how to delete all rows using IN OPERATOR in mysql php - php

i am having problem in understanding the behaviour of this programme below is simple code to delete the email address using IN operator
$emails = $_POST['ids'];
$sql = "DELETE FROM newsletter where email ";
$condition = sprintf('IN ("%s")',implode(' "," ',$_POST['ids']));
$sql = $sql.$condition;
include '../includes/db.php';
$r = mysql_query($sql);
echo $sql;
it only deletes one email id and returns true . how can i make it run in a way it deletes all the emails .
below is the query constructed using the above code.
DELETE FROM newsletter where email IN ("adfadsf#gmail.com ","
asdfasfasf#gmail.com "," kjhkhsd#assdfsdf.sdfsf "," shit#gshit.com ","
someother#gmail.com")
is it wrong way of deleteing ?


Instead of:
$condition = sprintf('IN ("%s")',implode(' "," ',$_POST['ids']));
do:
$condition = sprintf('IN ("%s")',implode('", "',$_POST['ids']));
IN operator matches contents of the field with the values exactly. Spaces at the beginnings and ends of values might have cause your problems.


The query is valid however you are adding spaces before/after the email.
" asdfasfasf#gmail.com " does not match "asdfasfasf#gmail.com"


This code would be vulnerable to SQL injection attacks, i could make post something like
"); delete from newsletter; delete from newsletter where email in ("
the " are part of my post string, this would wipe your newsletter table.
However that aside the key issue with your code is potentially the spaces (do your strings include spaces in the database?) and the use of double quotes. I'm not 100% certain but I'm sure " can be used as a field indicator rather than a string so you probably want single quotes.
$emails = $_POST['ids'];
$sql = "DELETE FROM newsletter where email ";
$condition = sprintf("IN ('%s')",implode("','",$_POST['ids']));
$sql = $sql.$condition;
include '../includes/db.php';
$r = mysql_query($sql);
echo $sql;
Output then should be
DELETE FROM newsletter where email IN ('adfadsf#gmail.com','asdfasfasf#gmail.com','kjhkhsd#assdfsdf.sdfsf','shit#gshit.com','someother#gmail.com')


If you need to insert strings in a SQL query you have to single-quote them and protect against SQL injection. Also, the comma separator in the IN clause should not be quoted.
$safe_emails = array();
foreach($_POST['ids'] as $i){
$safe_emails[] = "'" . mysql_real_escape_string($i) . "'";
}
$sql = 'DELETE FROM newsletter WHERE email IN (' . implode(', ', $safe_emails) . ')';

Related

Check if word is already in DB (PHP)

I'm trying to create a function which checks if word in a string is in the DB.
So, for example, I have a list with basic words in my DB. I type a sentence and would like to get all the words from that sentence which are not yet in the DB.
Any tips on how to work this out?

First convert search string to an array using this function
$str = "Hello user how are you.";
$find_it = explode(" ",$str);
Now use mysql query to find if this exist in DB or NOT...
$filterExisting = "'" . implode("', '", $find_it ) . "'";
$sql = "SELECT * FROM table WHERE field NOT IN (". $filterExisting .")";
$result = $db->query($sql);

Manually escaping in PHP/MySQL

I try to understand manually escaping in PHP. I read this example:
if ($_POST)
{
$query = 'UPDATE
hersteller
SET
zulieferer = \''.mysql_real_escape_string($_POST['zulieferer']).'\',
telefon = \''.mysql_real_escape_string($_POST['telefon']).'\',
city = \''.mysql_real_escape_string($_POST['telefax']).'\'
WHERE
id = '.$_POST['id'];
$update = mysql_query ($query) or die (mysql_error());
}
The statement starts by an apostrophe. Unfortunately I couldn't find a discription.
1st part?
'UPDATE hersteller SET zulieferer = \'
2nd part?
'.mysql_real_escape_string($_POST['zulieferer']).'
3rd part?
', telefon = \'
4th part?
'.mysql_real_escape_string($_POST['telefon']).'

The first part is this:
'UPDATE
hersteller
SET
zulieferer = \''
note the extra '.
The escape character \ is used to escape the first ' so that it's inserted as a character into the string rather than interpreted as the end of the string.
It's similar to this:
$message = 'Let\'s get started';
$query = 'INSERT INTO table SET value = \'' . $value . '\'';

A \ character marks the following character as "plain-text", or text that has no meaning. This way, your output would look like zuliefer = 'thevalue'.
For this example, if you don't like having to escape all the characters, you can start the variable with a double quote.
$query = "UPDATE
hersteller
SET
zulieferer = '" . mysql_real_escape_string($_POST['zulieferer'])."',
telefon = '".mysql_real_escape_string($_POST['telefon'])."',
city = '".mysql_real_escape_string($_POST['telefax'])."'
WHERE
id = '".$_POST['id'] . "'";
$update = mysql_query ($query) or die (mysql_error());
-More reading on single quotes and double quotes in PHP strings
-More reading on escaping
-PHP manual on strings and meanings of symbols inside them

