My PHP SQL Statement is failing due to pound (#) sign. How can I get around this. (Other than fixing the database name?)
$sql = "SELECT CMCD, TK#, TECH, STATS from LIB.TICKET FETCH FIRST 10 ROWS ONLY ";
$rs = odbc_exec($conn,$sql);
Try wrapping your column name in brackets [TK#]
Try quoting the field names
$sql = "SELECT `CMCD`, `TK#`, `TECH`, `STATS` from LIB.TICKET FETCH FIRST 10 ROWS ONLY ";
$rs = odbc_exec($conn,$sql);
Related
I want to execute these queries
$q1 = "INSERT INTO t1 (id,desc) VALUES (1,'desc');" <br>
$q2 = "SET #last_id = LAST_INSERT_ID();" <br>
$q3 = "INSERT INTO t2 (parentid,desc) VALUES (#last_id, 'somedesc');"<br>
Will this work correctly 3 mysqli_query something like this?
$res = mysqli_query($q1);
$res2 = mysqli_query($q2);
$res3 = mysqli_query($q3);
To start, desc is a MySQL reserved word
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
and must be wrapped in backticks if you're going to decide on using it, without renaming it to something else than desc, say description for instance.
Therefore, you will need to change it to the following, assuming your DB connection is established, and using $con as an example, which you haven't shown us what your DB connection is.
$q1 = "INSERT INTO t1 (id,`desc`) VALUES (1,'desc')";
$q2 = "SET #last_id = LAST_INSERT_ID()";
$q3 = "INSERT INTO t2 (parentid,`desc`) VALUES (#last_id, 'somedesc')";
minus all of your <br> tags, since you are inside PHP, unless that wasn't part of your code, but in trying to format your code in your question.
Sidenote: Your semi-colons were misplaced.
and passing DB connection to your queries:
$res = mysqli_query($con,$q1);
$res2 = mysqli_query($con,$q2);
$res3 = mysqli_query($con,$q3);
Plus, adding or die(mysqli_error($con)) to mysqli_query() to check for possible errors in your queries.
This script is supposed to retrieve the CustomerID for the Customer_First_Name and Customer_Last_Name that has been entered into a form.
$query = "SELECT CustomerID FROM customer WHERE Customer_First_Name = `.$db_customer_first_name.` AND Customer_Last_Name = `.$db_customer_last_name.`";
$result = mysql_query($query)
or die(mysql_error());
echo $result;
echo $query;
when the script runs I get this error:
Unknown column '.Christopher.' in 'where clause'
the query is never printed on the screen.
any help is appreciated.
Your quotes are bad use ' instead of the tick `
You have to use single quotes for strings. Try again:
$query = "SELECT CustomerID FROM customer WHERE Customer_First_Name = '".$db_customer_first_name."' AND Customer_Last_Name = '".$db_customer_last_name."'";
This should work:
$query = "SELECT CustomerID FROM customer WHERE Customer_First_Name = '$db_customer_first_name' AND Customer_Last_Name = '$db_customer_last_name'";
You need to use normal single quotes for values. Also you don't need to break the string if you're using double quotes - variables are detected within the string.
Make sure you're also correctly escaping your strings for mysql to prevent injection.
Better still, look at moving to mysqli and using prepared statements.
Use ' instead of remove `
$query = "SELECT CustomerID FROM customer WHERE Customer_First_Name = '".$db_customer_first_name."' AND Customer_Last_Name = '".$db_customer_last_name."'";
Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?
Say i have a form on a page asking for someone's age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)
$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);
Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:
...
$Query = "INSERT INTO details (age) VALUES ('$Number')"; <-- quotes
...
What about performing a SELECT? Is this:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);
better than:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID"; <-- no quotes
$Result = mysqli_query($dbc, $Query);
NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i'm dealing with. I want to secure it as best as i can.
If you add numbers, use the intval/floatval functions, don't use mysql_real_escape_string for those.
For everything you use mysql_real_escape_string for, you must use quotes, example:
$input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.
You really shoud use sprintf, even if in legacy code it takes 2 mins to modify and is in my opinion totally worth the time.
Shamelessly ripped from php.net:
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
Your query is now pretty much safe from being passed the wrong types to it's fields and unescaped caracters.
You SHOULD use the PHP filters, and filter for numbers - even for ranges, regular expressions; with default values, NULL on failure, etc.
http://hu.php.net/manual/en/ref.filter.php
if the values come from a request variable, e.g. $_POST, see:
http://hu.php.net/manual/en/function.filter-input.php
This is simple one i am using the following insert query
mysql_query(insert into table1 set saltval = 'Y'Z' where uid ='1');
but i does not work becaues the value for the field saltval is Y'Z . my question is how to considered this value is as a string .
You need to escape any single quotes with a backslash.
mysql_query("insert into table1 set saltval = 'Y\'Z' where uid ='1'");
However your SQL is invalid as well... Did you mean to do an update? Insert statements don't have a where.
As mentioned in other answers, if the input is from a user then you should use mysql_real_escape_string()
http://www.php.net/manual/en/function.mysql-real-escape-string.php
$string = mysql_real_escape_string("Y'Z");
mysql_query("insert into table1 set saltval = '{$string}' where uid ='1'");
Always use mysql_real_escape_string() function for this if values come from user input
$query="insert into table1 set saltval = '".mysql_real_escape_string($InputVal)."' where uid ='1'";
See http://php.net/manual/en/function.mysql-real-escape-string.php
You have to add a backslash to certain characters to make your string fit into SQL syntax rules.
Assuming you're creating your query dynamically, PHP has special escaping function for this and you should use it for the every quoted string in the query, no exceptions.
So, write your code like this:
$salt = "Y'Z";
$id = 1;
$salt = mysql_real_escape_string($salt);
$id = mysql_real_escape_string($id);
$sql = "update table1 set saltval = '$salt' where uid ='$id'";
mysql_query($sql) or trigger_error(mysql_error()." ".$sql);
to make it safe and fault-tolerant
Why do this..
$fruit_type = "banana";
mysql_real_escape_string($fruit_type);
$query = "SELECT * FROM posts WHERE fruit = " . $fruit_type . ";
when you can do this..
$fruit_type = "banana";
mysql_real_escape_string($fruit_type);
$query = "SELECT * FROM posts WHERE fruit = $fruit_type;
I know that integers should be encapsulated in single quotes but is it fine to add a variable that contains a string directly?
Adding a string directly, without quotes (and escaped quotes within the value) will not work if that is your question.
The following will work with integers, provided you are matching on an number field, but it will not work with strings:
$query = "SELECT * FROM posts WHERE fruit = $fruit_type";
To match strings, you must enclose them within single quotes, and escape single quotes occurring within the value. The following will not escape quotes contained within the passed variable:
$query = "SELECT * FROM posts WHERE fruit = '$fruit_type'";
At the very least, you should do this:
$query = "SELECT * FROM posts WHERE fruit = " . mysql_real_escape_string($fruit_type);
And at the first opportunity, read about these:
http://php.net/manual/en/pdo.prepared-statements.php
Typically, no. The reason is just this:
$fruit_type = "; DELETE FROM posts;";
There's nothing inherently wrong with the syntax, it's your approach in general. You want to make sure that all user input strings are escaped.
I think you missed the quotes for the string.
$query = "SELECT * FROM posts WHERE fruit = '$fruit_type';
Also, its a good practice to use bind variables in SQL in order to avoid DB query parsing
To late but it will help others
`
$table ="table_Name";
$idx="value";
$sql="SELECT * FROM $table WHERE row_name= '$idx'";
`
execute your query .