I'm having a problem echoing a single line from a sql query. I'm still pretty new at this but I can't figure it out at all.
I have a page titled "listing.php?id=7"
Inside the page is this script:
<?php
mysql_connect("localhost", "user", "pass");
mysql_select_db("table");
$query = "SELECT * FROM vehicles WHERE id='$id'";
$result = mysql_query($query);
while($r = mysql_fetch_array($result))
{
$year = $r["year"];
$make = $r["make"];
$model = $r["model"];
$miles = $r["miles"];
$pricepay = $r["pricepay"];
$pricecash = $r["pricecash"];
$transmission = $r["transmission"];
$color = $r["color"];
$vin = $r["vin"];
echo "$year $make $model $miles $pricepay $pricecash $transmission $color $vin<br />";
}
?>
The problem lies within "WHERE id='$id'". When I use a var, it displays nothing, but if I manually make it my ID number, example 7, it works fine. What's am I doing wrong?
if
SELECT * FROM vehicles WHERE id=7
works but
SELECT * FROM vehicles WHERE id='$id'
doesn't work
then get ride of the quotes around $id
So
SELECT * FROM vehicles WHERE id=$id
The quotes are turing $id into a string comparison - which won't work if the column type is integer.
Even better, use PDO. Create the connection:
$db = new PDO("mysql:host=localhost;dbname=someDBname", 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
but do it in just one script, preferably in a singleton or somesuch. This has many advantages, including placing all database passwords in one file (which is easier to secure) and reducing the possibility of typos in the hostname, database name, username or password causing the connection to fail. Use it as:
try {
$query = $db->prepare(
"SELECT year, make, model, miles, pricepay,
pricecash, transmission, color, vin
FROM vehicles WHERE id=?"
);
$query->execute(array($_REQUEST['id']));
while ($row = $query->fetch(PDO::FETCH_NUM)) {
echo implode(', ', $row);
}
} catch (PDOException $exc) {
echo "Query failed.";
}
This uses a prepared query, which is not vulnerable to SQL injection. It also does away with "or die".
In case you haven't seen singletons, here's an example:
class DB {
private static $db;
static function open() {
if (! isset(self::$db) ) {
self::$db = new PDO('mysql:host=hostName,dbname=dbName', 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
return self::$db;
}
}
Then, whenever you need a connection, just call DB::open(). If you need to connect to multiple hosts, store PDOs in an associative array within DB, rather than DB::$db. In this case, you could put the connection information in the DB script, or put it in a separate configuration file that DB parses.
Take your original code and add this line before the query:
$id = (int)$_GET['id']; // Sanitize Integer Input
And change your query as others suggested to remove the quotes:
$query = "SELECT * FROM vehicles WHERE id=$id";
I am assuming your id is a normal mysql auto_increment which starts at 1. That means if `$_GET['id'] is anything but a number, it will come back as 0 and thus not match anything in the database.
$query = sprintf("SELECT * FROM vehicles WHERE id=%d", mysql_real_escape_string($_GET['id']));
$result = mysql_query($query);
I hope you don't have register globals on which means you should use $_GET['id'];
You can't put quotes around the id field if it's an int in your table
Use mysql_real_escape_string to prevent sql injection
Related
I have a query:
//Connect to DB w/ PDO
$pdo = new PDO("mysql:host=$host;dbname=$db", $user, $pass);
$id = $_GET["id"];
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = ?", PDO::FETCH_ASSOC);
$stmt->bindParam(1, $id);
try{
$stmt->execute();
}catch(PDOException $err){
//some logging function
}
while($result=$stmt->fetch(PDO::FETCH_ASSOC)){
//select column by key and use
$FirstName = $result['Name'];
}
?>
This is the output:
object(PDOStatement)#2 (1) { ["queryString"]=> string(44) "SELECT * FROM nv_hoa WHERE id = 0100782019-8" }
The ID is being filled from the $id variable.
while ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
$Name = $row['Name'];
But when try to get
$Name = row['Name'];
I get UNDEFINED VARIABLE: FIRSTNAME
When I run:
<?php var_dump($stmt) ?>
I get this:
object(PDOStatement)#2 (1) { ["queryString"]=> string(44) "SELECT * FROM nv_hoa WHERE id = 0100782019-8" }
What am I doing wrong here? It works in another file.
But ID WILL NOT work here even know it's in the query field.
I can see you are fairly new to PHP and PDO.
