I'm trying to debug a MySQL query, and I have trouble understanding why one while loop in my script is not working:
// select db
mysql_select_db($dbname);
for ( $x = $latRange[0]; $x <= $latRange[1]; $x++ )
{
for ( $y = $lngRange[0]; $y <= $lngRange[1]; $y++)
{
$sql="SELECT * FROM $usertable WHERE $xlookup = $x AND $ylookup = $y";
$SQLresult = mysql_query($sql);
while( $row = mysql_fetch_array($SQLresult) )
{
$tmpResult = $row[$popDen];
$result += $tmpResult;
}
}
}
Sample values of the variables described are:
$latRange = array(3,7);
$lngRange = array(9,25);
$popDen = 'ColumnNameIWant'
$xlookup = 'Col1'
$xlookup = 'Col2'
The logic behind my query is that it finds all combinations of x and y, gets the corresponding $popDen value, and adds it to $result. Result is defined at the start of my script, and returned by the program after this loop.
I know that the problem section is my while loop, but I don't quite understand how to fix it as I don't fully understand how mysql_fetch_array functions. I've also tried mysql_fetch_row and my query does not work with this either.
I know from commenting out various chunks of the code, and passing back other numbers that everything else works; it is just this chunk that is failing.
Are there any obvious errors that I am making?
If popDen is a column in your table, you need to get it with:
$tmpResult = $row['popDen'];
and if it is the only value you need, you can simplify / speed up your sql query:
$sql="SELECT `popDen` FROM $usertable WHERE $xlookup = $i AND $ylookup = $y";
Edit: By the way, you might want to initialize your $result variable so that it has a defined / valid / known value if no rows are found.
One obvious error is to use dynamic table names.
This leaves hard to close SQL-injection holes:
Use this code to plug that hole, because mysql-real_escape_string() will not help!
$allowed_tables = array('table1', 'table2');
$clas = $_POST['clas'];
if (in_array($clas, $allowed_tables)) {
$query = "SELECT * FROM `$clas`";
}
See here for more info: How to prevent SQL injection with dynamic tablenames?
And don't forget to always enclose dynamic tablenames in backticks ` or your code will break if you happen to use a reserved word or a number for a table or column name.
Related
I have a mysql query:
$analyse_ot1="SELECT COUNT(*) AS ot_count FROM first, base, users
WHERE base.base_id=$base
AND
users.base_id=$base
AND
users.id=first.user_id
AND
first.$sub='OT'";
$result_ot1=mysqli_query($con,$analyse_ot1);
$row_ot1= mysqli_fetch_assoc($result_ot1);
$total_ot1= $row_ot1['ot_count'];
$otper1=($total_ot1/$total)*100;
I will be re-using this code many times on a web-page and want to be able to run it as part of a loop.
I don't want to have to rename my variables each time (where $result_ot1 become $result_ot2 etc...)
I've tried introducing an indexing variable $x and then appending it to another variable name:
$x=2;
$result_ot.$x=....
But , it doesn't want to work.
Any suggestions? I have an idea that arrays might be needed but I'm concerned that the queries will be throwing up arrays and I'm not sure an array in an array isn't going to set my computer on fire...
A hint to use your query everywhere.
//declare this in a folder, 'functions.php', for example
function analyse($base, $sub, $con)
{
$analyse_ot1 = 'SELECT COUNT(*) AS ot_count FROM first, base, users'
." WHERE base.base_id=$base AND users.base_id=$base"
." AND users.id=first.user_id AND first.$sub='OT'";
$result_ot1 = mysqli_query($con, $analyse_ot1);
$row_ot1 = mysqli_fetch_assoc($result_ot1);
return $row_ot1['ot_count'];
}
And in any other place of your project:
include 'functions.php';
$total_ot1 = analyse($base, $sub, $con);
$otper1 = ($total_ot1 / $total) * 100;
I did not understand well the loop thing. But in order to dave your results in an array, you could just do this:
$totalCounts = [];
foreach(loop){
$total_current = analyse($base, $sub, $con);
$totalCounts[] = $total_current;
}
And you will have $totalCounts that will be an array of the query result that we find in our function. That could be a way of saving your results in an array.
You could do it associative also:
$x = 0;
foreach(loop){
$total_current = analyse($base, $sub, $con);
$totalCounts['count_'.$x] = $total_current;
$x++;
}
So, if you now access: $totalCounts['count_3'] you would be accessing the result of the query on the third loop, for example.
I don't know if this is your answer. But maybe it helped a bit.
So, I have following php query:
for($i = 0; $i < sizeof($cat_result) ; ++$i) {
$query_p = "SELECT * FROM $table WHERE id = %d";
$results[] = $wpdb->get_row($wpdb->prepare($query_p, $cat_result[$i]));
}
The search relies on $cat_result which contains numerous numbers.
For example, let say $cat_result contains the following number: '1,3,5,21,35`
Using these 5 numbers, the query will look for the db info.
However, there are scenarios where some number (for example, "21") do not exist in the db.
Then, I get PHP NOTICE: trying to get property of non-object.
