Is it possible to add WHERE id = '$id' to the end of my $query string? My $query string reads as:
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
Thanks
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = "' . $id . '"';
If $id is just a number (most likely) you can do...
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = ' . $id;
Also use mysql_real_escape_string() as ZombieHunter replied in his answer.
Do not append variables directly. Use mysql_real_escape_string() to avoid potential SQL injections!
I strongly encourage you to read this page about SQL injections:
http://www.php.net/manual/en/security.database.sql-injection.php
If $sqlConditions contains more than one condition (as the variable name states), this is a dangerous operation. Anyway, if you really want to use it this way, you need to put it after the WHERE condition.
$query = 'UPDATE students SET column = value WHERE ' . join(' , ', $sqlConditions) . ' AND id = ' . mysql_real_escape_string($id);
If $sqlConditions contains the SET statement this is a dangerous operation too. Use the actual column names together with mysql_real_escape_string():
$query = 'UPDATE students SET column1 = value1, column2 = value2 WHERE id = ' . mysql_real_escape_string($id);
Related
I have set up a query as such:
$query = 'SELECT SGC.sys_id, TBL.semester, SGC.bonus, SGC.exam, SGC.ca FROM SubjectGradeComponent AS SGC, ';
$query .= '(SELECT `sys_id`, `semester` FROM AcademicYearTerm AS AYT, SubjectYearTermLevel AS SYTL WHERE academic_year = "' . $academic_year . '" AND SYTL.subject_id = ' . $subject_id . ' AND SYTL.form_level = ' . $form_level. ' AND SYTL.yearTerm_id = AYT.yearTerm_id) AS TBL ';
$query .= 'WHERE SGC.sys_id = TBL.sys_id;';
However when I run the query, $mysql->query($query);it returns an empty result with 0 rows. Running the same query on phpmyadmin shows the desired result. I have looked around but do not understand the problem.
$mysql->error does not show any error message either
EDIT:
generated query is like this:
SELECT SGC.sys_id, TBL.semester, SGC.bonus, SGC.exam, SGC.ca FROM SubjectGradeComponent AS SGC, (SELECT `sys_id`, `semester` FROM AcademicYearTerm AS AYT, SubjectYearTermLevel AS SYTL WHERE academic_year = "2018-2019" AND SYTL.subject_id = 1 AND SYTL.form_level = 1 AND SYTL.yearTerm_id = AYT.yearTerm_id) AS TBL WHERE SGC.sys_id = TBL.sys_id;""
Question is where are the "" from?
Looks like you want a JOIN query instead.
You should also use prepared statement with placeholders ? instead of injecting values directly into the query.
$query = "SELECT SGC.sys_id,
AYT.semester,
SGC.bonus,
SGC.exam,
SGC.ca
FROM SubjectGradeComponent AS SGC
JOIN AcademicYearTerm AS AYT
ON SGC.sys_id = AYT.sys_id
JOIN SubjectYearTermLevel AS SYTL
ON SYTL.yearTerm_id = AYT.yearTerm_id
WHERE academic_year = ?
AND SYTL.subject_id = ?
AND SYTL.form_level = ?";
I have a variable $categoryName which has value ABC/ABC (for example). I nedd to add quotes around this text "ABC/ABC". This is my PHP code:
public function getCategoryID($categoryName)
{
$row = Db::getInstance()->getRow('
SELECT `id_category`
FROM ' . _DB_PREFIX_ . 'category_lang c
WHERE c.`name` = ' . $categoryName);
return isset($row['categoryName']);
}
And the error from mysql.
SELECT `id_category`
FROM ps_category_lang c
WHERE c.`name` = ABC/ABC LIMIT 1
How to solve this problem ? Thanks for help.
Just put the quotes in the string.
$row = Db::getInstance()->getRow('
SELECT `id_category`
FROM ' . _DB_PREFIX_ . 'category_lang c
WHERE c.`name` = "' . $categoryName . '"');
As mentioned in the comments, it would be better if you used prepared statements to protect against SQL injection. If you can't do that, you should make sure to escape $categoryName properly.
See How can I prevent SQL injection in PHP?
guys i have a large database so when i want to fully update my some column i have timeout error (i attempt some method to increase timeout and fail) But my question is i want to bypass this problem i want to update my empty column in some table. so i want to use this query code but i have blank page with no error can some one tell me what problem with that or if possible pleas tell me a good method.
$sql = 'SELECT topic_first_poster_avatar FROM ' . TOPICS_TABLE . ' WHERE topic_poster = ' . (int) $row['user_id'] . 'IF topic_first_poster_avatar = ""
SET topic_first_poster_avatar = \'' . $db->sql_escape($avatar_info);
$db->sql_query($sql);
As plalx said in the comments, you don't need a SELECT or IF, you can specify WHERE for the update statement and have multiple contraints with AND/OR.
$sql = "UPDATE ". TOPICS_TABLE ."
