Put large text into DB2 table in php - php

I've got a table with a CLOB field (are there any other data types in IBM DB2 to store text in?). So, I have an article (HTML + CSS + text). I used htmlspecialchars($text) to prepare the text.
Then I do next thing:
$query="update tbl_lang_text set text='$text' where ownerid=$id and lang like '$lng' and type=1";
$stmt = db2_prepare($this->conn, $query);
$result = db2_execute($stmt);
So I got an error, something like: the query is too big. So, how can I update my field with such a large text?
P.S.: A test article contains 28 154 characters with spaces.

A CLOB column can take up to 2 147 483 647 characters, so it is unlikely that this is what is causing the error.
What could be the problem (and even if it's not, you should fix it) is that you are not escaping the input at all. Using prepared statements (i.e. db2_prepare) is good, but you still need to use parameters and values to have your data escaped:
$query = "update tbl_lang_text set text=? " .
         "where ownerid=? and lang like ? and type=1";
$stmt = db2_prepare($this->conn, $query);
$result = db2_execute($stmt, array($text, $id, $lng));
It is very likely that $text contains at least an apostrophe ' and that your query fails because of it.
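The following is an added example, not code from the question or the answer above. It shows the parameterised UPDATE the answer recommends, written out with error checking and a constructed article longer than the asker's 28 154 characters. It assumes an ibm_db2 connection and the table tbl_lang_text (ownerid, lang, type, text CLOB) from the question; the connection details and the function name updateArticleText are placeholders. It compares lang with = rather than LIKE, because a bound value in a LIKE clause is still a pattern in which % and _ act as wildcards.

```php
<?php
// Added example (not from the original post). Assumes the ibm_db2 extension,
// an open connection $conn and the question's table tbl_lang_text with a CLOB
// column "text". Connection details below are placeholders.

function updateArticleText($conn, int $ownerId, string $lang, string $text): bool
{
    // The placeholders carry the values out of band: the SQL text never contains
    // the article, so neither its length nor any apostrophe in it can break the
    // statement or change its meaning.
    $sql = 'UPDATE tbl_lang_text SET text = ? WHERE ownerid = ? AND lang = ? AND type = 1';

    $stmt = db2_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . db2_stmt_errormsg());
    }

    // db2_execute() binds the array positionally to the three ? markers.
    if (!db2_execute($stmt, [$text, $ownerId, $lang])) {
        throw new RuntimeException('execute failed: ' . db2_stmt_errormsg($stmt));
    }

    // For an UPDATE, db2_num_rows() is the number of affected rows; 0 means no
    // row matched the key, which is worth surfacing rather than ignoring.
    return db2_num_rows($stmt) > 0;
}

// Constructed sample article: HTML with apostrophes and an entity, padded past
// the question's 28 154 characters to show that size is not the problem.
$article = "<p class='lead'>It's a test &amp; it won't break the query.</p>\n"
         . str_repeat("<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>\n", 600);

$conn = db2_connect('DSN_PLACEHOLDER', 'user_placeholder', 'password_placeholder');
if ($conn === false) {
    die('connect failed: ' . db2_conn_errormsg());
}

$updated = updateArticleText($conn, 42, 'en', $article);
echo $updated ? "article updated\n" : "no row matched ownerid/lang\n";
```

Note that htmlspecialchars() is output encoding for HTML, not SQL escaping; with the values bound as above it is no longer needed for the database at all, and applying it before storage means the text is encoded for one context regardless of where it is later used.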

Related

oci_bind_by_name not working when unescaped works

Working on an UPDATE query for an Oracle database. The field in question is of the type NCHAR(25), which accepts a 25 character UTF-8 byte string. My input values are in ASCII which should work no problem.
The following snippet uses the oci_bind_by_name function to escape the variable in the WHERE clause and insert into the placeholder variable :herp.
$sql = "UPDATE MYTABLE SET OPT = '1' WHERE FIELD = :herp";
$stmt = oci_parse($this->conn, $sql);
oci_bind_by_name($stmt, ":herp", $record['value'], -1, SQLT_CHR);
This next snippet does not use the oci_bind_by_name function and instead inserts the variable into the SQL statement unescaped (YOLO).
$sql = "UPDATE MYTABLE SET OPT = '1' WHERE FIELD = '".$record['value']."'";
$stmt = oci_parse($this->conn, $sql);
My problem
The first snippet does not work, while the second one works fine, i.e. the UPDATE statement succeeds every time on the second method while it fails every time on the first.
Both versions of the UPDATE should work. However, when I use the oci_bind_by_name function for a few fields, somehow the variable is getting changed. (I am doing more rigorous error checking in the actual code.)
My question
What is going on here? How can I still use the oci_bind_by_name instead of just concatenating the variable directly into the SQL statement?
Per the developers:
Neither PHP OCI8 or PDO_OCI support NVARCHAR, NCHAR or NCLOB types.

Mysqli LIKE not working with apostrophe?

When I use my mysqli function to search the database for a certain string with a ' (apostrophe) it never finds a result, although it is exactly the same in the database.
For example: I search for: dawn's, this gets escaped through real_escape to: dawn\'s and this is the same as in the database (it's put in escaped as well in the database). But still it does not give me a result.
This is the code I use:
$mysqli = goConnect();
$query = $mysqli->real_escape_string($query);
if(!($stmt = $mysqli->prepare("SELECT * FROM movies WHERE title LIKE '%$query%'"))){
    http_response_code(400);
    echo "<p class='results'>Cannot prepare the statement, please try again later.</p>";
}
echo $query;
if($stmt->execute()){
    // ... fetch and output the results
}
Why doesn't this work properly?
Mysqli doesn't have a LIKE operator and Mysql LIKE works with any characters, including apostrophe.
and this is the same as in the database (it's put in escaped as well in the database).
This is what you are doing wrong. It shouldn't be the same in the database. It should be stored as is.
Besides, you should always, always ALWAYS use placeholders to substitute variables in the query. Were you using them, you'd never encounter a problem like this.
So, first change this code to
$mysqli = goConnect();
$stmt = $mysqli->prepare("SELECT * FROM movies WHERE title LIKE ?");
$query = "%$query%";
$stmt->bind_param("s", $query);
$stmt->execute();
And then change your insert code accordingly, to make it add not a single extra character to the data.
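As an added example (not code from the question or the answer), here is the search and the matching insert written with placeholders, plus one detail the answer's "%$query%" leaves out: the user's term is pasted into a LIKE pattern, so a search for "100%" or "_" would match far more than intended unless LIKE's own wildcards are escaped. The example assumes the asker's goConnect() helper and a movies table with id and title columns; the function names are placeholders.

```php
<?php
// Added example (not from the original post). Assumes the asker's goConnect()
// returns a mysqli object and that the movies table has id and title columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

// Turn a user-supplied term into a LIKE pattern. The apostrophe problem is
// solved by the placeholder; this function handles the remaining issue, that
// %, _ and the chosen escape character would otherwise act as wildcards.
function likePattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

function searchTitles(mysqli $db, string $term): array
{
    // ESCAPE '!' names the escape character used by likePattern(); the pattern
    // itself is bound, so it is never parsed as SQL.
    $stmt = $db->prepare("SELECT id, title FROM movies WHERE title LIKE ? ESCAPE '!'");
    $pattern = likePattern($term);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Store the title exactly as typed: no real_escape_string(), no addslashes().
// Escaping belongs to the transport into the query, not to the stored data.
function insertTitle(mysqli $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO movies (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    return (int) $db->insert_id;
}

$db = goConnect();
insertTitle($db, "From Dusk Till Dawn's Sequel");      // constructed sample row
insertTitle($db, "100% Wolf");                          // constructed sample row

foreach (searchTitles($db, "dawn's") as $row) {         // finds the first row only
    echo $row['id'], ': ', htmlspecialchars($row['title'], ENT_QUOTES), "\n";
}
foreach (searchTitles($db, "100%") as $row) {           // literal %, finds the second row only
    echo $row['id'], ': ', htmlspecialchars($row['title'], ENT_QUOTES), "\n";
}
```

htmlspecialchars() appears only at output time, which is where HTML encoding belongs; the database holds the raw title.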

Sphinxql with PDO php

I am integrating Sphinxsearch into my site, and rewriting my old code to use Sphinx.
The problem I've got is with special characters inside MATCH in SphinxQL.
Example: I want to search for H&M.
With plain MySQL I get thousands of records, so I'm quite sure I have titles containing that word in my database.
I don't need extended query syntax in MATCH.
$q = "h&m";
$spxq = "SELECT * FROM sphinx_index WHERE MATCH(:query) LIMIT 0,10";
$stmt = $DB->prepare($spxq);
$stmt->bindValue(':query', $q, PDO::PARAM_STR);
$stmt->execute();
$res = $stmt->fetchAll(PDO::FETCH_ASSOC);
This isn't returning any results.
After this I tried escaping $q, so:
$q = "h\&m";
Still not working. Tried with double escaping too, still not working.
Any help would be appreciated.
OK, I got this, if anyone in the future has this same problem.
The solution is to add the special characters you want to be able to search for in the sphinx.conf file, in the charset_table.
So for my case of H&M, you need to add the & character (U+026) to the charset table.

Using reserved word in sql update query in php overwrites the whole table

I am currently working on a PHP project and used the word 'value' as a column name. The problem being that when I run the query, it overwrites all entries in the database, even though I have a delimiter (primary key = *). I have tried everything I can think of to get this to work, and it hasn't yet. Here is the complete line of code:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = ".$_POST['txtValueBalance'].", Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
Note here, that $row['FK_Rev_Exp'] is the delimiter I was talking about. It is being pulled accurately from a previous query. Also, please ignore any sql injection problems, I'm just working on getting the project functional, I can optimize later.
EDIT 1: I have also tried enclosing the "value" in everything I can think of that may get rid of this problem, but no luck.
EDIT 2: I also don't think it is a problem with the statement itself, as I directly entered the statement into the mysql command line and it only affected 1 row, possibly a php problem?
EDIT 3: Full block, including the execution of the SQL. Here, ExecuteSQL runs all necessary mysqli statements to execute the SQL command. It takes in an SQL statement and a true/false for whether there is a result set:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = '".$_POST['txtValueBalance']."', Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
ExecuteSQL($SqlStatement, false);
I can't figure it out, and any help would be appreciated.
I think your problem is not about MySQL reserved keywords, because you correctly surrounded Value with backticks and that makes the database understand this is a field. I'm more concerned about treating non-integers as integers, so I would suggest surrounding your value with quotes '' since it is a decimal:
`Value` = '".$_POST['txtValueBalance']."',
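The following is an added example, not code from the question or the answer. It rewrites the asker's UPDATE with PDO named placeholders, keeps the backtick-quoted `Value` identifier, and adds the check a keyed UPDATE should always have: it must touch exactly one row, and if it does not, the transaction is rolled back instead of silently rewriting the table. Column and POST field names come from the question; the connection details and the function name updateRevExp are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection to the
// asker's database and the rev_exp table from the question. DSN and credentials
// are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user_placeholder', 'password_placeholder', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // values travel separately from the SQL text
    PDO::MYSQL_ATTR_FOUND_ROWS   => true,  // rowCount() = rows matched, not only rows changed
]);

function updateRevExp(PDO $pdo, int $pk, array $post): void
{
    // `Value` is backtick-quoted because it is a reserved word. Every data value
    // is a named placeholder, so an apostrophe in Notes cannot end the string
    // literal and a stray "OR 1=1" in any field stays plain text.
    $sql = 'UPDATE rev_exp
               SET Date_Entered = :entered,
                   Description  = :description,
                   `Value`      = :value,
                   Notes        = :notes
             WHERE PK_Rev_Exp   = :pk';

    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':entered'     => date('Y-m-d'),
        ':description' => $post['txtUtilityType'] . ' ' . $post['txtAccountNumber'] . ' ' . $post['txtDateAdded'],
        ':value'       => $post['txtValueBalance'], // DECIMAL column: pass the string, MySQL converts it
        ':notes'       => $post['txtNotes'],
        ':pk'          => $pk,
    ]);

    // A primary-key UPDATE must match exactly one row. Anything else means the
    // WHERE clause is not doing what we assumed, so fail loudly.
    $count = $stmt->rowCount();
    if ($count !== 1) {
        throw new RuntimeException("expected 1 row for PK_Rev_Exp=$pk, matched $count");
    }
}

// Constructed sample input standing in for $_POST and $row['FK_Rev_Exp'].
$post = [
    'txtUtilityType'   => 'Electric',
    'txtAccountNumber' => '12345',
    'txtDateAdded'     => '2014-02-01',
    'txtValueBalance'  => '123.45',
    'txtNotes'         => "Customer's note; it's fine with an apostrophe",
];

$pdo->beginTransaction();
try {
    updateRevExp($pdo, 7, $post);
    $pdo->commit();
} catch (Throwable $e) {
    $pdo->rollBack(); // nothing persists if the row-count check (or the statement) fails
    throw $e;
}
echo "row updated\n";
```

Wrapping the statement in a transaction is what turns the row-count check from a log message into a real guard: a run that would have rewritten every row is undone before anyone else can read it.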

Insert string values with apostrophe into MySQL table

I have read through some of the related questions but I still don't understand. So I decided to post a question here. I have a query like below
$query = "INSERT INTO Table (q1,q2,q3,q4....q25) VALUES ('".$_POST['Q1']."',
'".$_POST['Q2']."',
'".$_POST['Q3']."',
'".$_POST['Q4']."'.....)";
mysql_query($query);
The $_POST['Qx'] value is obtained from a survey where people are allowed to type in comments. Often people would type in words like "don't, can't, doesn't ...". The apostrophe will cause the problem when inserting the data into the table.
I have read through some articles suggesting the method of
mysql_real_escape_string($_POST['Q1'])
But I have 25 questions, some of them even have sub-questions.. so I have around 70 data to input to the table.
Is there any good method that I can adopt to be able to pass apostrophes into MySQL table?
edit: so I have around 70 data to input to the table.
70 is "nothing " for a for-loop ;-)
for($i=1; $i<71; $i++) {
    $params[$i] = mysql_real_escape_string($_POST['Q'.$i], $link);
}
But you might want to consider a redesign of your database tables.
You have to encode/escape the parameters. In case of the (deprecated) mysql extension that would be mysql_real_escape_string()
$link = mysql_connect(...);
...
$query = sprintf(
    "
    INSERT INTO
        Table
        (q1,q2,q3,q4....q25)
    VALUES
        ('%s','%s' ...)
    ",
    mysql_real_escape_string($_POST['Q1'], $link),
    mysql_real_escape_string($_POST['Q2'], $link)
    ...
);
mysql_query($query, $link) or die(mysql_error($link));
But better use a supported extension like mysqli or PDO.
And take a look at prepared statements.
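As an added example (not code from the question or either answer), here is the prepared-statement version the second answer points to, written for the asker's situation of many columns: the column list comes from a fixed allow-list in the code, the placeholder list is generated to match it, and all the answers are sent in a single execute() call, so no per-field escaping is needed however many fields there are. It assumes a PDO connection and columns q1..q25 as in the question; the table name survey_answers and the function name insertAnswers are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection and a
// table with columns q1..q25 matching the question. Table name, DSN and
// credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=survey;charset=utf8mb4', 'user_placeholder', 'password_placeholder', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Builds "INSERT INTO t (q1,...,qN) VALUES (?,...,?)" for a server-side list of
// columns. Identifiers come only from that list (never from the request), so
// interpolating them is safe; every answer value goes through a placeholder.
function insertAnswers(PDO $pdo, string $table, array $columns, array $post): int
{
    $values = [];
    foreach ($columns as $col) {
        // Raw text is stored: "don't" needs no escaping because the answer never
        // becomes part of the SQL string. A missing answer becomes SQL NULL.
        $values[] = $post[strtoupper($col)] ?? null;   // column q7 <- $_POST['Q7']
    }

    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_fill(0, count($columns), '?'))
    );

    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);            // positional binding of all N answers at once
    return (int) $pdo->lastInsertId();
}

// Constructed sample standing in for $_POST, with keys Q1..Q25 as in the question
// and the kind of text the asker is worried about.
$post = [];
for ($i = 1; $i <= 25; $i++) {
    $post["Q$i"] = "Answer $i: I don't think it's broken; \"quotes\", ; and -- all stay text";
}

$columns = array_map(fn ($i) => "q$i", range(1, 25));   // allow-list: q1..q25
$id = insertAnswers($pdo, 'survey_answers', $columns, $post);
echo "inserted row $id\n";
```

Extending this to the asker's 70 fields means extending the allow-list, not the escaping code; the sub-question columns are added to $columns and the matching keys are read from the posted form.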
