I was testing a simple employee application and got this Unknown column 'mush' in 'where clause' error. There is someone called 'mush' in the name column.
Here's my code
<?php
// Connects to your Database
mysql_connect("localhost", "myuser", "mypass") or die(mysql_error()) ;
mysql_select_db("peoplesdb") or die(mysql_error()) ;
//Retrieves data from MySQL
$data = mysql_query("SELECT * FROM employees WHERE name = $_GET[name]") or die(mysql_error());
echo "<table border=\"1\">";
echo "<tr>";
echo "<th>First Name:</th>";
echo " <td>Last Name</td>";
echo "</tr>";
echo "<tr>";
echo "<th rowspan=\"3\"><img src=\"../about/images/".$data['photo']."\" width=\"205\" height=\"205\" alt=\"\" title=\"\"></th>";
echo $data['name'];
echo "<td>".$data['name'] ."</td>";
echo "</tr>";
echo "<tr>";
echo "<td>".$data['lastname'] ."</td>";
echo "</tr>";
echo "</table>";
?>
The aim was to display the detail on a table with a picture to the left of the table.
Here's how I tried calling the application:
http://localhost:8080/displaymembers.php?name=mush.
I have a table which contains these columns:
name, photo, telephone, lastname and dob.
Is there anything I'm doing wrong that stops the details from displaying? I would like your help.
Helen.
First, you need to quote your inputs, second you need to escape them:
mysql_query("SELECT * FROM employees WHERE name = '".
mysql_real_escape_string( $_GET['name'] ) ."'");
You need to enclose it in quotes - e.g.
SELECT * FROM employees WHERE name = '{$_GET['name']}'
I would also suggest you use mysql_real_escape_string:
$data = mysql_query("SELECT * FROM employees WHERE name = '" . mysql_real_escape_string($_GET['name']) . "';") or die(mysql_error());
Try this: put single quotes around your variable.
$_GET['name'];
And use mysql_real_escape_string to avoid SQL Injections.
You should try
$data = mysql_query("SELECT * FROM `employees` WHERE `name` = '".mysql_real_escape_string($_GET['name'])."'") or die(mysql_error());
as name may be reserved for mysql purposes, and I believe it is ...
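The error from the question and a parameterized version of the same lookup, as an added example that is not part of the original posts. It uses PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the sample row and the function names are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so it runs offline;
// the employees row is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE employees (name TEXT, lastname TEXT, photo TEXT)");
$db->exec("INSERT INTO employees VALUES ('mush', 'Example', 'mush.png')");

// Unquoted, the value is parsed as an identifier: this is what the
// "Unknown column 'mush'" error reports (SQLite words it differently).
function lookupUnquoted(PDO $db, string $name): string
{
    try {
        $db->query("SELECT * FROM employees WHERE name = $name");
        return 'no error';
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// Bound as a parameter, the value is always data, whatever it contains.
function lookupBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, lastname, photo FROM employees WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode values before they go into HTML text or attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo lookupUnquoted($db, 'mush'), "\n";

// Rows must be fetched from the result before columns can be read.
echo "<table border=\"1\">\n";
foreach (lookupBound($db, 'mush') as $row) {
    echo '<tr><th><img src="../about/images/' . h($row['photo']) . '" alt=""></th>';
    echo '<td>' . h($row['name']) . '</td><td>' . h($row['lastname']) . "</td></tr>\n";
}
echo "</table>\n";
```

The mysql_* functions used throughout this page were removed in PHP 7.0; PDO and mysqli both provide the prepared statements shown here.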
In mysql I want to display matched information with values... But the code I use select information separately and I get a bad result. What I want is to wrap the "select" functions together so they both look for specific information in mysql database.
Here's the code I use:
$name = explode(',',$name); //splits search
$query = "SELECT * FROM lucky WHERE name LIKE '%" . implode("%' AND name LIKE '%", $name) . "%'";
$sname = explode(',',$sname); //splits search
$query = "SELECT * FROM lucky WHERE sname LIKE '%" . implode("%' AND sname LIKE '%", $sname) . "%'";
$result = $mysqli->query($query);
// while has no else branch in PHP, so check for rows first
if ($result && $result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
        echo "<table id='box'>";
        echo "<tr>";
        echo "<td id='text'>Name:</td><td id='haha'>" . $row['name']. "</td>";
        echo "<td id='text'>Second Name:</td><td id='haha'>" . $row['sname'] . "</td>";
        echo "</tr>";
        echo "</table>";
    }
} else { echo "No matched information" ; }
Thanks in advance :)
UPDATE
Thanks to Spencer for his help!!!
Here's the code that I use now. Please use this to select matched information from the database!!!
$query = "SELECT *
FROM lucky
WHERE name LIKE '$name'
AND sname LIKE '$sname'";
$result = $mysqli->query($query);
// while has no else branch in PHP, so check for rows first
if ($result && $result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
        echo "<table id='box'>";
        echo "<tr>";
        echo "<td id='text'>Name:</td><td id='haha'>" . $row['name']. "</td>";
        echo "<td id='text'>Second Name:</td><td id='haha'>" . $row['sname'] . "</td>";
        echo "</tr>";
        echo "</table>";
    }
} else { echo "No matched information" ; }
If your $sname string contains the value "jack,jill", then the query would only return rows that have a name column value that contains both of those strings, for example: 'jack and jill' and 'jillojellojacko' would match. But the query will not return rows where the name column contains 'jack' but doesn't contain 'jill'.
If your intent is to search for rows that have either of the values matching, for example
$name = 'fee,fi,fo'
$sname = 'fum'
That is, any rows where name column contains either 'fee', or 'fi', or 'fo', or sname column contains 'fum', you could use a query of the form:
SELECT t.*
FROM lucky t
WHERE t.name LIKE '%fee%'
OR t.name LIKE '%fi%'
OR t.name LIKE '%fo%'
OR t.sname LIKE '%fum%'
If you replace all those ORs with ANDs, then a row will need to satisfy all of those predicates to be returned. If you want a combination of AND and OR, then use parens to specify the order of precedence...
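One way to build the OR and AND forms described in the answer above from comma-separated input without concatenating the search terms into the SQL. This is an added example, not code from the original posts: likeTerms() and buildLikeSearch() are hypothetical helpers, the '!' escape character is a choice made here, and in-memory SQLite with constructed rows stands in for MySQL.

```php
<?php
// Added example. buildLikeSearch() and likeTerms() are hypothetical helpers;
// SQLite in memory stands in for MySQL and the rows are constructed.

// "fee, fi" -> ['%fee%', '%fi%'], with LIKE wildcards in the input escaped
// so that a search for "50%" matches a literal percent sign.
function likeTerms(string $csv): array
{
    $patterns = [];
    foreach (explode(',', $csv) as $term) {
        $term = trim($term);
        if ($term !== '') {
            $patterns[] = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
        }
    }
    return $patterns;
}

// Returns [sql, params]; $joiner chooses between the OR and AND forms.
// With no search terms at all the query has no WHERE clause.
function buildLikeSearch(string $nameCsv, string $snameCsv, string $joiner = 'OR'): array
{
    $joiner = ($joiner === 'AND') ? 'AND' : 'OR';  // only a fixed keyword reaches the SQL
    $where = [];
    $params = [];
    foreach (['name' => $nameCsv, 'sname' => $snameCsv] as $column => $csv) {
        foreach (likeTerms($csv) as $pattern) {
            $where[] = "t.$column LIKE ? ESCAPE '!'";
            $params[] = $pattern;
        }
    }
    $sql = 'SELECT t.* FROM lucky t' . ($where ? ' WHERE ' . implode(" $joiner ", $where) : '');
    return [$sql, $params];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE lucky (name TEXT, sname TEXT)");
$db->exec("INSERT INTO lucky VALUES ('feeble', 'x'), ('fido', 'fumble'), ('zed', 'z')");

foreach (['OR', 'AND'] as $joiner) {
    [$sql, $params] = buildLikeSearch('fee,fi,fo', 'fum', $joiner);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    echo $joiner, ': ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
}
```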
I have a problem with PHP and Mysql. PHP is acting very strange. This is my code
echo "<form action='scripts/leerling.php' method='post'>";
echo "Nieuwe Leerling: <br/><br/>";
echo "Naam<br/>";
echo "<input type='text' name='naam'/><br/><br/>";
echo "Leeftijd<br/><input type='number' name='leeftijd'/><br/><br/>";
echo "Ouder:<br/>";
echo "<select name='ouder'>";
$result2 = mysqli_query($con, "SELECT * FROM users WHERE group=3");
while($record2 = mysqli_fetch_array($result2)){
echo "<option value='" . $record2["id"] . "'>" . $record2["username"] . "</option>";
}
echo "</select><br/> <br/>";
echo "<input type='image' src='img/plus.png'/><span style='font-size: 11pt;'> Leerling Toevoegen</span>";
echo "</form>";
I think everything is all right. I want to make a select box with variable options. Now comes the annoying part: if I change this: mysqli_query($con, "SELECT * FROM users WHERE group=3") to this: mysqli_query($con, "SELECT * FROM users WHERE id=3") it works! And I don't know why... The table in my database does have a column named ID and a column named group, and they are both of datatype INT, but ID is also A_I. I don't know if that matters...
Perhaps because GROUP is a reserved word in MySQL? Try this:
// Backticks quote the identifier; single quotes would make 'group' a string literal
$result2 = mysqli_query( $con, "SELECT * FROM users WHERE `group` = 3" );
I am trying to take a user's input of #,#, or just normal statements and then pull those results from a SQL database if the search results exist in the "query" column of a table called "job" in my database. Here is the error I am getting:
Unknown column 'Array' in 'where clause'
Here's my code:
$result_all = $_POST['result_name'];
$result_all_array= explode(',',$result_all);
$query = "select last_count, query, job_id from twitterinblack46.job where
query in (".$result_all_array.") order by last_count desc;";
$result= mysql_query($query);
if($result === FALSE) {
die(mysql_error());
}
else{
//Sets up table
echo "<table border='1'>
<tr>
<th>Job ID</th>
<th>Last Count</th>
<th>Result</th>
</tr>";
//Populates table
while($row = mysql_fetch_array($result)){
echo"<tr>";
echo "<td>" . $row["job_id"] . "</td>";
echo "<td>" . ltrim($row["last_count"],'0') . "</td>";
echo "<td>" . str_replace(array('%23', '%40', '%20', 'q='), array('#','#',' ',''),
$row['query']) . "</td>";
echo "</tr>";
}
echo "</table>";
}
Anyone know what I am doing wrong?
Update:
Here was the confusion, I did not forget to copy the $ for query. "query" is the name of the column I want to get the information from in my query. So what I am saying is, what is the difference between these two sets of code and why doesn't it work for the first query?
Code that doesn't work:
$result_all= $_POST['result_name'];
$query = "select last_count, query, job_id from twitterinblack46.job where
query in (".$result_all.") order by last_count desc;";
$result= mysql_query($query);
Code that does work:
$job_id_all= $_POST['job_id'];
$query = 'select last_count, query, job_id from twitterinblack46.job where job_id in
('.$job_id_all.') order by last_count desc;';
$result= mysql_query($query);
It is obviously a problem of the form input, being multiple checkboxes checked for example.
Try this in both queries:
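// Escape each submitted value and quote it as a string literal before joining the IN list
$values = array_map('mysql_real_escape_string', (array) $_POST['result_name']);
$result_all= "'" . implode("','", $values) . "'";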
$query = "select last_count, query, job_id from twitterinblack46.job where query in (".$result_all.") order by last_count desc;";
$result= mysql_query($query);
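A variable-length IN list built with one bound placeholder per value, as an added example that is not part of the original posts. It assumes the comma-separated input from the question; findJobs() is a hypothetical name, and in-memory SQLite with constructed rows stands in for the twitterinblack46.job table. Concatenating the PHP array gave the literal text Array, and unquoted text inside IN (...) is read as a column name, which is why only the numeric job_id version ran.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so it runs offline;
// the job rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE job (job_id INTEGER PRIMARY KEY, query TEXT, last_count INTEGER)");
$db->exec("INSERT INTO job (query, last_count)
           VALUES ('#php', 40), ('#mysql', 75), ('plain words', 3)");

function findJobs(PDO $db, string $csv): array
{
    // Split the "#a,#b" input and drop empty pieces.
    $terms = [];
    foreach (explode(',', $csv) as $term) {
        $term = trim($term);
        if ($term !== '') {
            $terms[] = $term;
        }
    }
    if ($terms === []) {
        return [];   // "IN ()" is a syntax error, so stop here
    }
    // One "?" per value gives IN (?,?,?); only placeholders are concatenated.
    $marks = implode(',', array_fill(0, count($terms), '?'));
    $stmt = $db->prepare(
        "SELECT job_id, last_count, query FROM job
          WHERE query IN ($marks) ORDER BY last_count DESC"
    );
    $stmt->execute($terms);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (findJobs($db, '#php, #mysql') as $row) {
    echo $row['job_id'], "\t", $row['last_count'], "\t",
         htmlspecialchars($row['query'], ENT_QUOTES, 'UTF-8'), "\n";
}

// A value containing an apostrophe is just data: no error, no match.
echo count(findJobs($db, "it's a test")), " rows\n";
```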
I cannot get a row to delete as the id is not going through the URL. It's a simple error somewhere and I cannot find the solution after having a look around for an hour.
This page contains the information on a table:
<?php
$result = mysql_query("SELECT review, ratings, date, user FROM reviews")
or die(mysql_error());
if (mysql_num_rows($result) == 0) {
echo 'There Arent Any Reviews Yet';
} else {
echo "<table border='0'><table width=100% border='6'><tr><th>Comments/Thoughts</th><th>Ratings</th><th>Date</th><th>User</th><th>Delete</th></tr>";
while($info = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $info['review']. "</td>";
echo "<td>" . $info['ratings']. " Stars</td>";
echo "<td>" . $info['date']. "</td>";
echo "<td>" . $info['user']. "</td>";
echo "<td>" . " <a href='deletereview.php?review_id=" . $info['review_id'] . "'>Delete</a> </td>";
echo "</tr>";
}
}
echo "</table>";
?>
It goes to deletereview.php which carries out the delete function:
<?php
session_start();
require_once '../includes/db.php';
$id = $_GET['review_id'];
$info = "DELETE FROM reviews WHERE review_id = '$id'";
mysql_query($info) or die ("Error: ".mysql_error());
echo "<h2>Review Deleted</h2>";
?>
any ideas guys?
You're not selecting the review_id in the query, so $info["review_id"] is always null.
Aside from the other answers, I'll say this:
Your database will get jacked if you do not sanitize your variables.
For instance, what happens if I pass review_id=' OR '1'='1?
DELETE FROM reviews WHERE review_id = '' OR '1'='1'
This query will delete everything in reviews.
mysql_real_escape_string() your $_GET and $_POST variables before using them in your MySQL.
You forgot to select the review_id.
$result = mysql_query("SELECT review_id, review, ratings, date, user FROM reviews")
You're not selecting review_id from the database but you use $info['review_id'] to set the ID on the URL. Just change your first line to:
$result = mysql_query("SELECT review_id, review, ratings, date, user FROM reviews")
Also you must escape the input with mysql_real_escape_string:
$id = mysql_real_escape_string($_GET['review_id']);
You have to select the review_id in the query. But also you have to check for some SQL injection, because with the GET request it's easy to delete all the table records.
So I'm trying to display a list of all users in my database... each one with a link that will display their own information (in this case only displays user again and password), here's my code...
<?php
mysql_connect('localhost','user','password')or die ('Connection Failed: '.mysql_error());
mysql_select_db('name')or die ('Error to select database '.mysql_error());
$result = mysql_query("SELECT * FROM usuarios ORDER BY ID");
echo "<table border='0'>
<tr>
<th>UserName</th>
</tr>";
while ($row = mysql_fetch_array($result))
{
echo "<tr>";
echo '<td>' . $row['usuario'] . '</td>';
echo "</tr>";
}
echo "</table>";
?>
I get the ID of each user through the URL to be a new variable in my user.php page to recognize each one...
<?php
$numusu = $_GET['id'];
$result = mysql_query("SELECT * FROM usuarios WHERE id=`$numusu`");
while ($row = mysql_fetch_array($result))
{
echo "<table><tr>";
echo "<td>User:" . $row['usuario'] . "</td>";
echo "<td>Password:" . $row['password'] . "</td>";
echo "</tr></table>";
}
?>
But for some reason I'm not able to display anything in user.php. I get the ID value and all, just missing the information; I just get an error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL
result resource in /site/test/test/test/login_php/user.php on line 15
What am I doing wrong? Please help me!
The query should be SELECT * FROM usuarios WHERE id='$numusu'. Backticks only work for table and database names.
When you get Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource, it usually means $result is null and/or mysql_query failed. If you change the query to
$result = mysql_query("...") or die(mysql_error());
It should tell you something like Unknown column '1' in 'where clause'.