Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I am able to navigation between a php page using ID but not using project name. Can you only use an number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts string to a query, resulting in invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including query string) in your query like you did. You should use prepared statement instead to safely escape that string for your query.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
I am writing code to delete a row based on ID from a SQL Server database. I want to make sure my code is safe from accidentally deleting everything or deleting something other than what it should. My code at the moment is as follows...
$st = $conn->prepare("if (select count(*) from sometable where id = :id) = 1
delete from sometable where id = :id");
$st->bindParam(':id',$id);
$st->execute();
Is this a safe way to delete a single row without accidentally deleting everything? Is there a better, known best-practices way to do it?
Edit: I am getting an error COUNT field incorrect or syntax error when testing this code.
I have changed my code accordingly to resolve this (I was hoping I could refer to the same field more than once and bind it once but apparently not)
$st = $conn->prepare("if (select count(*) from sometable where id = ?) = 1
delete from sometable where id = ?");
$st->execute(array($id,$id));
(Might as well use my question to troubleshoot since stackoverflow won't let me delete it)
Is this a safe way to delete a single row without accidentally deleting everything?
Yes, as long as your ID's are unique for each row.
Is there a better, known best-practices way to do it?
No.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am creating a form that collects data and sends to a database using php, with a code snippet i got online.
$con=mysqli_connect("localhost","root","famakin","k");
if(mysqli_connect_errno())
{
echo"FailedtoconnecttoMySQL:".mysqli_connect_error();
}
$sql="INSERT INTO transactions(Username,Insured_Name,combined,Residential_Address,Telephone,Email,Make_Of_Car,Model,Engine_Number,Year_Of_Manufacture,Chassis_Number,Vehicle_Class,Colour,Registeration_Number,Product_Type,Premium,Policy_Number,Start_Date,Expiry_Date,Date_Begin,Type_Of_Insurance,Status, Transaction_id)VALUES('$_POST[Username]','$_POST[Insured_Name]','$_POST[combined]','$_POST[Residential_Address]','$_POST[Telephone]','$_POST[Email]','$_POST[Make_Of_Car]','$_POST[Model]','$_POST[Engine_Number]','$_POST[Year_Of_Manufacture]','$_POST[Chassis_Number]','$_POST[Vehicle_Class]','$_POST[Colour]','$_POST[Registeration_Number]','$_POST[Product_Type]','$_POST[Premium]','$_POST[Policy_Number]','$_POST[Date]','$_POST[Date_Expiry]','$_POST[Date_Begin]','$_POST[Type_Of_Insurance]','$_POST[Status]','$_POST[Transaction_id]')";
if(!mysqli_query($con,$sql))
{
die('Error:'.mysqli_error($con));
}
mysqli_close($con);
This works for inserting details into the database,but i want to check if for example the username in which i am inserting into the database exists,please how do i go about this with what i have already?
regards
There are two main approaches, essentially...
SELECT from the database before trying to INSERT. If the record is found by the SELECT, don't perform the INSERT and instead respond to the user accordingly.
Place a UNIQUE constraint on the column (or set of columns) which needs to be unique in the table. This would cause the INSERT to fail, and the code would have to catch and handle that failure and respond to the user accordingly.
The second option puts the responsibility squarely on the database itself, which is important if anything else if ever going to use that database and needs to maintain that same responsibility.
Also, and this is important, please note that your code is open to SQL injection attacks, which allows users to execute their own code on your server. You'll want to read up on that so you can protect your application.
Here, you can do it via mysqli_num_rows():
$username = mysqli_real_escape_string($con, $_POST['Username']);
$check_select = mysqli_query("SELECT * FROM `transactions` WHERE Username = '$username'");
$numrows=mysqli_num_rows($check_select);
if($numrows > 0){
// do something
}
else{
// do something else
}
Although there are other ways to do this, it is but one example.
You can avoid this by also setting your column(s) as UNIQUE.
By the way, your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements, they much safer.
Just do a SELECT query before the INSERT. If a record with that username exists then don't insert the record.
Well before you insert one you want to query for it's existence (please refer to Google on how to "Select data from Database PHP").
If that select count(*) from Transactions.... where Username =.. returns something other than 0 the username is already taken.
Note: I have bigger concerns about the fact you include POST-Parameters directly into your SQL-Query string and recommend you read something about "SQL Injection PHP".
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
$SQL="SELECT first_name FROM people WHERE fname = '$fname' INSERT INTO (first_name) VALUES (fname)";
Anything wrong with this? Trying to insert a value from a user defined variable into a mysql table
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in D:\wamp\www\Pxxxx\process.php on line 44
This is the error
$fname is a user defined variable
first_name is the column I'm trying to insert it into and it's in a table called people
You have the order inverted. It seems like you are looking for INSERT .. SELECT syntax (see MySQL documentation here: http://dev.mysql.com/doc/refman/5.6/en/insert-select.html)
INSERT INTO target_table (first_name)
SELECT fname
FROM people
WHERE fname = ?
It was unclear from your example what the name of the table you were trying to insert data into is, so I just listed it as target_table here.
Your SQL statement has to be reordered like this:
"INSERT INTO people (fname) SELECT '$fname' FROM dual;"
This will select the value of $fname from the pseudo table "dual" and insert the value into "people".
Maybe this is more suitable:
"INSERT INTO people (fname) VALUES ('$fname');"
This snippet show you a simple insert statement.
Note: Please have a look for SQL Injection at Wikipedia. The code you are writing is open for these kinds of attacks. If you are writing PHP code, have a look for Prepared Statements and mysqli to prevent these attacks.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
Ok so i store the column i want to update in side a variable so i need to put the variable in side the main query i try and do it like so
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
I have searched for an answer and have found a thread here on the site doing the same:
Using a passed variable in a query using PDO (Oct 2011; by Don S)
$sqlltyryrt = "UPDATE user_items SET :fggdgdf = :fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array('fggdgdf'=>$fggdgdf),$_SESSION['username']);
You can't bind the names of columns; so that isn't going to work. There's no way to use a bound variable for a column or table name, so the only way to do this is to actually interpolate the variables into the string:
$sqlltyryrt = "UPDATE user_items SET $fggdgdf = $fggdgdf +1 WHERE username=?";
$qqqqq = $db->prepare($sqlltyryrt);
$qqqqq->execute(array($_SESSION['username']));
But you need to be very sure that you've sanitized the variables, else you're open to SQL injection. You can use whitelisting for this, as you should be able to generate an array of possible column names and can check that the variables are present in that array.
But the fact that you're trying to bind the names of comments implies that your database design could do with looking at.