You have created a script that is vulnerable to SQL-injection,so we will fix that to.
It is important to understand what pdo is doing in order to understand what is going wrong. It will also make you understand the security problem you have created for yourself.
PDO makes it posible for the programmer to "compile" the SQL query before passing it the parameters and execute it.
This has some benefits, mainly it is faster when you want to execute the same query multiple times(with different parameters) and it is much more secure.
Lets take your query as an example:
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = $id");
If I would manage to change the contents of $id to something like:
$id="1; SELECT * FROM users;"
The query you would execute would become:
SELECT * FROM nv_hoa WHERE id =1; SELECT * FROM users;
Which would result in you listing every user and password in the user table.
This is a very well know and one of the most dangerous attacks out there.
To counter this, we can use PDO's pre-compiled queries (a.k.a prepared statements)
Instead of:
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = $id");
Now use:
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = ?");
Pdo now compiled your query within the $stmt object.
So now you can execute this query (as many times as you want) using the parameters you prefer.
$stmt->execute([$id]);
This executes the compilled query with the $id parameter. If the $id parameter contains SQL code, it will not become part of the query as you have already compiled the query, as so an SQL-Injection attack becomes near to impossible.
Now that your query is executed, you can fetch the results like:
while($row=$stmt->fetch()){
...
}
So in order to make your code work:
//PDO DB Connect to Fetch & Make into Vars from table nv_hoa
try {
//Connect to DB w/ PDO
$pdo = new PDO("mysql:host=$host;dbname=$db", $user, $pass);
$id = $_GET["id"];
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = ?");
$stmt->execute([$id]);
while ($row = $stmt->fetch())
{
$Name = $row['Name'];
}
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
Please do yourself(and others) a favor and research/learn a bit more before posting, you are making class-book mistakes that have been discussed and explained multiple times on pretty much every medium (including stackoverflow).
I solved the issue of a bool(false) output from a query even though the query dump had the ID.
Here is the fix.
The output of
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = ?", PDO::FETCH_ASSOC);
was
object(PDOStatement)#2 (1) { ["queryString"]=> string(44) "SELECT * FROM nv_hoa WHERE id = 0100782019-8" }
Which showed the ID was being passed properly. But the ID contained a special character '-' which caused the $stmt->execute([$id]); to break the page because $id was empty.
This was fixed as follows with single quotes.
$stmt = $pdo->query("SELECT * FROM nv_hoa WHERE id = '$id'");
$stmt->bindParam(1, $id);
$stmt->execute();
I have found HUNDREDS of posts about this topic and this solves it. If you varaible has special chacters in a PDO statement you need to do this id = '$id'"
<?php
try
{
global $db;
$user = 'postgres';
$password = '*****'; //For security
$db = new PDO('pgsql:host=localhost;dbname=dnd', $user, $password);
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
}
catch (PDOException $ex)
{
echo 'ERROR!!: ' . $ex->getMessage();
die();
}
$table = htmlspecialchars($_REQUEST['table']);
$idNum = htmlspecialchars($_REQUEST['id']);
try {
//$query = "SELECT * FROM $table WHERE id = $idNum"; This works
//$query = "SELECT * FROM $table WHERE id = :number"; This works
$query = "SELECT * FROM :tableName WHERE id = :number";
$statement = $db->prepare($query);
$statement->bindValue(":tableName", $table, PDO::PARAM_STR);
$statement->bindValue(":number", $idNum, PDO::PARAM_INT);
$statement->execute();
$info = $statement->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $excep) {
echo "Opps: " . $excep->getMessage();
die();
}
Okay I'm going crazy here trying to get this to work.
I have a database set up that I need to query from. I receive the query from an AJAX request with the name of the table I want and the id for the item. When I try to query with both variables, the binding does not occur in the prepared statement and instead I get this error code
Opps: SQLSTATE[42601]: Syntax error: 7 ERROR: syntax error at or near "$1" LINE 1: SELECT * FROM $1 WHERE id = 1 ^
When I have just the straight PHP variables it works fine so I know it can work, but when I want to bind multiple it seems to fail and give a variable number as above.
I can also get it to work if I simply have one of the variables bound, such as the second commented out query in the code - this only works tho if I have the variable I want at the end and not if I wanted to lookup the table spot. (I.E.
