I want to grab a random sample of data out of my database using CakePHP. Here's my function:
function categories_list()
{
$this->paginate['limit'] = 6;
$this->paginate['order'] = '';
$this->paginate['conditions'] = '';
// Sort Randomly Start
if ($this->Session->check('Category.randomSeed'))
{
$seed = $this->Session->read('Category.randomSeed');
} else {
$seed = mt_rand();
$this->Session->write('Category.randomSeed', $seed);
}
$this->paginate['order'] = sprintf('RAND(%d)', $seed);
// Sort Randomly End
$this->set('cat_ajax_items', $this->paginate('Category'));
}
The problem is, the query that Cake sends to the DB always does this to the RAND() portion, sending MySQL into a hissy fit:
ORDER BY RAND(`1235123412341`)
Testing on a manual query, it works just fine, and returns a sample when it's formatted like this:
ORDER BY RAND(1235123412341)
Is there any way to get Cake to back off of the autoformatting? Anything I put into that RAND() function gets dumped into string quotes.
Anything I put into that RAND() function gets dumped into string quotes.
No, this isn't correct. If it used string quotes then it would work fine, however backticks aren't string quotes. The problem is that CakePHP is quoting the number as if it were a column name. Try quoting the value using single quotes instead:
"RAND('%d')"
This should result in the following SQL being produced:
ORDER BY RAND('1235123412341')
This gives the same result as when you don't include the quotes.
many applications and frameworks try to use a so called smart determination of the type of variable before they insert them into a database
however, many of these also fail with integers and strings :)
because of PHP's automatic typecasting, you can do a following check: is_int('01234') and that would return TRUE - but that actually is not true - the "number" is actually a string, starting with 0 - and so it should be handled (unless manually converted into an integet before, if that's what it should be)
you will need to adjust CakePHP's database class where it checks for data types
I'm not familiar with CakePHP, but CodeIgniter did use a following check in its escape() function:
if (is_string($str))
... which I've changed to:
if (is_string($str) && (mb_strlen((int) $str) != strlen($str)))
... and now it all works :)
P.S.: I've tried using (int) $str === $str, however that always yielded incorrect result
Related
i want to query something from mysql database and put condition that check equality between a value in the table but after round it and other value also after round it how to do this
in php codeigniter ,plz help
i put this instruction put it didn't work
$t=round($latitude,4);
$t1=round($longitude,4);
$this->db->select('place_name');
$this->db->from('place');
$this->db->where(round(`Latitude`,4), $t);
$this->db->where(round(`Longitude`,4),$t1);
$q = $this->db->get();
You need to quote the round call, because right now you're trying to execute a PHP round() function, not the SQL one:
$this->db->where('round(`Latitude`,4)', $t);
^-- ^--
quoting it turns the whole thing into a string, which gets passed into the DB.
In zend framework 1, we had used mysql rand() function like below or using zend_db_expr(). I have tried this in ZF2, but this is not working. Somebody please help me to use this in Zend Framework 2
$select = $this->db()->select()
->from('TABLE')
->order('RAND()');
Thanks,
Looking at the API it appears that the order function accepts a string or array of parameters order(string | array $order). My first thought was to use a key/val array. However, as I look at the actual code of the Db\Sql\Select, the string or array that you are passing gets quoted (see here). Assuming that your Db platform is Mysql, this is the function that quotes the fields (see here). It appears to iterate through each of the fields, and add these quotes, rendering your rand() function a useless string.
Getting to the point, the solution is up to you, but it does not appear that you can do it the way you want with this current version of ZF2.
You will need to extend the Db\Sql\Select class, OR extend the Db\Adapter\Platform\Mysql class, OR change the code in these classes, OR execute your query as a full select statement, OR change up your logic.
