New to PHP/mySql and having trouble inserting and retrieving binary data. I have a mySql table called usr_pressdata. The field 'BinDat' is of type mediumblob.
$dat = $this->parseOverview($sql);
// $dat is now a binary string
$datsql = "Update usr_pressdata Set BinDat = " . $dat;
$datresult = mysql_query($datsql, $this -> conn) or die(mysql_error());
$getdat = "Select * from usr_pressdata";
$getdatresult = mysql_query($getdat, $this -> conn) or die(mysql_error());
$row = mysql_fetch_array( $getdatresult );
$retval = $row['BinDat'];
In this example my goal is that $retval == $dat but it does not. I suspect that my query string $datsql is incorrect. Can someone correct this example code? Thank you.
When inserting values in a table (or more generally, when including a value in an SQL request):
the string must be enclosed between quotes ('...')
the string must be “escaped” using mysql_real_escape_string so as to prevent SQL injection.
So you need to write something like:
$request = "UPDATE usr_pressdata SET bindat= '" . mysql_real_escape_string($dat) . "';";
I suspect you may want to add a WHERE someColumn = someCondition clause at the end, because as it is now, it would affect all the rows in the table.
Related
Here's The code we have tried so far.
What actually we have to do is user will input data in his selected textboxes. we want php query to combine the search result and provide output.
$query=array();
$query[] = empty($_POST['keyword_s_dec']) ? : 'cand_desc='.$_POST['keyword_s_dec'];
$query[] = empty($_POST['keyword_s_location']) ? : 'cand_location='.$_POST['keyword_s_location'];
$results = implode('AND', $query);
$sql = "SELECT * FROM candidate where '".$results."'";
$result = mysql_query($sql) or die(mysql_error());
Where keyword_s_dec & keyword_s_location are our texfield ID;
cand_desc & cand_location are database columns.
Also we are trying for SQL Injection how can we achieve this?
I did some adjustments to your code:
$query = array();
if (!empty($_POST['keyword_s_dec'])) $query[] = "cand_desc = '".$_POST['keyword_s_dec']."'";
if (!empty($_POST['keyword_s_location'])) $query[] = "cand_location = '".$_POST['keyword_s_location']."'";
$condition = implode(' AND ', $query);
$sql = "SELECT * FROM candidate WHERE $condition";
$result = mysql_query($sql) or die(mysql_error());
This builds a valid query:
SELECT * FROM candidate WHERE cand_desc = 'test1' AND cand_location = 'test2'
Your main issue was that you weren't inserting spaces around the AND string and single quotes for the values in the WHERE clause, but I also removed the conditional ?: operator since it made the code less readable.
Note that I only fixed the code that you wrote. It won't work if none of the POST variables are set (since then the SQL string will have a WHERE clause without any content) and you should definitely use mysql_real_escape_string() when reading the POST variables to prevent SQL injection.
I've been successful with duplicating joined tables. Yay!
Now, after a number of tests, I've found that single apostrophe (escaped items) aren't being accepted. When originally creating new tables rows in the form, everything was run through the following:
$unit_id = mysqli_real_escape_string($dbc, trim($_POST['ajax_unit_id']));
Now, as I am duplicating these rows to create new records, I don't seem to know where/how to escape_string again in order to allow for single apostrophes again, such as a title called Don's Supah-Dupah App.
Duplication php:
$sql1 = "CREATE TEMPORARY TABLE tmp
SELECT *
FROM ".ID_TABLE."
WHERE `unit_id` = " . $id . "";
$result = mysqli_query($dbc,$sql1) or die(mysqli_error($dbc));
$sql2 = "ALTER TABLE tmp
DROP COLUMN `unit_id`";
$result = mysqli_query($dbc,$sql2) or die(mysqli_error($dbc));
$sql3 = "UPDATE tmp
SET `title` = '" . $titleStamp . "'";
# ************************************************************ #
# ****** This is where I believe the issue is occurring ****** #
# ************************************************************ #
$result = mysqli_query($dbc,$sql3) or die(mysqli_error($dbc));
$sql4 = "INSERT INTO ".ID_TABLE."
SELECT 0,tmp.*
FROM tmp";
$result = mysqli_query($dbc,$sql4) or die(mysqli_error($dbc));
$unit_id1 = $dbc->insert_id; //mysqli_insert_id($dbc); // Store new unit_id as var
$sql5 = "DROP TABLE tmp;";
$result = mysqli_query($dbc,$sql5) or die(mysqli_error($dbc));
After combing through the coding again, I found that the error actually had nothing to do with the duplication...sort of.
Note: I am providing this answer in case it helps someone out there to step back, look at there own issue from 5000m meters...instead of from 5 inches. Hopefully this helps someone to pull themselves out of the rabbit hole to get a better perspective.
Earlier before the duplication, I'd set up a variable $title that was generated by an initial sql select
$row = mysqli_fetch_array($rdata);
$title = $row['title'];
...then concatenate the title and a datetimestamp.
date_default_timezone_set(DEFAULT_TZ); // Default timezone set as Australia/Melbourne
$timestamp = date('Y/m/d h:i:s:a');
$titleStamp = $title." COPY ".$timestamp;
This $title variable is where the issue was occurring. The new string had to be escaped before the content could be inserted back into the new row.
$title = mysqli_real_escape_string($dbc, trim($row['title']));
Voila!