$query = "SELECT * FROM :tableName WHERE id = $idNum"; does not work)
I need to cleanse the variables to prevent SQL injection, but I can't do that without binding the variables in a prepared statement. Any help would be appreciated!
According to the PHP manual you can't bind a tablename. As you mentioned it, you can replace it by a variable, but you can't replace it with a placeholder.
So the only solution that will work for you is the query you have above:
$query = "SELECT * FROM $table WHERE id = :number"
This will be what you're looking for. If you want to make it safe for injection, you have to find another way. (Regex for example).
Ref: http://us3.php.net/manual/en/book.pdo.php#69304
So I am new to php and I am trying to check if a mysql table contains a variable which is set when a user does a search. If the table contains the variable (it's a string) then I want to be able to do different things depending on its existence.
I should also note that I am a novice with php development!
This is what I have so far;
$db = new mysqli('IP', 'username', 'password', 'database');
$result = $db->query("SELECT * FROM tablename WHERE ColumnName = $searchVar");
if(empty($result)){
//No result Found
}else{
//Found result
}
You need to place single quotes around $searchVar in the query.
$result = $db->query("SELECT * FROM tablename WHERE ColumnName = '$searchVar'");
Then, you must fetch the results of the query.
$result = $result->fetch_row();
Okay so your current query failed because your SQL string wasn't in quotes. It also could have failed once inputted into quotes if your PHP string had a single quote in it. This is how SQL injections occur, user input should never be passed directly into a SQL query. To separate these tasks there are prepared/parameterized queries.
Here's code I think should work for you but this is untested, based off manuals.
$db = new mysqli('IP', 'username', 'password', 'database');
$stmt = $db->prepare('SELECT * FROM tablename WHERE ColumnName = ?');
$stmt->bind_param('s', $searchVar);
$stmt->execute();
if($stmt->num_rows > 0) {
echo 'there are results';
} else {
echo 'there are no results';
}
Link to thread on preventing injections: How can I prevent SQL injection in PHP?
I am using nested queries to retrieve information from multiple tables. I need advice on optimizing this php code.
This function creates an object.
public function conn($query){
$mysqli = new mysqli('test','test','test','test');
$result = $mysqli->query("SET NAMES utf8");
$result = $mysqli->query("set character_set_client='utf8'");
$result = $mysqli->query("set collation_connection='utf8_general_ci'");
$result = $mysqli->query($query);
$mysqli->close();
return $result;
}
This code uses that function.
$connect = $this->conn("SELECT * FROM Table LIMIT 100000");
while($i = $connect->fetch_assoc()){
$name = $i["name"];
$connect2 = $this->conn("SELECT * FROM Names WHERE Name = '$name'");
if($connect2 ->num_rows > 0){
echo $name.'<br>';
}
}
Need recommendations for a connection to the database.
In the while loop, as you see, I am checking for the presence of $name in other table. But I am opening and closing a connection every time through the loop. And this will be 100001 connection opens and closes.
Is it possible to open a connection to the database only once?
P.S.: The SQL is an example - Please don't suggest changes there, because I am trying to figure out how to handle the repeated queries, not optimize the SQL.
Connection objects are reusable. Make a connection, then use it to make as many queries as you want. Close each query (that is, each result set) when you're done with it, then close the connection at the end of the run.
Closing a connection is a network operation, so it takes a while. Closing a query is mostly an in-memory operation, so it is faster.
In your example, you're using nested queries (more on that in a moment). Your code should end up looking something like this pseudocode:
public function getconn(){
$mysqli = new mysqli('test','test','test','test');
$mysqli->query("SET NAMES utf8");
$mysqli->query("set character_set_client='utf8'");
$mysqli->query("set collation_connection='utf8_general_ci'");
return $mysqli; /* return the connection handle */
}
$conn1 = getconn();
$conn2 = getconn();
$resultset1 = $conn1->query("SELECT * FROM Table LIMIT 100000");
while($i = $resultset1->fetch_assoc()){
$name = $i["name"];
$resultset2 = $conn2->query("SELECT * FROM Names WHERE Name = '$name'");
if($resultset2->num_rows > 0){
echo $name.'<br>';
}
$resultset2->close();
}
$resultset1->close();
$conn1->close();
$conn2->close();
(Please note; I haven't debugged this code.)
To take this optimization one step further, you should consider using a prepared statement for the query inside the while loop. Here's documentation on that http://php.net/manual/en/mysqli-stmt.fetch.php.