How do I write "if" statement so that if the id (in this case "21") does not exist, then it simply ignores the query? (It is hard to explain what I mean by "ignore". I still want the query to do the search but if it does not find what it is looking for, then simply ignore the error).
I think you should restructure your query. That way, as long as your data is sanitized (to prevent injection as im not sure if it comes from the user or not), you can just do the following:
$cat_result = implode(",", $cat_result);
$query_p = "SELECT * FROM $table WHERE id in ( $cat_result )";
$rslt = $wpdb->get_results($query_p);
// loop result
That way, it will fetch you all in that list.
Try this:
for($i = 0; $i < sizeof($cat_result) ; ++$i) {
$query_p = "SELECT * FROM $table WHERE id = %d";
$row = $wpdb->get_row($wpdb->prepare($query_p, $cat_result[$i]));
if ($row) {
$results[] = $row;
}
}
I don't know WordPress, but I suspect get_row returns false when there are no more rows of results. Your code was putting false into $results when that happened, and later code was then trying to use that as an object.
I have a php code that updates the value in 2 tables and I used left join. It works but it keeps on skipping the first condition and always enters the second condition. I have no idea on mysql injection so please advice if my code is prone to mysql injection.
elseif ($_POST['check'])
{
if ($row[typeofdog] = 'Labrador')
{
$id = $_POST['data'];
$count = count($id);
for($i=0;$i<$count;$i++)
{
$sql = "UPDATE animals LEFT JOIN treats ON animals.style = treats.style SET animals.bone = bone - treats.total, treats.status = 'Approved' WHERE treats.id='$id[$i]'";
$result = mysql_query($sql);
}
if($result){header("location:login_success.php");}
}
else
{
$id = $_POST['data'];
$count = count($id);
for($i=0;$i<$count;$i++)
{
$sql = "UPDATE animals LEFT JOIN treats ON animals.style = treats.style SET animals.chunks = chunks - treats.total, treats.status = 'Approved' WHERE treats.id='$id[$i]'";
$result = mysql_query($sql);
}
if($result){header("location:login_success.php");}
}
}
First, = is for assignment. == is for comparison.
Second, using the index typeofdog without quotes is incorrect. PHP explains why here.
Try this:
if ($row['typeofdog'] == 'Labrador')
If this doesn't work, then $row['typeofdog'] does not equal 'Labrador'. In that case, try echoing $row['typeofdog'] just before the conditional so you can see what is being compared.
Also, yes, you are at risk for sql injection. First step to fixing this: don't use mysql. Instead use mysqli or pdo and utilize prepared statements.
i'm trying to make a long mysql query and process and update the row founded:
$query = 'SELECT tvshows.id_show, tvshows.actors FROM tvshows where tvshows.actors is not NULL';
$result = mysql_query($query);
$total = mysql_num_rows($result);
echo $total;
while ($db_row = mysql_fetch_assoc($result))
{
//process row
}
but after 60 second give me a timeout request, i have try to insert these in my php code:
set_time_limit(400);
but it's the same, how i can do?
EDIT:
only the query:
$query = 'SELECT tvshows.id_show, tvshows.actors FROM tvshows where tvshows.actors is not NULL';
takes 2-3 second to perform, so i think the problem is when in php i iterate all the result to insert to row or update it, so i think the problem is in the php, how i can change the timeout?
EDIT:
here is the complete code, i don't think is a problem here in the code...
$query = 'SELECT tvshows.id_show, tvshows.actors FROM tvshows where tvshows.actors is not NULL';
$result = mysql_query($query);
$total = mysql_num_rows($result);
echo $total;
while ($db_row = mysql_fetch_assoc($result)) {
//print $db_row['id_show']."-".$db_row['actors']."<BR>";
$explode = explode("|", $db_row['actors']);
foreach ($explode as $value) {
if ($value != "") {
$checkactor = mysql_query(sprintf("SELECT id_actor,name FROM actors WHERE name = '%s'",mysql_real_escape_string($value))) or die(mysql_error());
if (mysql_num_rows($checkactor) != 0) {
$actorrow = mysql_fetch_row($checkactor);
$checkrole = mysql_query(sprintf("SELECT id_show,id_actor FROM actor_role WHERE id_show = %d AND id_actor = %d",$db_row['id_show'],$actorrow[0])) or die(mysql_error());
if (mysql_num_rows($checkrole) == 0) {
$insertactorrole = mysql_query(sprintf("INSERT INTO actor_role (id_show, id_actor) VALUES (%d, %d)",$db_row['id_show'],$actorrow[0])) or die(mysql_error());
}
} else {
$insertactor = mysql_query(sprintf("INSERT INTO actors (name) VALUES ('%s')",mysql_real_escape_string($value))) or die(mysql_error());
$insertactorrole = mysql_query(sprintf("INSERT INTO actor_role (id_show, id_actor, role) VALUES (%d, %d,'')",$db_row['id_show'],mysql_insert_id())) or die(mysql_error());
}
}
}
}
Should definitely try what #rid suggested, and to execute the query on the server and see the results/duration to debug - if the query is not a simple one, construct it as you would in your PHP script, and only echo the SQL command, don't have to execute it, and just copy that in to the server MySQL command line or whichever tool you use.