The statement starts by an apostrophe. Unfortunately I couldn't find a discription.
In PHP you can define strings with a pair of ' or a pair of ".
The main difference lays in the fact that "-strings are also evaluated to seek for $ variables.
For both string types you can obviously escape the ' or " character in order to make it appear in the string:
echo "He said \"Welcome\".";
// He said "Welcome".
In your case, for example, assuming the POST variable to be equal to x:
'zulieferer = \''.mysql_real_escape_string($_POST['zulieferer']).'\''
// zulieferer = 'x'
Since that string doesn't use " I'd suggest you to refactor it to be:
$a = mysql_real_escape_string($_POST['zulieferer']);
$b = mysql_real_escape_string($_POST['telefon']);
$c = mysql_real_escape_string($_POST['telefax']);
$d = (int) $_POST['id'];
$query = "UPDATE hersteller
SET zulieferer = '$a', telefon = '$b', city = '$c'
WHERE id = $d";
On a side note: you shouldn't use mysql_* functions. Use prepared statements instead.

The code is a little hard to read for two reasons:
it uses single quotes within the SQL statement and for the php string
it is one long string spanning multiple lines
This might be easier to read:
$query = 'UPDATE '.
' hersteller '.
'SET '.
' zulieferer = "'.mysql_real_escape_string($_POST['zulieferer']).'", '.
' telefon = "'.mysql_real_escape_string($_POST['telefon']).'", '.
' city = "'.mysql_real_escape_string($_POST['telefax']).'" '.
' WHERE '.
' id = '.$_POST['id'];
Edit: Regarding your comment:
$query = "DELETE FROM description WHERE id = '" . $this->getId() . "'";
This serves the same purpose as my rewrite above, only exchanging the use of single and double quotes. It uses double quotes as php string delimiters and single quotes in SQL. Both variants are fine, since both PHP and MySQL allow both kinds of quotes. Your $query variable will actually contain DELETE FROM description WHERE id = '1234'. Please note, however, both versions are not syntactically identical. PHP handles double quotes a bit differently from single quotes. In double quotes, PHP will replace variable names with the contents of that variable, in single quotes it won't.
$query = "DELETE FROM description WHERE id='$id'"; <-- PHP will insert the variable $id
$query = 'DELETE FROM description WHERE id="$id"'; <-- PHP will not touch the string

WHERE query not functioning properly

I have this query:
$queryfile = "UPDATE Glasovi
SET Fotografija='$content',
MD5Slike='$checksum'
WHERE Email ='$email'";
It won't update the database.
When I write the email directly in the WHERE clause, it works:
$queryfile = "UPDATE Glasovi
SET Fotografija='$content',
MD5Slike='$checksum'
WHERE Email ='user.user#mail.com'";
I tried to echo the $email variable and it has the right value.
Where is the error in the first query?

Your query looks correct. The only issue I can see is one of the other variables contains a single quote, which could possibly result in your error.
try using addslashes escape any single quotes in your variable
$queryfile = "UPDATE Glasovi
SET Fotografija ='".addslashes($content)."',
MD5Slike ='".addslashes($checksum)."'
WHERE Email ='".addslashes($email)."'";
Doing so would also help prevent SQL injection by single quotes

your request is ok, so you should check your variables in php, use var_dump($email)
-- EDIT --
Your request doesn't seem to be secure, you should use PDO statements to secure it from SQL injections

You have not concatenated your variables with your string.
Change your code to this:
$queryfile="UPDATE Glasovi SET Fotografija=' . $content . ', MD5Slike=' . $checksum . ' WHERE Email =' . $email . '";