$conn1 = getconn();
$conn2 = getconn();
/* create a prepared statement with placeholder parameter ? */
$stmt = $mysqli->prepare("SELECT * FROM Name WHERE Name = ?"));
$name = '';
$name_out = '';
$stmt->bind_param("s", $name);
$stmt->bind_result($name_out);
$resultset1 = $conn1->query("SELECT * FROM Table LIMIT 100000");
while($i = $resultset1->fetch_assoc()){
$name = $i["name"];
$resultset2 = $stmt->execute(); /* run query with bound parameter */
if ($stmt_fetch() ( {
echo $name.'<br>';
}
$resultset2->close();
}
$resultset1->close();
$conn1->close();
$conn2->close();
(Please note; I haven't debugged this code either.)
Now, it's possible your pair of queries are just an example to show a set of nested queries. If so, that's fine. But, you are performing this task (retrieve 100K names) in an almost unimaginably inefficient way. You've said you don't want anybody to rewrite this query, but I am sorry, I can't just let this one pass.
This code would do a far more streamlined job.
$conn = getconn();
$q = "SELECT t.name FROM Table t JOIN Name n ON t.name = n.name LIMIT 100000";
$resultset = $conn->query($q);
while($i = $resultset->fetch_assoc()){
$name = $i["name"];
echo $name.'<br>';
}
$resultset->close();
$conn->close();
It's more efficient for two reasons. First, it doesn't use SELECT *, which ends up sending all sorts of data over the network from your MySQL server to your php program, just to throw it away.
Second, it doesn't use the nested queries. Instead, the JOIN query pulls all the name columns from Table that have a matching name column in Names.
I have a database table and i am updating the table columns this way.
$mysqli = new mysqli('localhost', 'root', '', 'db');
if (mysqli_connect_errno()) {
echo 'failed to connect to db.. <br>' . mysqli_connect_errno();
return 'error';
}
$username = $data['username'];
$data['image'] = $this->replace_whitespace($data['image']);
foreach($data as $key=>$value){
$this->query = "UPDATE users SET $key=? WHERE username='$username'";
$this->statement = $mysqli->prepare($this->query);
if($this->statement){
$this->statement->bind_param('s', $value);
$this->statement->execute();
$this->statement->close();
}
}
Is it possible to update more than one table columns in one go. I tried this but in-vain.
$this->query = "UPDATE users SET col1=?, col2=?, col3=? WHERE username='$username'";
$this->statement = $mysqli->prepare($this->query);
if($this->statement){
$this->statement->bind_param('sss', $value1, $value2, $value3);
$this->statement->execute();
$this->statement->close();
}
Is there a better way doing this?
$mysqli = new mysqli('localhost', 'root', '', 'db');
if (mysqli_connect_errno()) {
echo 'failed to connect to db.. <br>' . mysqli_connect_errno();
return 'error';
}
$username = $data['username'];
$this->query = "UPDATE users SET fname=?, lname=?, email=?, tpin=?, image=?, address=? country=?, city=?, state=?, postal=? WHERE username='$username'";
$this->statement = $mysqli->prepare($this->query);
if ($this->statement) {
$this->statement->bind_param('ssssssssss', $data['fname'],$data['lname'],$data['email'],$data['tpin'], $data['file'], $data['address'],$data['country'],$data['city'],$data['state'], $data['post_code']);
$this->statement->execute();
$this->statement->close();
}
This is my real code.
Remove the "," after col3=?
This will fix the syntax error
$this->query = "UPDATE users SET col1=?, col2=?, col3=?, WHERE username='$username'";
You have an extra comma, meaning your SQL is reading "WHERE" as another column and everything gets messed up.
$this->query = "UPDATE users SET col1=?, col2=?, col3=? WHERE username='$username'";
Should work fine.
In response to the comment below, this is the correct way of going about it, so it must be a faulty variable somewhere, what error messages are you getting? (If any)
It could also be that one of the parameters you are binding is not a string. Regardless, we'd need a more in-depth example.
Is it possible to update more than one table columns in one go
Yes. Actually, updating many fields in one query is a very core feature of any DBMS. You can always expect it to be supported.
I tried this but in-vain.
Well, you have to try more, like we all do. After all, it's your job.
Two notes regarding your "real" code:
You have to bind ALL variables in the query, not only some of them
you have to configure mysqli to report errors:
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
I assume it works the same way as putting new values into the database.
Update a row mysql in php