Is there anything wrong with this SQL code? I got it from a tutorial, but it's returning the following error message
Database query failed: You have an
error in your SQL syntax; check the
manual that corresponds to your MySQL
server version for the right syntax to
use near 'LIMIT 1' at line 1
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id=" . $subject_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// if no rows are returned, fetch array will return false
if ($subject = mysql_fetch_array($result_set)){
return $subject;
} else {
return NULL;
}
}
Best to echo the query and see what it looks like.
Probably $subject_id contains no value or an invalid value. If $subject_id is a string, you should escape it (using mysql_real_escape_string) and put it inside quotes in the query.
[Edit]
You know you can put enters in strings too, right?
// More readable
$query = "
SELECT *
FROM subjects
WHERE id = $subject_id
LIMIT 1";
$query .= "where id=" . $page_id . " ";
Needs to be put within single quotes. Replace the above statement by
$query .= "where id='" . $page_id . "' ";
Frankly, it's impossible to say what is exactly wrong with this code, not knowing what values are substituted in the query in place of variables.
Apart from that, the code in question may be subject to SQL injection attacks.
If I may put together other suggestions that will make sure no error is ever generated with this code:
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='" . mysql_real_escape_string($subject_id) ."' ";
// note the quotes and escaping wrapper
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// if no rows are returned, fetch array will return false
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
Additionally, using global variables is a bad practice nowadays, so I suppose the example you're using is quite outdated.
Try to use mysql_real_escape_string()
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='" . $subject_id ."' "; //You need single quotes
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// REMEMBER:
// if no rows are returned, fetch_array will return false
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
$query .= "WHERE id='" . $subject_id ."' "; //work
$query .= "WHERE id=" . $subject_id ." "; //not work
Related
I'm trying to filter through my database according to filters done by visitors.
$query = "select * from Sheet1 where";
//filter query start
if (!empty($brand)) {
$branddata = implode("','", $brand);
//testing removing query
$query .= " Brand in('$branddata') and";
}
if (!empty($model)) {
$modeldata = implode("','", $model);
//testing removing query
$query .= " Model in('$modeldata') and";
}
/* if(!empty($model) && empty($brand)){
} */
if (!empty($spower) && !empty($epower)) {
$query .= " Power>='$spower' and Power<='$epower' and";
}
if (!empty($sprice) && !empty($eprice)) {
$query .= " Doors>='$sprice' and Doors<='$eprice'";
}
$rs = mysqli_query($conn, $query) or die("Error : " . mysqli_error($conn));
The result I wish to get is a sql query that works and has correct syntax. Such as select * from Sheet1 where Doors>='$sprice' and Doors<='$eprice', if the visitor is filtering by price.
Currently, my code is made so that it simply adds a certain string to the variable. This means that if you don't filter by model, it skips model, because the model variable is empty. The problem comes to if you filter by power, the SQL will become select * from Sheet1 where Power>='$spower' and Power<='$epower' and. Obviously this doesn't work, so I need help in making the code make sure it works for every combination of filters.
Append $query .= " 1 = 1"; at the end. I did some modification in your given code. Have a look.
<?php
$query = "SELECT * FROM `Sheet1` WHERE";
//filter query start
if(!empty($brand)){
$branddata = implode("','",$brand);
$query .= " (Brand in('$branddata')) AND";
}
if(!empty($model)){
$modeldata = implode("','",$model);
$query .= " (Model in('$modeldata')) AND";
}
if(!empty($spower) && !empty($epower)){
$query .= " (Power>='$spower' AND Power<='$epower') AND";
}
if(!empty($sprice) && !empty($eprice)){
$query .= " (Doors>='$sprice' AND Doors<='$eprice') AND"; //Added 'AND'
}
$query .= " 1 = 1"; //Added new line
$rs = mysqli_query($conn,$query) or die("Error : ".mysqli_error($conn));
?>
Add AND on each query appended in if conditions. Then, at last add $query .= " 1 = 1";. Which will save you from extra AND coming at the end. If none of the conditions satisfy, then your query will be SELECT * FROM Sheet1 WHERE 1 = 1. Simple. And, don't forget to differentiate between conditions in query. Differentiate your conditions like how I did by opening and closing brackets.
I would do it this way
$filters=array();
if(!empty($brand)){
$branddata =implode("','",$brand);
//testing removing query
$filters[]= " Brand in('$branddata')";
}
if(!empty($model)){
$modeldata =implode("','",$model);
//testing removing query
$filters[]= " Model in('$modeldata') and";
}
if(!empty($spower) && !empty($epower)){
$filters[]= " Power>='$spower' and Power<='$epower' and";
}
if(!empty($sprice) && !empty($eprice)){
$filters[]= " Doors>='$sprice' and Doors<='$eprice'";
}
$query = "select * from Sheet1 where";
foreach ($filters as $filter) {
$query.=' AND '.$filter;
}
$rs = mysqli_query($conn,$query) or die("Error : ".mysqli_error($conn));
I have created an editable database to help me automate weekly member updates. There are 9 values that each member updates each week, these are controlled by $_POST submit to secondary php.