update only records that are non empty

I have this query, which i use to update a table.
The issue is, i need to update only values different from "undefined"
With the help of someone here i got to this query:
$sqlStart="UPDATE forma SET ";
$sql="";
if (!empty($postDyqani_pergjegjes)) $sql += " dyqani_pergjegjes='$postDyqani_pergjegjes',";
if (!empty($postEmri)) $sql += " emri='$postEmri',";
if (!empty($postKlienti)) $sql += " klienti='$postKlienti',";
if (!empty($postTelefoni)) $sql += " telefoni='$postTelefoni,'";
if (!empty($postMontim)) $sql += " montim='$postMontim',";
if (!empty($postAdresa)) $sql += " adresa='$postAdresa',";
if (!empty($postData_e_shitjes)) $sql += " data_e_shitjes='$postData_e_shitjes',";
if (!empty($postDifekti)) $sql += " difekti='$postDifekti',";
if (!empty($postTekniku_emer)) $sql += " tekniku_emer='$postTekniku_emer',";
if (!empty($postTekniku_mesazh)) $sql += " tekniku_mesazh='$postTekniku_mesazh',";
if (!empty($postData_fillim)) $sql += " data_fillim='$postData_fillim',";
if (!empty($postData_mbarim)) $sql += " data_mbarim='$postData_mbarim',";
if (!empty($postData)) $sql += " data='$postData',";
if (!empty($postStatus)) $sql += " status='$postStatus',";
// replace the last `,` for `;`
if ($sql != "") {
$sql = substr($sql, 0, -1) . ";";
// replace the last `,` for `;`
// run sql command
echo $sqlCommand = $sqlStart.$sql;
$result=mysql_query($sqlCommand) or die(mysql_error()) ;
} else {
}
It won't execute though..
Please give me a hand on this..
if i print the variables most of them result to be undefined
Thanks

There are many things broken with your approach; first of all, += won't do what you think it does for PHP strings, and will probably make everything end up as the value 0. Use .= to concatenate a string to an existing string:
$foo = '123';
$foo .= 'abc';
// $foo == '123abc'
Second, without any more information about where your variables are coming from, it'll be hard to say what's going the wrong way. If you have a field named 'Dyqani_pergjegjes', the correct way to reference it will be to use $_POST['Dyqani_pergjegjes'].
In addition you need to escape strings that you want to use in an SQL query, to avoid SQL injection exploits and other possible bugs (or use prepared statements in mysqli or by using PDO) if you want do solve it properly):
difekti='". mysql_real_escape_string($postDifekti) . "'
You're also missing a condition for your UPDATE-statement, so in it's current form it'll change all the rows in the database. Probably not what you want. And you do not need to add a ";" at the end of the statement - this is implicit when performing a query, and is generally advised against.

How to deal with an apostrophe while writing into a MySQL database [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I am getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','portal','','offering','MSNBC','News','','sports','','MSN','Money','','games'' at line 3
The only problem is that this error shows up when inserting data that contains an apostrophe. I tried changing the data type from VARCHAR to TEXT, but the result is still the same.
I tried to put in addslashes()
How do I fix this?
$query=" INSERT INTO alltags
(id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
mysql_query($query) or die(mysql_error());
I changed it to mysql_real_escape_string. Is this syntax correct? I am getting errors.

The process of encoding data which contains characters MySQL might interpret is called "escaping". You must escape your strings with mysql_real_escape_string, which is a PHP function, not a MySQL function, meaning you have to run it in PHP before you pass your query to the database. You must escape any data that comes into your program from an external source. Any data that isn't escaped is a potential SQL injection.
You have to escape your data before you build your query. Also, you can build your query programmatically using PHP's looping constructs and range:
// Build tag fields
$tags = 'tag' . implode(', tag', range(1,30));
// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);
// Implode values with quotes and commas
$values = "'" . implode("', '", $values) . "'";
$query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)";
mysql_query($query) or die(mysql_error());

Using mysql_real_escape_string is a safer approach to handling characters for SQL insertion/updating:
INSERT INTO YOUR_TABLE
VALUES
(mysql_real_escape_string($var1),
mysql_real_escape_string($var2))
Also, I'd change your columns back from TEXT to VARCHAR - searching, besides indexing, works much better.
Update for your update
Being that id is an auto_increment column you can:
leave it out of the list of columns, so you don't have to provide a value in the VALUES clause:
INSERT INTO alltags
(tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
(mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
include id in the list of columns, which requires you use either value in its place in the VALUES clause:
NULL
DEFAULT
Here's an example using NULL as the id placeholder:
INSERT INTO alltags
(id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
(NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
I want to really stress that you should not setup your columns like that.

Slight improvement of meagar's answer:
EDIT: meagar updated his post, so his answer is now better.
$query = 'INSERT INTO alltags (id, ';
// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', ";
// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);
// implode values with quotes and commas, and add closing bracket
$query .= "'" . implode("', '", $escaped_tags) . "')";
// actually query
mysql_query($query) or die(mysql_error());

Please look at meagars answer. This is the correct code.
If you want to use the misguided mysql_query() function, then you have to break up the SQL string as follows:
mysql_query(
"INSERT INTO whateever (col1,col2,col3,col4) VALUES ("
. mysql_real_escape_string($col1)
. ","
. mysql_real_escape_string($col2)
. ","
. mysql_real_escape_string($col3)
. ","
. mysql_real_escape_string($col4)
. ")"
);
Or since you have an array, use the clever method call to escape all at once:
$uniqkey = array_map("mysql_real_escape_string", $uniqkey);
mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...");

Categories