I am trying to update a record in my database with values pulled from an exploded array
$arr2 = explode(",",$_POST['hidden-tags']);
//echo $arr2[0];
//insert new rows into blog post
mysql_select_db($db, $db);
$insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4] WHERE idblog = '$id' ",$dbconnet);
If I echo the values from my array one at a time it works great. Once I try to put them in the db the row turns up empty. Whats more the user may not of entered 5 items they may only have entered 1 but I dont think thats really the problem. To be honest I cant see why its currently failing at all.
I know I can save all values in one field but it will be easier as separate fieldsfor when I pull back and query later on.
if the data types of the columns are string, values must be wrap with single quotes as they are string literals. eg,
$insertq = mysql_query("UPDATE blog SET tags1 = '". $arr2[0] . "',....");
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
$insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4] WHERE idblog = '$id' ",$dbconnet);
should be:
$insertq = mysql_query("UPDATE blog SET tags1 = '".$arr2[0]."',tags2 = '".$arr2[1]."',tags3 = '".$arr2[2]."', tags4 = '".$arr2[3]."', tags5 = '".$arr2[4]."' WHERE idblog = '".$id."' ,$dbconnet);
or the whole query is going to consider the variables names as part of the string
EDITED: i had the quotes inverted.
It should be like this :
$insertq = mysql_query("UPDATE blog SET tags1 = "'.$arr2[0].'",tags2 = "'.$arr2[1].'",tags3 = "'.$arr2[2].'", tags4 = "'.$arr2[3].'", tags5 = "'.$arr2[4].'" WHERE idblog = "'.$id.'" ",$dbconnet);
I think you might need to look at the datatypes of your table. If you are using varchar or text as data-types then single colon will be necessary.
$insertq = mysql_query("UPDATE blog SET tags1 =' $arr2[0]',tags2 = '$arr2[1]',tags3 = '$arr2[2]', tags4 = '$arr2[3]', tags5 = '$arr2[4]' WHERE idblog = '$id' ",$dbconnet);
Also if the idblog is integer then donot use single quotes.
hope this helps
I have a problem with integers in MySQL. I am trying to update a cell which stores an integer. However, I have problem with the type of that cell. Actually it is type is set to int but when I retrive the data I always get 0 and I belive it is because of the problem about how I am trying to get it. Here is my code sample;
function updateNumb($username) {
$query = "SELECT `num` FROM `profiles` WHERE `nick`='" . $username . "'";
$result = mysql_query($query, $this->conn) or die(mysql_error());
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$row['num'] = $row['num'] + 1;
$numb = (int)$row['num'] + 1;
//here I update the data.
$query = "UPDATE `profiles` SET `num`=" . $numb . " WHERE `nick`='".$username."'";
mysql_query($query, $this->conn) or die(mysql_error());
return $numb;
}
Can it be because of mysql_fetch_array stuff? Or how could I overcome this problem?
replace partisayisi with num
There is nothing wrong with the code you provided, maybe it's not doing what you really need, for example num is incremented twice, but there are no visible mistakes that would make it return 0, at least not in what we can see.
Make sure you provide valid username, try to echo your query before sending to mysql to see what it really looks like, maybe try this query yourself in mysql client or phpmyadmin to see what's going on.
Also if the only thing you need is to increment num for some user you can do it in one update, you don't need to use select to get that number:
UPDATE profiles set num=num+1 WHERE nick='somenick'
I am using a page where a variable $submissionid is being posted to it. I would like to use this variable and pull the field subcheck from a MySQL table called submission. I would like the value of the field subcheck to simply be a new variable $subcheck. I'm not sure how to do this. I have a query below, but how to I convert the result of the query below into a variable called $subcheck? (For any given submissionid, there will only be one $subcheck.)
Thanks in advance,
John
$querysub = mysql_query("SELECT subcheck FROM submission WHERE submissionid = '$submissionid' ");
mysql_query($querysub) or die(mysql_error());
You can try:
$querysub = mysql_query("SELECT subcheck FROM submission WHERE submissionid = ".
mysql_real_escape_string($submissionid));
$result = mysql_query($querysub);
if (!$result) {
die 'Could not run query: ' . mysql_error();
}
$subcheck = mysql_result($result, 0);
This is more of a 'php' question, than it is for mysql.
Look up the 'extract' keyword for PHP Link. Effectively 'extract' takes the contents of an associative array and creates php variables (symbol table entries) using the names of keys. Each php variable will then contain the associated value.
You should be able to just:
$result = mysql_query("SELECT * FROM table");
$row = mysql_fetch_array( $result, MYSQL_ASSOC );
extract( $row ); // Create php variables, named after each column in the table.
$row["field"] == $field; // Will be a true statement after 'extract()'
Enjoy, you now have the ability to have your code dynamic adjust to a DB schema that could be changed.
-- J Jorgenson --
This should work:
$querysub = mysql_query("SELECT subcheck FROM submission WHERE submissionid = '" . $submissionid ."' ");
$result = mysql_query($querysub) or die(mysql_error());
$row = mysql_fetch_assoc( $result );
if ($row ) {
$subcheck = $row['subcheck'];
} else {
echo "Subcheck not found";
}
Be careful with the escape characters around $submissionid in your query string. In your sample, they are probably letting the name of the variable go into the string you send to the mysql server.