What is the best way to save a URL or symbols into a MYSQL database.
I'v seen this being used "{$htmlOutputArray[1]}"
and then else where this "$htmlOutputArray[1]"
and some other places do what i'v done below... but which is the best?
So far I have: (example code)
$html = "034251\nhttp://stackoverflow.com/questions/ask"
$htmlOutputArray = explode("\n", "$html");
$htmlOutput = $htmlOutputArray[0];
$postIDOutput = $htmlOutputArray[1];
$con = mysql_connect('localhost', 'user', 'pass') or die('Could not connect: ' . mysql_error());
#echo 'Connected successfully';
mysql_select_db("dbName", $con);
mysql_query("UPDATE tableName SET PostidINT='$postIDOutput', URLofPostTXT='$htmlOutput' WHERE id='$unID'");
mysql_close($con);
First of all you should look into the dangers of SQL injection and how you can prevent it.
Here's both a way you can do this and the safer version.
mysql_select_db("dbName", $con);
$sql = sprintf("UPDATE tableName SET PostidINT=%d, URLofPostTXT='%s' WHERE id=%d",
mysql_real_escape_string($htmlOutputArray[1]),
mysql_real_escape_string($htmlOutputArray[0]),
mysql_real_escape_string($unID));
mysql_query($sql);
mysql_close($con);
What mysql_real_escape_string() is doing is preventing unsafe characters from being entered into your database.
What sprintf() is doing is formatting your string, so for example, only numbers will be entered in the PostidINT and id variables.
I'd vote for prepared statements (and mysqli):
$connection = new mysqli("localhost", "user", "pass", "db");
$statement = $connection->prepare("UPDATE tableName SET PostidINT=?, URLofPostTXT=? WHERE id=?");
$statement->bind_param("i", $postIDOutput);
$statement->bind_param("s", $htmlOutput);
$statement->bind_param("i", $unID);
$statement->execute();
Related
BIt of a php/mysql noob here, hope someone can help.
Ok so i have a URL which has an id in the querystring like so: wwww.mysite.com/page1.php?id=1
What i want to do is connect to a table in the database and get the data from the columns on one row where the first column named ID equals the id number held in the querystring.
I then want to print the data from each column in different div's elsewhere on the page.
There's also the additional issue of what to do if there's no row in the table with the same id as the querystring, i'd want it to change the id in the querystring to 1 and load that rows data.
I had a little go, i know it connects ok but i have no idea if the rest is what i want:
<?php
$link = mysql_connect('Address', 'Database', 'Password');
if (!$link) {
die('Could not connect to MYSQL database: ' . mysql_error());
}
$per = $_GET['id'];
$query = "select A,B,C,D,E,F,G,H,I,J,K,L from table_name where per=".$_GET['ID']."";
echo $result['A'];
mysql_close($link);
?>
And then put this in the div's to print the data.
<?php echo $result['A']; ?>
Am i along the right lines or completely wrong?
$dbConnection = mysql_connect('Address', 'Database', 'Password');
if (!$dbConnection) {
die('Could not connect to MYSQL database: ' . mysql_error());
}
$per = $_GET['id'];
$query = $dbConnection->prepare("select A,B,C,D,E,F,G,H,I,J,K,L from table_name where per = ?");
$query->bind_param('s', $per);
$query->execute();
$result = $query->get_result();
<?php echo $result; ?>
use this code first to avoid SQL Injection second that's the way it should work in PHP first prepare the query second execute and only then show it.
Use mysql_query function in your code.
mysql_* functions is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used.
<?php
$link = mysql_connect('Address', 'Database', 'Password');
if (!$link) {
die('Could not connect to MYSQL database: ' . mysql_error());
}
$per = $_GET['id'];
$query = "select A,B,C,D,E,F,G,H,I,J,K,L from table_name where per=$per";
$result = mysql_query($query, $link) or die(mysql_error());
$row = mysql_fetch_assoc($result);
echo $row['A'];
mysql_close($link);
?>
I have a few string variables I am trying to insert them into my DB but I am having trouble because nothing is being inserted into the DB. I know the variables are populated. Since all variables are string I'm converting some of them to integers because those fields in the db table are type integer. I tried assigning the mysql_query to a variable and then check to return an error but it didn't display anything. I'm a bit new at PHP so I'm not sure what's wrong with my code below. I appreciate the help.
$connect = mysql_connect("localhost", "user", "pass");
if (!$connect) { die("Could not connect: ". mysql_error()); }
mysql_select_db("dbname");
mysql_query($connect,"INSERT INTO table1 (id, AU, TI, JO, VL, ISS, PB, SN, UR, DO, SP, EP, PY) VALUES ('NULL', '".$authors."', '".$title."', '".$journal."', '".(int)$volume."', '".(int)$issue."', '".$publisher."', '".$serial."', '".$url."', '".$doi."', '".(int)$startpage."', '".(int)$endpage."', '".(int)$year."')");
mysql_close($connect);
Try to debug your code, adding some more useful checks.