SET topic_first_poster_avatar = '" . $db->sql_escape($avatar_info) ."'
WHERE topic_poster = " . (int) $row['user_id'] . " AND topic_first_poster_avatar = ''";
I have an array $friends and I used $friend_new = join(',',$friends ); to get name1,name2,name3.
But when I use this query I got error:
$query = mysqli_query($connect_db, "SELECT * FROM post WHERE name IN ($friend_new )");
Does anyone know where the problem is?
You should use implode("','", $friends) and IN ('$friends_new') as these are string values.
Your code is vulnerable to injection. You should use properly parameterized queries with PDO / mysqli
Your list has to look like:
... IN ('friend1','friend2','friend3')
If you have an array of friends such as:
$friends = array("friend1","friend2","friend3");
You can use implode to prepare for use with an IN:
$friend_new = "'" . implode("','", $friends) . "'";
Finally,
SELECT * FROM post WHERE name IN ($friend_new)
The way you do it the individual strings won't be quoted, and that causes the error. As join allows you to specify a "glue" longer than 1 character you can do as follows:
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('".join("', '", $friends)."') ";
or
$friend_new = join("', '", $friends);
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('$friend_new') ";
that is, have join write the intermediate ', ' , and surround with ''
My part_no column has the following format: 000-00000-00 for all records.
I need to extract the five middle characters from part_no and place it in the core column when I create the record.
I can't get my script to work.
I'm not getting any errors. Just not working.
$order = "INSERT INTO cartons_added (add_time, type, part_no, add_type, add_qty, add_ref, add_by, add_notes)
VALUES
('$date',
'$_POST[type]',
'$_POST[part_no]',
'$_POST[add_type]',
'$_POST[add_qty]',
'$_POST[add_ref]',
'$_POST[add_by]',
'$_POST[add_notes]')";
$result = mysql_query($order);
$query2 = "select part_no from cartons_current";
$sel = mysql_query($query2);
$res = mysql_result($sel);
while($row = mysql_fetch_row($res)) {
$core_digits = split('-',$row[0]);
$core =$core_digits[1];
$query3 = "insert into cartons_current(core) values($core)";
$sel2 = mysql_query($query3);
}
You can update your cartons_current table based on your cartons_added table with something like:
INSERT INTO cartons_current(core)
SELECT SUBSTR(part_no, 5, 5) FROM cartons_added
You will probably want to limit that with a WHERE clause or maybe deal with what happens when this value is already in cartons_current (use either INSERT IGNORE or ON DUPLICATE KEY UPDATE)
You are right, the script has no error.
I think the problem is on your SQL that made you can't insert a new row, specifically on the table structure. Maybe you defined a PRIMARY KEY without AUTO_INCREMENT, defined a INDEX or UNIQUE key that is not the core key or there have some other key that did not have default value. Remember that you can't insert a row without defining all required field.
You script is selecting all part_no and for every part_no you are inserting a new row in the same table, so maybe there is the problem.
I think what you want is update every result to add they core value, you can do that with UPDATE as this code:
function getValue($value) {
return "'" . trim(mysql_real_escape_string($value)) . "'";
}
mysql_query('INSERT INTO `cartons_added` (`add_time`, `type`, `part_no`, `add_type`, `add_qty`, `add_ref`, `add_by`, `add_notes`)
VALUES (' .
getValue($date) . ', ' .
getValue($_POST[type]) . ', ' .
getValue($_POST[part_no]) . ', ' .
getValue($_POST[add_type]) . ', ' .
getValue($_POST[add_qty]) . ', ' .
getValue($_POST[add_ref]) . ', ' .
getValue($_POST[add_by]) . ', ' .
getValue($_POST[add_notes]) .
')');
$partNoQuery = mysql_query('SELECT `part_no` FROM `cartons_current`');
while($partNoResult = mysql_fetch_assoc($partNoQuery)) {
list($prefix, $core, $suffix) = explode('-', $partNoResult['part_no']);
mysql_query('UPDATE cartons_current SET `core` = \'' . $core . '\' WHERE `part_no` = \'' . $partNoResult['part_no'] . '\'');
}
I added getValue function to escape posted data to prevent SQL injection.
Try removing this
$res = mysql_result($sel);
And change your while to reference the main query resource
while($row = mysql_fetch_row($sel)) {
I don't understand your logic with your tables though. You're inserting data into the cartons_added table but then you're selecting from cartons_current?
Also, split is deprecated as of PHP 5.3.0
You said five middle "characters", so I'd add quotes around your variable like so:
$query3 = "insert into cartons_current(core) values('$core')";
(Also, there's only about a gazillion answers on SO about SQL injection, and using pdo)
INSERT INTO cartons_current(core)
SELECT
substr(part_no,position('-' IN part_no)+1,position('-' IN substr(part_no,position('-' IN part_no)+1))-1)
FROM cartons_added;