From that php, the post values are set as php var, then used to UPDATE sql db.
mysql_select_db("web_footy1") or die(mysql_error());
// The SQL statement is built
$strSQL = "UPDATE Round_6 SET ";
$strSQL = $strSQL . "Game1= '$Game1', ";
$strSQL = $strSQL . "Game2= '$Game2', ";
$strSQL = $strSQL . "Game3= '$Game3', ";
$strSQL = $strSQL . "Game4= '$Game4', ";
$strSQL = $strSQL . "Game5= '$Game5', ";
$strSQL = $strSQL . "Game6= '$Game6', ";
$strSQL = $strSQL . "Game7= '$Game7', ";
$strSQL = $strSQL . "Game8= '$Game8', ";
$strSQL = $strSQL . "Game9= '$Game9' ";
$strSQL = $strSQL . "WHERE Member = '$Member' ";
// The SQL statement is executed
mysql_query($strSQL) or die(mysql_error()) ;
Yes, i am aware this is subject to SQL injection, it is a private site so security can wait atm
The problem is that all values are update at same time, and to update one, you need to re enter all otherwise they are replaced with empty value.
So my question in twofold.
A) What is the cleanest way to be able to control each variable separately,
B) Can i, and if so, how to use isset($GameX) to control which queries are executed.
Eg
IF (isset($Game1)) {UPDATE Round6 SET Game1='$Game1' WHERE Member='$Member'} ;
Please keep in mind, 3 weeks ago i knew nothing about coding, and have crash coursed in html, php and sql in that time... Cheers
I really really really can't recommend enough that you FIX your SQL injection.
Having said that, you can programatically add conditions to your UPDATE clause.
An example might be the following snippet:
<?php
$Game3 = "things";
$Game5 = "stuff";
$Game6 = "awesome";
$Member = 'ben';
$update_parts = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
$variable_name = "Game" . $game_counter;
if ( isset($$variable_name) ) { // This is like isset($Game1)
$update_parts[] = "Game" . $game_counter . " = '" . $$variable_name . "'";
}
}
if ( sizeof($update_parts) > 0 ) {
$strSQL = "UPDATE Round_6 SET ";
$strSQL .= implode(", ", $update_parts);
$strSQL .= " WHERE Member = '$Member'";
echo $strSQL;
}
I've put in a couple of variables up the top there. This yields the following SQL:
UPDATE Round_6 SET Game3 = 'things',
Game5 = 'stuff', Game6 = 'awesome' WHERE Member = 'ben'
EDIT: If you want to use PDO, you need the Query and the Parameters separated. In my example below, I'm putting the Query parameters in
$conn = new PDO("mysql:host=localhost;dbname=database;","username","password"); // Your Connection String
$update_parts = array();
$query_params = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
$variable_name = "Game" . $game_counter;
if ( isset($$variable_name) ) { // This is like isset($Game1)
$update_parts[] = "Game" . $game_counter . " = ?";
$query_params[] = $$variable_name;
}
}
if ( sizeof($update_parts) > 0 ) {
$strSQL = "UPDATE Round_6 SET ";
$strSQL .= implode(", ", $update_parts);
$strSQL .= " WHERE Member = ?";
$query_params[] = $Member;
// Here is where you'd run the update
$stmt = $conn->prepare($strSQL);
$stmt->execute($query_params); // Notice I'm passing in the parameters separately
}
Hi I'm using PHP to try and retrieve data from a database while looping through an array inside the in statement like this.
$sql2 = "SELECT * FROM pixacour_pixacourt.UserCaseMessages WHERE FavorIDs IN (" ;
$count = 0;
foreach($followingArray as $value)
{
if($count==count($followingArray)-1)
{
$sql2 .= "LIKE";
$sql2 .= "%'".$value."'%";
}
else
{
$sql2 .= "LIKE";
$sql2 .= "%'".$value."'%,";
}
++$count;
}
$sql2 .= ")";
I get this error, that says
"trying to get property of non object"
I can't figure out what is going on any suggestions would be much appreciated thank you for your time.
You should not be using LIKE in an IN clause but you do need to comma delimit elements. No need to keep track of the count, either. foreach will cease when the array has been traversed and you can trim off the trailing comma.
$sql2 = "SELECT * FROM pixacour_pixacourt.UserCaseMessages WHERE FavorIDs IN (" ;
foreach($followingArray as $value)
{
$sql2 .= "'".$value."', ";
}
$sql2 = rtrim($sql2,',');
$sql2 .= ");";
If this fails, like Gordon says, echo $sql2 and the syntax error will probably be clear.
If you do indeed need to use LIKE and wildcard matching, you could append multiple OR clauses, one for each $value.