$link = mysql_connect("localhost", "user", "pass");
if (!$link) {
die("Could not connect: ". mysql_error());
}
$dbSelected = mysql_select_db("dbname", $link);
if (!$dbSelected) {
die ("Can't select db: " . mysql_error());
}
$result = mysql_query("YOUR_QUERY", $link);
if (!$result) {
die("Invalid query: " . mysql_error());
}
ps: you may want to use mysqly::query, just because mysql_query is deprecated
ps2: you should google about SQL Injection, since your statement doesn't look secure (unless those values are escaped somewhere)
NOTE: I just noticed that you are using a wrong order for the parameters on mysql_query($query, $link). You have put $link as first parameter.
I'm trying to update a record in my database using the code below. I'm trying to change the product name but I am getting the following error:
Could not update data: Unknown column 'Earrings' in 'field list'
Code:
<?php
if(isset($_POST['update']))
{
$dbhost = 'databasehost';
$dbuser = 'username';
$dbpass = 'password';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
$ProductsID = $_POST['ProductsID'];
$ProductsName = $_POST['ProductsName'];
$sql = "UPDATE Products ".
"SET ProductsName = $ProductsName ".
"WHERE ProductsID = $ProductsID" ;
mysql_select_db('databasename');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not update data: ' . mysql_error());
}
echo "Updated data successfully\n";
mysql_close($conn);
}
else
{
?>
The query should be
$sql = "UPDATE Products ".
"SET ProductsName = '$ProductsName' ".
"WHERE ProductsID = $ProductsID" ;
You forgot to wrap $ProductName with quotations. Don't forget to do so when dealing with string values.
You want something like this:
ProductsName = '$ProductsName'
Also, be sure to escape that input, else you'll be subjected to SQL injections.
Your are trying to set the ProductsName to an existing column, add quotes to let sql interpret a value:
$sql = "UPDATE Products ".
"SET ProductsName = '$ProductsName' ".
"WHERE ProductsID = $ProductsID" ;
You are not sanitizing your data, so there is a good chance that your query could break depending on the value submitted, not to mention it leaves your database wide open for an attacker to manipulate via SQL Injection.
Please do not use mysql_ functions, as they are depricated. You should be using prepared statements, please see PDO and mysqli.
As for your answer, you need to put 'quotes' around the $variable
I am new for PHP5 OOP concept.
Please give some example source code for "How to insert data using oops concept?".I want to use pure php5 concept for this even in the connection.php page also.
I want to improve my knowledge. please any one help me....
I know below the basic concept
insert_db.php
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
connectio.php
<?php
// connect database code
$dbhost ='localhost';
$dbuser = 'tomking';
$dbpass = 'dsfds';
$dbname = 'mydb';
//connectivity of database
$conn = mysql_connect($dbhost,$dbuser,$dbpass) or die ('Error Connecting to mysql');
mysql_select_db($dbname);
?>
Use Mysqli or PDO for using sql queries instead of directly pass variables to query.
This will cause sql injection when you directly pass variable to query
If you want to pass variable to sql query , you have to use filters for this
filtering-escaping-post-data-from-injection-attacks
PDO Documentation
MySQLi Documentation
And this is all pure PHP5 concept.
$mysqli = new mysqli($hostname, $username, $password, $database_name);
if($mysqli->error)
die($mysqli->error);
$mysqli->query("SET NAMES 'UTF8'");
$query = "INSERT INTO my_table VALUES ('value_1', 'value_2')";
$mysqli->query($query);
if(!$mysql->error)
echo 'do something';
$query = "SELECT * FROM my_table";
$sql = $mysqli->query($query);
if($sql->num_rows > 0) {
while($row = $sql->fetch_assoc()) {
echo $row['field_1'];
}
}
$sql->close();
I have been able to manually insert values in my table using phpmyadmin, and even if i end up using the same php code i get from php my admin to call the query it STILL won't add the value to the table. here is the code:
<?php
$link = mysql_connect('localhost', 'username', 'password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_select_db('sc2broating1', $link);
$sql = "INSERT INTO `sc2broad_tesing1`.`Persons` (`re`) VALUES (\'hello11\')";
mysql_query($sql);
mysql_close($link);
?>
Don't escape value.
$sql = "INSERT INTO `sc2broad_tesing1`.`Persons` (`re`) VALUES ('hello11')";
I would also consider using bound parameters, as seen in mysqli::prepare, if Mysqli is an option.