By changing up your logic I mean, for example, if your table has an Integer primary key, then first select the MAX(id) from the table. Then, choose your random numbers in PHP prior to executing your query like $ids[] = rand(1, $max) for as many results as you need back. Then your sql logic would look like SELECT * FROM table WHERE id IN(453, 234, 987, 12, 999). Same result, just different logic. Mysql's rand() is very "expensive" anyways.
Hope this helps!
Here you can use \Zend\Db\Sql\Expression. Example function from ModelTable:
public function getRandUsers($limit = 1){
$limit = (int)$limit;
$resultSet = $this->tableGateway->select(function(Select $select) use ($limit){
$select->where(array('role' => array(6,7), 'status' => 1));
$rand = new \Zend\Db\Sql\Expression('RAND()');
$select->order($rand);
$select->limit($limit);
//echo $select->getSqlString();
});
return $resultSet;
}
i am using mysqlclient,
in one of my query, as shown below
sprintf (query, "select user from pcloud_session where id = '%s'", sid);
here some time this sid is with % sign in it like the example
2Cq%yo4i-ZrizGGQGQ71eJQ0
but when there is this % this query always fail, i think i have to escape this %, but how ?
i tried with \ and %% , but both of this not working, please help me here
UPDATE:
When using session.hash_bits_per_character = 6, in php session ,the default charset contains a character (comma) that will always be urlencoded(here it is %2C). This results in cookie values having this %2C in it, but session db having a comma instead of it. any idea about fixing this problem ?.. sorry for the confusion
Thanks
There's no need to escape a literal '%' in MySQL query text.
When you say the query "always fail", is it the call to the mysql_query function that is returning an error? Does it return a SQL Exception code, or is it just not returning the resultset (row) you expect?
For debugging, I suggest you echo out the contents of the query string, after the call to sprintf. We'd expect the contents of the string to be:
select user from pcloud_session where id = '2Cq%yo4i-ZrizGGQGQ71eJQ0'
And I don't see anything wrong with that SQL construct (assuming the id column exists in pcloud_session and is of character datatype. Even if id was defined as an integer type, that statement wouldn't normally throw an exception, the string literal would just be interpreted as integer value of 2.)
There should be no problem including a '%' literal into the target format of an sprintf. And there should be no problem including a '%' literal within MySQL query text.
(I'm assuming, of course, that sid is populated by a call to mysql_real_escape_string function.)
Again, I suggest you echo out the contents of query, following the call to sprintf. I also suggest you ensure that no other code is mucking with the contents of that string, and that is the actual string being passed as an argument to mysql_query function. (If you are using the mysql_real_query function, then make sure you are passing the correct length.)
UPDATE
Oxi said: "It does not return a SQL Exception code, it just does not return the result[set] I expect. I did print the query, it prints with % in it."
#Oxi
Here's a whole bunch of questions that might help you track down the problem.
Have you run a test of that query text from the mysql command line client, and does that return the row(s) you expect?
Is that id column defined as VARCHAR (or CHAR) with a length of (at least) 24 characters? Is the collation on the column set as case insensitive, or is it case sensitive?
show create table pcloud_session ;
(I don't see any characters in there that would cause a problem with characterset translation, although that could be a source of a problem, if your application is not matching the database charactarset encoding.)
Have you tested queries using a LIKE predicate against that id column?
SELECT id, user FROM pcloud_session WHERE id LIKE '2Cq\%yo4i-%' ESCAPE '\\'
ORDER BY id LIMIT 10 ;
SELECT id, user FROM pcloud_session WHERE id LIKE '2Cq%'
ORDER BY id LIMIT 10 ;
Are you getting no rows returned when you expect one row? Are you getting too many rows returned, or are you getting a different row than the one you expect?
That is an oddball value for an id column. At first, it looks almost as if the value is represented in a base-64 encoding, but it's not any standard encoding, since it includes the '%' and the '-' characters.
If you're going to do this in C without an interface library, you must use mysql_real_escape_string to do proper SQL escaping.
There shouldn't be anything intrinsically wrong with using '%inside of a string, though, as the only context in which it has meaning is either directly inprintftype functions or as an argument toLIKE` inside of MySQL.
