Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
Could anyone give me examples of how to use parameterized queries with MySQL/PHP please?
A parameterized query is essentially a query which abstracts away all the input. This has several good side effects, like making all input harmless (ie. no harmful injections are possible) and making it faster when used repeatedly, since it is pre-parsed and compiled, so the engine knows how to apply the input given. An example in pure mysql is:
PREPARE qry FROM "INSERT INTO tbl VALUES (?)";
The statement is now compiled and cached, and can be executed repeatedly without needing to recompile and interpret it:
SET #var = "some input";
EXECUTE qry USING #var;
SET #var = "some other input";
EXECUTE qry USING #var;
When used in PHP, it's usually like this (shortened):
$stmt = prepare('INSERT INTO tbl VALUES(?)');
execute($stmt, array("some input"));
execute($stmt, array("some other input"));
execute($stmt, array("some more input"));
PREPARE stmt_name FROM "SELECT name FROM Country WHERE code = ?";
SET #test_parm = "FIN";
EXECUTE stmt_name USING #test_parm;
Source: MySQL Dev: Prepared Statements
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
Is it safe to use this code ?
$check = mysql_query("SELECT id FROM table WHERE nick='asd'");
$count = mysql_num_rows($check);
I just need number of rows. id is AUTO_INCREMENT
If 'asd' is a constant and not related to any (user) input, then yes it is safe.
Otherwise you should replace it with bind a variable and use prepared statements or at least escape it properly. (But it is easy to forget escaping, so it is a better practice to try to use bind variables instead.)
NO. Absolutely not.
First of all, read up on MySQLi. The i stands for improved. Secondly, use prepared statements. This prevents injection. Read up on that here.
$db = new mysqli("localhost", "DATABASE-NAME", "DATABASE-USER", "DATABASE-PASS");
$check = $db->prepare("SELECT `id` FROM `table` WHERE `nick` = ?");
$check->bind_param('s', $nickVar);
$check->execute();
Don't take the easy way out. Keep doing things safe until it comes naturally. I used to be all about quick hacks, quickly get it to work, quickly write some things down, but in the end, it's best to get used to good practice.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
Just wondering if it's possible to run a INSERT INTO sql command through an if statement?
I've got a few test groups that contain test members and I want to add the group id to a db table if the group_id equals 3. I'm unsure how the INSERT INTO sql would be written.
I'm currently passing the group_id number into a variable called $groupIDResult.
The only code I have currently got is:
if ($groupIDResult[0] == 3) {}
Just wondering if it's possible to run a INSERT INTO sql command
through an if statement?
Yes. An if statement is just a condition that checks criteria you set such as whether $groupIDResult[0] is equal to 3. So just do this and all is good:
if ($groupIDResult[0] == 3) {
// INSERT INTO query & related PHP logic to run that query goes here.
}
But you state:
I'm unsure how the INSERT INTO sql would be written.
So what is the real question? Is it about a SQL query or an if condition? Because you are on the right track but it’s unclear why you are having problems.
The insert statement would go in your curly braces and would be of the form
INSERT INTO table_name(column_name) VALUES(your_value)
Consult the PHP manual or the manuals for any framework you're using for specific syntax.
W3Schools.com also has some intro to SQL material you may find useful.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Improve this question
I want to select the user from my database using email or username, my code is:
$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."'') AND `Password`='".$Password."'";
My Code Worked
Code:
$sql = "SELECT * FROM users WHERE (Email = '$User' or Username ='$User') AND Password='$Password'";
Note: I would have posted this in a comment (believe me), because the comment box doesn't show backticks properly (I know there's a trick to it, but I don't know it, yet.)
Use this:
$sql = "SELECT * FROM `users`
WHERE (`Email`='".$User."' OR `Username`='".$User."')
AND `Password`='".$Password."'";
You had one too many quotes in '".$User."''
$sql = "SELECT * FROM `users`
WHERE (`Email`='".$User."' OR `Username`='".$User."'')
----^
AND `Password`='".$Password."'";
And do consider reading this article on how to prevent injection.
Footnote: And if by the slightest chance that you would be using the now-deprecated mysql_* functions, STOP and start using mysqli_* functions with prepared statements and/or PDO.
Try this :
$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."') AND `Password`='".$Password."'";
There was an extra quote after $user variable.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I am a beginner with MySQL. I have this code and I would like an explanation on how the function knows which database to use since $conn and $db are defined?
$conn = mysql_connect("localhost","primeb5_mysql","***");
$db = mysql_select_db("primeb5_unigis");
$query = "SELECT * FROM lesson3";
$result = mysql_query($query);"
From PHP manual:
http://php.net/manual/en/function.mysql-query.php
The MySQL connection. If the link identifier is not specified, the
last link opened by mysql_connect() is assumed.
So, In case you don't specify the connection (second parameter) to the mysql_query() function, the last one is used.
On the side note, I'd like to notify you, that mysql_* functions have been deprecated in PHP 5.5.0. Do not use them, because if you do, your site might stop working soon.
mysql is deprecated use mysqli or PDO instead
You don't have to use an PHP function to select your database
just use this
mysqli_query("SELECT * FROM primeb5_unigis.lesson3");
or join example between multiple databases after ON missing...
mysqli_query("SELECT * FROM database1.table1 INNER JOIN database2.table2 ON ...");
edit
i think topicstarter means connection to database but i leave the answer could be helpfull
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I've just completed my first prepared statement, converted to using them for security reasons. I've tested it and it works however I am looking for feedback (constructive criticism welcomed) regarding the code itself although I understand it 's fairly basic. Also, I have a few queries:
Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?
Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?
Is using mysqli_stmt_close necessary? Am I correct saying that without using this function I will not be able to create another prepared statement within that script?
Here is my code:
<?php
//prepared statement example
include 'database.php';
$query = "SELECT ID FROM users WHERE email = ?";
$email = 'myemail#gmail.com';
$statement = mysqli_stmt_init($connect);
mysqli_stmt_prepare($statement, $query);
mysqli_stmt_bind_param($statement, 's', $email);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $id);
mysqli_stmt_fetch($statement);
echo $id;
?>
Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?
Yes. It's bad sign you're asking it - means you don't clearly understand how does all that mess works.
Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?
Yes. But here are bad news: is is not always supported. So, on some installations it won't work.
Is using mysqli_stmt_close necessary? Am I correct saying that without using this function I will not be able to create another prepared statement within that script?
Why, no.
You can simply recreate another prepared statement into this variable.
BTW, it'd strongly recommentd to use PDO over mysqli. It's way more consistent and user-friendly.
Just try to bind an array for use in IN() operator and see.
After all, it takes 2 times less code:
$stm = $pdo->prepare($query);
$stm->execute(array($email));
$id = $stm->fetchColumn();