string key.
$daerah_ejen1 = $_GET['daerah_ejen'];
$kumpulan_ejen1 =$_GET['kumpulan_ejen'];
Always sanitize your parameter values before using them in a query to protect yourself against SQL injection.
$daerah_ejen1 = $mysqli->real_escape_string($daerah_ejen1); // $mysqli is an open mysqli connection
You face 2 problems in your code:
1st is:
$daerah_ejen1 = "$_GET[daerah_ejen]";
$kumpulan_ejen1 ="$_GET[kumpulan_ejen]";
replace it by this :
$daerah_ejen1 = $_REQUEST['daerah_ejen'];
$kumpulan_ejen1 =$_REQUEST['kumpulan_ejen'];
2nd is:
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '$daerah_ejen1' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
replace it by this :
$sql= "SELECT * FROM data_ejen WHERE daerah_ejen= '".$daerah_ejen1. "' AND kumpulan_ejen='Ketua Kampung' ORDER BY nama_ejen";
If you need to put the $_GET['name'] in double quotes, wrap it in {} brackets.
e.g.
$kumpulan_ejen1 ="{$_GET['kumpulan_ejen']}";
Also, as dbh pointed out, you only have $kumpulan_ejen1, not kumpulan_ejen.
I put this in an SQL statement:
WHERE course_num = '$course_details['course_num']'
term_cd = '$course_details['term_cd']'
term_year = '$course_details['term_year']'
course_title = '$course_details['course_title']'
units = '$course_details['units']'
and got an error. Because this clearly doesn't work, how do you index a variable in an SQL statement?
Use
{$arrayvar['index']}
You can also omit the single quotes, but I think it's better to have them.