I've been coding with PHP and MySQL for about a year now and have gotten the hang of it pretty well; constructing really complicated queries with joins and calculated fields and all the other joys of MySQL hasn't been a problem for me in months.
BUT there's something syntactically screwy with the following chunk of code that I can't figure out - even though it's impossibly simple, and, even more infuriating, is closely related to other parts of the project that I'm working on (and which works flawlessly).
Here's the problem code I'm trying to run, followed by the bugchecking I've already done to try to isolate the problem.
If anyone has any suggestions, I'd be totally grateful because I'm beginning to lose my mind.
Problem:
I'm really losing my mind over this, so please don't laugh when you see the code:
$query="SELECT count(somefield) FROM db_name WHERE otherfield='".$myvariable."'";
My query finds no results when using a certain variable as part of a field search - even though I know that there are over 900 records in the database that should match.
Bugchecking:
Because I know the value of the variable I'm passing to the query, I've tried hardcoding it into the query and it works fine.
I've run the query in the MySQL console (again, of course, hardcoded instead of with the variable) and it works fine.
To my mind, these two facts eliminate the possibility that there's something syntactically incorrect with the PHP version of the query.
In order to eliminate all possible database connection issues and to make sure the problem isn't related to iterating through the results returned, instead of trying to get the actual results, I've altered my original query to return only the count of the results and have incorporated the standard or die(mysql_error()) statements during the connection sequence. The query is executing, but is finding 0 results, so that eliminates the possibility that it's a connection issue.
I've verified that the field I'm checking is the correct field for the information I'm looking for (like I said, it runs fine if I hardcode the variable into the query... which, of course, will not be an option in the finished code).
I've checked the type of the variable before trying to pass it into the query (figuring that maybe, because it's pulled from a returned xml earlier in the script, that maybe it was showing up as an array or something). It typed as string.
I've verified that the variable is formatted in the way that I expect it to be found in the database; strtoupper, etc.
I've tried using LIKE '%".$myvariable."'"; still no dice.
Anyone have any suggestions for what I can do to figure out what the hell is going wrong? Thanks so much!
It's not a PHP issue so quotes have nothing to do with it.
The query has no error, so you'll need to debug it step by step.
I. SELECT count(*) FROM table_name
II. SELECT count(*) FROM table_name WHERE field='$myvariable'
Where you're dealing with PHP variables in query, echo the query and run it directly in database to omit PHP's side of error.
III. SELECT count(somefield) FROM table_name WHERE field='$myvariable'
Is the $myVariable escaped? If not, escape it using
$escapedVariable=mysql_real_escape_string($myVariable);
and then run
$query="SELECT count(somefield) FROM db_name WHERE otherfield='$escapedVariable'";
Thanks so much to everyone who tried to help, but I figured it out several hours after posting: The first problem was that I forgot to use mysql_real_escape_string($myvariable)... the reasons for how and why I forgot are manifold, but there it is.
So, after plugging that guy back in (which I had ASSUMED had been in this particular module of my code in the first place, but that's where "assuming" gets you, lol), I thought I had the whole thing licked. Three hours later, and still nothing. THEN I realized that it had to be related to XML that was being parsed into the $myvariable... so around and around we went with that one for a few more hours.
FINALLY, I realized that the real culprit was my eyes (which aren't so great)... what looked like a perfectly legit quoted string while reading a debug echo of the query before running turned out to have leading and trailing white space (which, of course, I instantly removed with $myvariable=trim($myvariable, " ")), and, that, of course, solved the entire problem...:<
... Yes, I am an idiot, and I'm sorry, but, after working over this UTTERLY INFURIATINGLY stupid line of code for over 48 hours (I'm used to writing things like:
$query="UPDATE db_one.table_one SET item1='".(string)$result_array[$i][1]."', item2='".(string)$result_array[$i][2]."' WHERE thing3=".(string)$result_array[$i][19];
... and other assorted fun nonsense), I had to resort to asking (because I - no pun intended - couldn't "see" the problem... ugh)... SO... I am an idiot, and I'm sorry (but encouraged by the efforts of all of you nice people who tried to help) and am sorry for wasting everyone's time. I need to learn how to handle XML much *more*.
Sorry and thanks again!
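An added example (not code from the thread): one way to make stray whitespace in an XML-derived value visible before the query runs, and then compare against a trimmed, bound parameter. It uses PDO with an in-memory SQLite database so it runs offline; the XML snippet, the `records` table and the `reveal()` and `count_matches()` helpers are constructed for illustration.

```php
<?php
// Constructed sample: an XML payload whose element text carries stray whitespace.
$xml = simplexml_load_string("<item><code>\n   ABC123 \t</code></item>");
$myvariable = (string) $xml->code;

// Show a value with every control or high byte spelled out, plus its real length.
function reveal($value)
{
    return sprintf('[%s] len=%d hex=%s',
        addcslashes($value, "\0..\37\177..\377"), strlen($value), bin2hex($value));
}

// Constructed table standing in for the poster's data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (otherfield TEXT, somefield INTEGER)');
$pdo->exec("INSERT INTO records VALUES ('ABC123', 1), ('ABC123', 2), ('XYZ789', 3)");

// Bound parameter: no string concatenation and no manual escaping.
function count_matches(PDO $pdo, $value)
{
    $stmt = $pdo->prepare('SELECT COUNT(somefield) FROM records WHERE otherfield = ?');
    $stmt->execute(array($value));
    return (int) $stmt->fetchColumn();
}

// Raw value straight from the XML: the brackets and hex dump expose the padding.
echo reveal($myvariable), ' -> ', count_matches($pdo, $myvariable), " rows\n";

// trim() with no second argument strips spaces, tabs, newlines, CR, NUL and VT;
// passing " " as the character list strips spaces only.
$clean = trim($myvariable);
echo reveal($clean), ' -> ', count_matches($pdo, $clean), " rows\n";
```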
I always wrote it like this
$query="SELECT count(somefield) FROM db_name WHERE otherfield='$myvariable' ";
Try removing the double quotes and dot at the variable name
You shouldn't need the parentheses around the var. Plus look at other changes.
$query="SELECT count(*) FROM table_name WHERE field='$myvariable'";
Related
As an Amateur PHP Developer I often have this problem of mixing sequences and variables.
SHORT :
So what would be the tips to keep in mind when writing a webpage that has many SQL queries.
I have thought of an idea of making a function but I am not sure if that would be of any good.
LONG:
The problem is I have a PHP page that has many sql queries which are followed by result, row , row_number, and die() if result unsuccessful after running the query.
I number them as sql1, result1, row1, error1, mysqlouput1 and sql2.... and so on..
When I add one more query after five or six days I have to go through the whole code to find out which was the last sequence used and take the next one; many times I just use the same and it creates strange problems.
The same problem with variables, as the same page is loading again and again with different POST and GET ids keeping track of variables is just too messy.
So what would be the tips to keep the code well sequenced, readable and variable names unique and understandable.
I have thought of writing a function that takes the SQL as the input and gives the result, row, row count, and error as output.
What would you experienced people suggest ?
Thanks.
At first you should really try to just use relevant names for your variables.
Like if you are looking for all the users, use variables like $sqlUsers, $queryUsers, $resultUsers/$usersArray
The idea with the function would be one way to tackle the problem, as it is no longer possible to code errors in the process itself, so if you do not want to switch to object-oriented programming I would probably choose that way.
Another way would be a mix: you could create only some classes in which you handle the database interactions for specific domains. I.e. class userDataHandler would have the methods getUserById(), getAllUsers() et cetera. This way you would still have to write the querying process, but you know exactly where your queries are, have them in a structured way, there are no problems with naming your variables inside the methods, and your code doesn't get messy as you have different files for different domains -> separation of domain-specific code.
Can you explain your problem with the request-variables($_POST and $_GET) a little more? Why does your site get called with so many different variables, maybe you could structure your application a little better.
I'm not really sure why I'm having this issue but at the moment I'm blocked. The problem that I'm having is that when using Doctrine to insert into MySQL, some values are automatically escaped. For example, on a form where a user inputs something such as he/she, the data stored into the MySQL table is he\/she.
Now, the issue is that sometimes the user will use a search function, but using he/she won't give them any results. How can I solve this? I'm thinking of escaping the characters in the string that I pass to the LIKE function; is this a correct approach? I'm thinking that the same issue will happen if the user has values such as this is 50% (the percent would need to be converted as well before being given to the LIKE function?)
You need to solve this at the core - the data should never enter into your database. A probable cause of this is a misconfigured web server that still has magic quotes enabled with MSSQL mode, or using a library that tries to do input sanitation in a (very) wrong way. You should never ever ever want to fix this on the search end of things - once you start patching there for corrupted data you're in for an endless cesspool of problems.
Debug why the data is going in wrong, and fix it there.
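An added example (not from the thread, and not Doctrine's own code): when values are bound as parameters, `he/she` is stored byte for byte, and the only characters that need handling before a LIKE search are the wildcards `%` and `_`. It uses PDO with in-memory SQLite so it runs offline; the `notes` table, the sample rows, the `like_escape()` and `search()` helpers and the choice of `!` as escape character are assumptions made for the illustration.

```php
<?php
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');

// Constructed sample rows, inserted through a prepared statement so nothing
// is escaped or altered on the way into the table.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (?)');
foreach (array('he/she agreed', 'this is 50% done', 'this is 500 done', 'a_b', 'axb') as $row) {
    $insert->execute(array($row));
}

// Hypothetical helper: neutralise LIKE wildcards in user input.
// "!" is the escape character declared in the ESCAPE clause below; a literal
// "!" in the input is doubled so that it survives as itself.
function like_escape($term)
{
    return strtr($term, array('!' => '!!', '%' => '!%', '_' => '!_'));
}

// Substring search: the surrounding % are ours, everything inside is literal.
function search(PDO $pdo, $term)
{
    $stmt = $pdo->prepare("SELECT body FROM notes WHERE body LIKE ? ESCAPE '!' ORDER BY body");
    $stmt->execute(array('%' . like_escape($term) . '%'));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(search($pdo, 'he/she'));  // the slash needs no treatment at all
print_r(search($pdo, '50%'));     // "%" is searched for as a literal character
print_r(search($pdo, 'a_b'));     // "_" is searched for as a literal character
```

MySQL accepts the same `ESCAPE '!'` clause, so the helper carries over unchanged.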
I am working with a legacy PHP framework and am coming across some strange behavior that I can't track down.
I'm running a query that looks something like this
select * from table where column like '%word-anotherword%'
, which I would like to return records from table where column contains the text "word-anotherword". (column is a longtext field).
When I run this query in phpMyAdmin, I get the expected results. But when I run it from inside our framework, I get no results. I have run it in a separate .php file, using mysql_link, mysql_query to run the query, and that also behaves as expected.
When I echo out the query in the framework directly before it is passed to mysql_query, it is formatted just the same as I expect. I.E. our framework is not escaping it in some unexpected manner.
I am assuming that our framework is overriding some PHP setting somewhere to cause this difference in behavior, but I have had no luck googling for what it might be. I found this article, which seemed to be a good start, but also didn't quite seem to fit what I'm seeing, since I am getting different behaviors on the same MySQL setup.
Any pointers in the right direction would be greatly appreciated!
As a debugging heads-up:
When you echo your query out, you might want to make sure you're actually seeing the data - e.g. if you're echo-ing onto a webpage, make sure you're applying htmlspecialchars() to the string. Otherwise you might not spot some changes.
LIKE is not full text search, that's why question title is wrong and, probably, that article which you found isn't related to your problem.
And about your problem, open your my.cnf and enable queries log:
[mysqld]
#Set General Log
log = "C:/all_queries.log"
Now run your query and look into log.
I have written a PHP OO class which will update 4 fields of a certain row in a table. For now the row is decided by a constant (user with name 'jip')
I have corrected the query in a previous post here, so I'm pretty sure the query itself is fine. So, there must be some sort of error within the class itself. Probably the vars don't reach the query somehow. I have been looking for hours, but can't find the problem. I have linked both files of the class, since I don't know where the error is; the values just don't show up in the database. If anyone would like to check them, (s)he'd make my entire week! So here is the link and I hope someone is willing to help :)
UpdateForm.php: http://pastebin.com/dUaZPrn6
Update.class.php: http://pastebin.com/6mnL4DzE
Try replacing mysqli_real_escape_string($conn, $variable) with
$conn->real_escape_string($variable);
For example,
$conn->real_escape_string($this->Lengte_update);
You're using the object-oriented style, so you can't use the procedural escape function. See the docs on mysqli::real_escape_string.
Edit:
The query isn't being executed. You assign the query to $query, but you need to call
$conn->query($query);
For anything to happen in the database.
I'm running PHP 5.2.13 and I have an app that contains tons of files, but they all call one file at the beginning. I want to put some line in that file to automatically mysql real escape any query, because I don't want to go across every file and change code.
Thanks!
I don't know how well that would work. What you really need is to escape the input not things like table names, fields, etc. If you pass the entire query to an escape, I'd be willing to bet you'd find a good number of queries that will fail because it will turn things like
select * from tablename where name = 'foo'
into
select * from tablename where name = \'foo\'
Which would choke.
And, having a wrapper function in your code helps a lot (assuming you don't want to use a framework, etc). If you have "mysql_query()" littered around your code, you probably are in for a bit of work to change it up. If you can't/don't-want-to adopt a framework, at least wrap it in a function of your own, like "db_query()" like this:
function db_query($query,$and,$other,$arguments)
{
mysql_query( ... ); // you can change this to some other database later if you want
}
I did that in a project a few years ago and it helped a ton when I wanted to log some errors. I just added it to that function instead of having it in 200 places in the code.
But even that won't really help if you didn't escape input properly in the first place. In that case your only option is to take some time and fix it.
Hans has some good suggestions. But I think the bottom line is you're going to have to modify a lot of code. There is no magic bullet on this one. Whoever wrote it should have known better, and now you, my friend, are going to pay the price. Personally, if you're going to have to go in and manually edit, I would urge you to switch to PDO or mysqli. That way you can make use of prepared statements, which will handle the escaping of variables for you provided you use them correctly.
If you have a large project, and need to change the data access, I would suggest to move to an ORM, my personal pick is Propel.
With that you would solve the whole escaping sql's problem, would make your app more scalable and you could also reverse your database diagram in order to generate the classes needed for Propel.
Propel will give you benefits like transactions, parameters and many more, so you should really think about it.
Best regards
Take note that it's not queries that you will want to escape, it's user supplied variables that are to be included in the query (unless you're writing malformed SQL yourself on purpose). So what you can do is to run mysql_real_escape_string() on, say, the $_POST array with array_map(), provided that you are not going to use that array for anything else.
mysql_real_escape_string() is still only the second best solution to the issue anyway. If you can, use prepared statements (AKA parametrized queries) and you're home free.
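An added example (not code from any of the posters): the `db_query()` wrapper idea from this thread combined with prepared statements, which also gives the "SQL in, rows, row count and error out" function asked about in the earlier question on keeping many queries organised. It uses PDO with in-memory SQLite so it runs offline; the signature, the returned array shape and the `users` table are assumptions made for the illustration.

```php
<?php
// Hypothetical wrapper: one choke point for every query in the application.
// Values travel in $params and are bound by the driver, never spliced into $sql.
function db_query(PDO $pdo, $sql, array $params = array())
{
    $out = array('rows' => array(), 'count' => 0, 'error' => null);
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        if ($stmt->columnCount() > 0) {           // statement returns a result set
            $out['rows']  = $stmt->fetchAll(PDO::FETCH_ASSOC);
            $out['count'] = count($out['rows']);
        } else {                                   // INSERT/UPDATE/DELETE: affected rows
            $out['count'] = $stmt->rowCount();
        }
    } catch (PDOException $e) {
        // Log once here instead of in every caller. Because values are bound,
        // the logged SQL text contains placeholders, not user input.
        error_log('db_query failed: ' . $e->getMessage() . ' | SQL: ' . $sql);
        $out['error'] = $e->getMessage();
    }
    return $out;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
db_query($pdo, 'CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
db_query($pdo, 'INSERT INTO users (name) VALUES (?)', array("O'Brien"));
db_query($pdo, 'INSERT INTO users (name) VALUES (?)', array('jip'));

// A value containing a quote needs no escaping call: it is data, not SQL.
$users = db_query($pdo, 'SELECT id, name FROM users WHERE name = ?', array("O'Brien"));
echo 'rows for a name containing a quote: ', $users['count'], "\n";

// A broken statement comes back as an error value, already logged.
$bad = db_query($pdo, 'SELECT nope FROM missing_table');
echo 'error reported: ', $bad['error'] === null ? 'no' : 'yes', "\n";
```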