This proves to be really annoying, but it's absolutely necessary. It's going to make your code a lot more complicated which is why using low-level MySQL in C is usually a bad idea. The C++ wrapper will give you a lot more support.
You really shouldn't escape the string yourself. The safest option is to let the MySQL API handle it for you.
For a string of maximum length n, start by allocating a string of length 2*n+1:
int sidLength = strlen(sid);
// worst-case, we need to escape every character, plus a byte for the ASCIIZ
int maxSafeSidLength = sidLength * 2 + 1;
char *safeSid = malloc(maxSafeSidLength);
// copy "sid" to "safeSid", escaping as appropriate
mysql_real_escape_string(mysql, safeSid, sid, sidLength);
// build the query
// ...
free(safeSid);
There's a longer example at the mysql_real_escape_string page on dev.mysql.com, in which they build the entire query string, but the above approach should work for supplying safeSid to sprintf.
I just discovered this, I use MySQL as my database.
When i do something like:
$query = $this->db->where('id', '6rubbish')->get('posts', 1);
it generates and executes this SQL:
SELECT *
FROM (`posts`)
WHERE `id` = '6rubbish'
LIMIT 1
The surprising thing is that it actually fetches the post with the ID 6.
I find this very vulnerable in same cases because i'm trying to exactly match the ID, not to do a LIKE query.
Any ideas?
Yes.
Read Type Conversion in Expression Evaluation
Use intval() PHP function to extract the integer part of the variable
Or use is_int to exclude any variable that is not a pure integer
But the origin of the problem is that your query generator library doesn't understand the variable types, PHP being a dynamic typed language doesn't help too.
I don't know what library you're using, maybe there is an option to tell that you're passing an int? It should protect you from SQL injection, I hope, try with:
$query = $this->db->where('id', "don't")->get('posts', 1);
and see if the generated SQL has the single quoted escaped (doubled or preceded by backslash).
That is because SELECT 6 = '6rubbish' will give you true, and your id is number type.
Your id field is, no doubt, a numeric data type.
When MySQL evaluates expressions, it converts operands to compatible types (see docs).
'6rubbish' (a string) gets converted to 6 (a number) and, hence, you get a match.
I want to generate a random string of about 5 characters long. I can create it ok, but I'm having trouble checking if it exists in an array (or database in real situation) and creating a new one if it does.
I use a function like this to generate the string:
function rand_string(){
return substr(md5(microtime()), 0, 5);
}
But them I'm lost.
I need to check if it exists already.
If it does, make a new one
And repeat
Try this:
function rand_string(){
$str = substr(md5(microtime()), 0, 5);
if(exists_in_db($str)) $str = rand_string();
return $str;
}
Just a warning that if you are using this to generate a unique string by adding it to the database once you've determined it's not been used then this is not safe in a concurrent environment.
In the interval between you checking it's not in the database, and adding a record containing it later on another thread could do the same...
If you are using it this way, probably the safest approach is to ensure that the field containing the string has a unique constraint on it and try to add it. If you suceeded in adding it then you know it was unique, if you didn't then it wasn't. And this is safe to do in a multithreaded environment.
If you are simply checking against a static list of strings and do not intend to add the generated string to the database then ignore this post :P
To check if it's in the DB run a query after.
$unique=FALSE;
while(!$unique)
{
$str = substr(md5(microtime()), 0, 5);
//Insert SQL Code to check if used here
if($row['ID']=='')
$unique=TRUE;
}
on a database you could..:
select substr(newid(),1,5) as name
for a new string and to check..:
select count(*) as cnt from yourtable where yourcolumn = __GENERATED_string__
build a while around it and you'Re done
With the mysql_query(), use a select statement to see if you return any results (i.e., "Select * from table where col1 = 'String'". Then test to see if any rows were returned. Loop through these calls until you have a truly random, unused value.