How do I select a value from a database where username is based on the session?
This is what I have so far:
$query = mysql_query ("select id from CUSTOMER where username = .$_SESSION['username'] ");
If username is in session cookie then grab the username like this
$username = $_SESSION['username'];
$escuname = mysql_real_escape_string($username);
$query = mysql_query("select id from CUSTOMER where username = '".$escuname."' LIMIT 1");
$query = mysql_query("select id from CUSTOMER where username = '".$_SESSION['username']."'");
Session variable in your query wasn't parsed properly. You could fix it using curly bracers syntax:
$query = mysql_query( "select id from CUSTOMER where username = '{$_SESSION[ "username" ]}'" );
or concatenate it using dot operator:
$query = mysql_query ( "select id from CUSTOMER where username = '" . $_SESSION[ "username" ] . "'" );
You can find more about parsing strings in PHP manual.
Related
I want to find out the max value of sql data column on the basis of email id and username. (there is no primary entity)
To get the email id, i store the user email id from session.
here goes my code:
$emailid = $userRow['emailid'];
$sql = "select max(item) from product where email = '$emailid' AND username = 'arun'";
$result = $conn-> query($sql);
$row = $result->fetch_assoc();
echo "Max item : " .$row['result'];
It's giving me first value of sql table but not highest.
you can either change your column data-type or use CAST or CONVERT.
$sql = "SELECT MAX( CAST( `item` AS UNSIGNED) ) as max FROM `product` WHERE `email` = '$emailid' AND `username` = 'arun'";
If possible its better to change the data-type.
Try this,
$emailid = $userRow['emailid'];
$sql = "SELECT MAX(item) AS item FROM product WHERE email = '$emailid' AND username = 'arun'";
$result = $conn-> query($sql);
$row = $result->fetch_assoc();
echo "Max item : " .$row['item'];
Try this way,
$rowSQL = mysql_query( "SELECT MAX( ID ) AS max FROM `tableName`;" );
$row = mysql_fetch_array( $rowSQL );
$largestNumber = $row['max'];
I want to select the highest value in a table:
$max = "SELECT MAX(pid) FROM pic";
Then pass that value into a PHP variable:
$results_max = $conn->query($max);
$highest_val = $results_max->fetch_assoc();
To then use again in a SQL insert statement:
$sql_update = "UPDATE users
SET username = '$username', pid = '$highest_val'
WHERE username = '$username'";
However i tested out the value i got from my first select statement ($highest_val) and it returns "Array". Does anyone know what I am doing wrong?
Edit:
$sql_update = "UPDATE users
SET username = '$username', pic_id = '$highest_val[pid]'
WHERE username = '$username'" ;
You need to create alias of MAX(pid);
$max = "SELECT MAX(pid) as pid FROM pic";
Now you fetch max pid using
$results_max = $conn->query($max);
$highest = $results_max->fetch_assoc();
$highest_val =$highest['pid'];// pass column name here
And your Update query would be
$sql_update = "UPDATE users
SET username = '".$username."', pid = '".$highest_val."'
WHERE username = '".$username."'";
I have the following code:
$username = $_SESSION['username'];
$query = ("SELECT id FROM users WHERE username = '$username'");
$result = mysql_query($query) or die (mysql_error());
$row = mysql_fetch_row($result);
$user_id = $row[0];
Where should I apply mysql_real_escape_string here?
Would $user_id = mysql_real_escape_string($row[0]); work?
I know that MySQL should be left in the past. I'll move to MySQLi soon enough.
do this in first line:
$username = mysql_real_escape_string($_SESSION['username']);
and change query to this:
$query = ("SELECT id FROM users WHERE username = '".$username."'");
I'm trying to make an last activity function for an website. but i can't get it to work. I hope you guys can help me out here.
this is my query:
$last_activity_query = "UPDATE users_table SET user_name = '$user_name' WHERE 'date_last_inlog' = NOW()";
$result_update = mysql_query($last_activity_query);
$last_activity_update = mysql_fetch_array($result_update);
this is an print screen of my database table:
I want to store this update in the last row.
Thanks in advance!
i've changed my script now but its still not changing anything in my database table.
this is the change:
if (isset($_REQUEST['inlog_submit'])){//checks if form is submitted
$user_name = $_REQUEST['username_input'];//request username from inlog_form
$password = $crypt;//gets enqrypted pass
//$tbl_name="user_table"; // Table name
$query = "SELECT * FROM users_table WHERE user_name= '$user_name' AND password='$password'";//query stored in var
$last_activity_query = "UPDATE users_table SET 'date_last_inlog' = NOW() WHERE user_name = '$user_name'";
$result = mysql_query($query);//var with result of query
$result_update = mysql_query($last_activity_query);
if ($user_name = mysql_fetch_array($result)){//checks inlog data from form with the $result query
$_SESSION['user_name'] = $user_name[user_name];//creates session with username
$_SESSION['password'] = $password[password];//creates session with password
$last_activity_update = mysql_fetch_array($result_update);
header ('Location: admin.php');//when login is correct redirect to specified page
}else{
$error_inlog = 10;//when inlog data is incorrect this error will show
}
}
?>
Your SQL query is in the wrong order.
$last_activity_query = "UPDATE users_table SET 'date_last_inlog' = NOW() WHERE user_name = '$user_name'";
Your logic is incorrect. Use this:-
"UPDATE users_table SET 'date_last_inlog' = NOW() WHERE user_name = '$user_name'";
You are using this :-
UPDATE users_table SET user_name = '$user_name' WHERE 'date_last_inlog' = NOW()
You are trying to update user_name column where the date_last_inlog column value is equal to the current time which is logically incorrect.
I have a DB table. I want to make a text input where the user can input the "uid" and the query will return the row associated with that uid.
So let's say I have something like this:
$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);
echo $res["age"];
how would I modify that query to something like..
SELECT name, age
FROM people
WHERE uid = $_POST['blahblah'] LIMIT 0,1
Thanks in advance for your help!
In reality...
// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');
// Build query. Properly escape input data.
$query =
"SELECT name,age " .
"FROM people " .
"WHERE uid = '" . mysql_real_escape_string($uid) . "' " .
"LIMIT 0,1";
Its advisable to escape characters in the variable for security reasons. Take a look at this document for some of the reasons:
http://en.wikipedia.org/wiki/SQL_injection
To save from SQL injection attack, use:
$search_query = mysql_real_escape_string($_POST['blahblah']);
$query = "SELECT name, age FROM people WHERE uid = '".$search_query."' LIMIT 0 , 1";
There are so many ways to do the same
But first escape it and store it in one variable
$blahblah = mysql_real_escape_string($_POST['blahblah']);
And then There are
First:
As #Mett Lo mentioned:
$query = "SELECT name,age FROM people WHERE uid = '" . $blahblah . "' LIMIT 0,1";
Second:
$query = "SELECT name,age FROM people WHERE uid = '{$blahblah}' LIMIT 0,1";
Third:
$query = "SELECT name,age FROM people WHERE uid = '$blahblah' LIMIT 0,1";
and if blahblah is an int value in db table then Fourth:
$query = "SELECT name,age FROM people WHERE uid = $blahblah LIMIT 0,1";
You may use the sprintf function to create the query.
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
$_POST['blahblah'] );
The rest will be the same. It is highly recommended that you escape the $_POST data before running the query to prevent SQL attacks. You may re phrase the query as follows.
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
mysql_escape_string($_POST['blahblah']) );