If you have shell access, use the top command after running the above script again, and see if the MySQL demon server is spiking in resources to see if it really is the cause.
Can you also try a simpler query in place of the longer one? Like just a simple SELECT count(*) FROM tvshows and see if that also takes a long time to return a value?
Hope these suggestions help.
There are so many problems with your code.
Don't store multiple values in a single column. Your actors column is pipe-delimited text. This is a big no-no.
Use JOINs instead of additional queries. You can (or could, if the above weren't true) get all of this data in a single query.
All of your code can be done in a single query on the server. As I see it, it takes no input from the user and produces no output. It just updates a table. Why do this in PHP? Learn about INSERT...SELECT....
Here are some resources to get you started (from Googling, but hopefully they'll be good enough):
http://www.sitepoint.com/understanding-sql-joins-mysql-database/
http://dev.mysql.com/doc/refman/5.1/en/join.html
http://dev.mysql.com/doc/refman/5.1/en/insert-select.html
What is Normalisation (or Normalization)?
Let me know if you have any further questions.
I'm using PHP ADOdb and I can get the result set:
$result = &$db->Execute($query);
How do I get the field names from that one row and loop through it?
(I'm using access database if that matters.)
It will depend on your fetch mode - if you setFetchMode to ADODB_FETCH_NUM (probably the default) each row contains a flat array of columns. If you setFetchMode to ADODB_FETCH_ASSOC you get an associative array where you can access each value by a key. The following is taken from ADODB documentation - http://phplens.com/lens/adodb/docs-adodb.htm#ex1
$db->SetFetchMode(ADODB_FETCH_NUM);
$rs1 = $db->Execute('select * from table');
$db->SetFetchMode(ADODB_FETCH_ASSOC);
$rs2 = $db->Execute('select * from table');
print_r($rs1->fields); # shows array([0]=>'v0',[1] =>'v1')
print_r($rs2->fields); # shows array(['col1']=>'v0',['col2'] =>'v1')
To loop through a set of results:
$result = &$db->Execute($query);
foreach ($result as $row) {
print_r($row);
}
Small improvement to the solution posted by #thetaiko.
If you are ONLY needing the field names, append LIMIT 1 to the end of your select statement (as shown below). This will tell the server to send you a single row with column names, rather than sending you the entire table.
SELECT * FROM table LIMIT 1;
I'm working with a table that contains 9.1M records, so this minor change speeds up the query significantly!
This is a function I use to return a field array - I've stripped out some extra stuff that, for example, allows it to work with other DBs than MySQL.
function getFieldNames($strTable, $cn) {
$aRet = array();
# Get Field Names:
$lngCountFields = 0;
$strSQL = "SELECT * FROM $strTable LIMIT 1;";
$rs = $cn->Execute($strSQL)
or die("Error in query: \n$strSQL\n" . $cn->ErrorMsg());
if (!$rs->EOF) {
for ($i = 0; $i < $rs->FieldCount(); $i++) {
$fld = $rs->FetchField($i);
$aRet[$lngCountFields] = $fld->name;
$lngCountFields++;
}
}
$rs->Close();
$rs = null;
return $aRet;
}
Edit: just to point out that, as I say, I've stripped out some extra stuff, and the EOF check is therefore no longer necessary in the above, reduced version.
I initally tried to use MetaColumnNames, but it gave differing results in VisualPHPUnit and actual site, while running from the same server, so eventually
I ended up doing something like this:
$sql = "select column_name, column_key, column_default, data_type, table_name, table_schema from information_schema.columns";
$sql .= ' where table_name="'.$table.'" and table_schema="'.$database_name.'"';
$result = $conn->Execute($sql);
while($row = $result->fetchRow()) {
$out[] = strToUpper($row['column_name']);
}
I think it should work with mysql, mssql and postgres.
The benefit of doing it like this, is that you can get the column names, even if a query from a table returns an empty set.
If you need the Coloumn names even for empty tables or for joins about multiple tables use this:
$db->Execute("SELECT .......");
// FieldTypesArray - Reads ColoumnInfo from Result, even for Joins
$colInfo = $res->FieldTypesArray();
$colNames = array();
foreach($colInfo as $info) $colNames[] = $info->name;
The OP is asking for a list of fieldnames that would result of executing an sql statement stored in $query.
Using $result->fetchRow(), even with fetch mode set to associative, will return nothing if no records match the criteria set by $query. The $result->fields array would also be empty and would give no information for getting the fieldnames list.
Actually, we don't know what's inside the $query statement. Besides, setting limit to 1 may not compatible with all database drivers supported by PHP ADOdb.
Answer by Radon8472 is the right one, but the correct code could be:
$result = $db->Execute($query);
// FieldTypesArray - an array of ADOFieldObject Objects
// read from $result, even for empty sets or when
// using * as field list.
$colInfo = [];
if (is_subclass_of($result, 'ADORecordSet')){
foreach ($result->FieldTypesArray() as $info) {
$colInfo[] = $info->name;
}
}
I have the habit of checking the class name of $result, for as PHP ADOdb will return false if execution fails.