$sql2 = "SELECT * FROM pixacour_pixacourt.UserCaseMessages WHERE " ;
$whereClause = "";
foreach($followingArray as $value)
{
$whereClause .= " OR FavorIDs LIKE '%".$value."%' ";
}
$whereClause = ltrim($whereClause, " OR");
$sql2 .= $whereClause . ";";
UPDATE 1/9/15
I realized there's a bug in this code in that when $followingArray is empty, we'd receive a MySQL syntax error because the query ends with "WHERE". Here's a new version which resolves that bug:
$sql2 = "SELECT * FROM pixacour_pixacourt.UserCaseMessages" ;
if(count($followingArray) >= 1) {
$sql2 .= " WHERE";
}
$whereClause = "";
foreach($followingArray as $value)
{
$whereClause .= " OR FavorIDs LIKE '%".$value."%' ";
}
$whereClause = ltrim($whereClause, " OR");
$sql2 .= $whereClause . ";";
I need to set up a SQL query with multiple parameters that are being pulled from the URL. So far I can only get it to work with the there is only one item in the URL.
My default query to pull in all the content
$sql = "SELECT ";
$sql .= "* ";
$sql .= "FROM ";
$sql .= "cms_site_content ";
$sql .= "WHERE ";
$sql .= "1";
I then check if anything was passed through the URL and retrieve it.
if (isset($_GET["d"])) {
$d=$_GET["d"];
Inside the if statement, I break the values passed as "d" into separate items
$newD = explode(',',$d);
$countD = count($newD);
foreach($newD as $discipline) {
if ($countD == 1) {
$sql .= " AND";
$sql .= " discipline='".$discipline."'";
}
My problem is getting the SQL to work if there is more than one discipline value. It should read something like this:
SELECT * FROM cms_site_content WHERE 1 AND discipline="value"
however if there's more than one discipline value, it should read:
SELECT * FROM cms_site_content WHERE 1 AND discipline="value OR discipline="value2" OR discipline="value3"
Is there a more efficient way to write this? I can't figure out how to insert the OR into the foreach statement.
Save all discipline values in an array;
$discipline_arr = array();
foreach($newD as $discipline) {
$discipline_arr[] = $discipline;
// by the way, don't forget to escape for sql injection
// mysql_escape_string is the depracated one, u can use that if u have no
// other choice
}
Then in your sql, add them as discipline in ('value1','value2', 'etc ...') condition (that is for strings, for numeric types it would be like discipline in (1,2,3,4, etc)
$sql = " SELECT * FROM cms_site_content WHERE 1 " .
(empty($discipline_arr) ? "" : "and
discipline in ('". implode("','" , $discipline_arr). "') ") ;
Link to escaping
http://tr1.php.net/manual/en/function.mysql-escape-string.php
Assuming the rest of your query is in tact. Simply store all of your discipline values in an array as follows, then feed the $discipline_string to your $sql query:
$discipline_ary = array('option1', 'option2', 'option3');
$discipline_string = "";
for($i=0; $i < count($discipline_ary); $i++){
$discipline_string .= " discipline = '" . $discipline[$i] . "' ";
if($i+1 == count($discipline_ary)){
break;
}else{
$discipline_string .= " OR "
}
}
This query is not returning any result as there seems to be an issue with the sql.
$sql = "select region_description from $DB_Table where region_id='".$region_id."' and region_status =(1)";
$res = mysql_query($sql,$con) or die(mysql_error());
$result = "( ";
$row = mysql_fetch_array($res);
$result .= "\"" . $row["region_description"] . "\"";
while($row = mysql_fetch_array($res))
{
echo "<br /> In!";
$result .= " , \"" . $row["region_description"] . "\"";
}
$result .= " )";
mysql_close($con);
if ($result)
{
return $result;
}
else
{
return 0;
}
region_id is passed as 1.
I do have a record in the DB that fits the query criteria but no rows are returned when executed. I beleive the issue is in this part ,
region_id='".$region_id."'
so on using the gettype function in my php it turns out that the datatype of region_id is string not int and thus the failure of the query to function as my datatype in my tableis int. what would be the way to get parameter passed to be considered as an int in php. url below
GetRegions.php?region_id=1
Thanks
Try it like this:
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"
The region_id column seems to be an integer type, don't compare it by using single quotes.
Try dropping the ; at the end of your query.
First of all - your code is very messy. You mix variables inside string with escaping string, integers should be passed without '. Try with:
$sql = 'SELECT region_description FROM ' . $DB_Table . ' WHERE region_id = ' . $region_id . ' AND region_status = 1';
Also ; should be removed.
try this
$sql = "select region_description from $DB_Table where region_id=$region_id AND region_status = 1";
When you are comparing the field of type integer, you should not use single quote
Good Luck
Update 1
Use this.. It will work
$sql = "select region_description from " .$DB_Table. " where region_id=" .$region_id. " AND region_status = 1";
You do not need the single quotes around the region id i.e.
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"