Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I have a MySQL column with data looking like this,
I need to convert the column to the JSON format via convert(somecolumn,JSON). However, it seems that I first need to remove the escape symbols (e.g., \"). I did some search and found that mysql_real_escape_string will do the job (from this question).
But if I understand correctly, mysql_real_escape_string is a PHP command. Is there any native MySQL command that do similar thing as mysql_real_escape_string (something like convert(mysql_native_function(somecolumn),JSON))?
Use REPLACE. For harder things REGEXP_REPLACE.
SELECT REPLACE(somecolumn, '\"', '"')
SELECT REGEXP_REPLACE('"..."', '(^"|"$)', '')
The latter will unquote the entire string, as ^ is the start, and $ the end.
BTW I would actually correct all the data in the table once. (After a backup.)
The mysql library is old.. if you really need to use something like it - use mysqli
the mysql_real_escape_string is not as secure as you would think it to be, see this: https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l
That said you're much better off by not using any of them but using Php PDO and replacing something like:
$data = [
'name' => $name,
'surname' => $surname,
'sex' => $sex,
];
$sql = "INSERT INTO users (name, surname, sex) VALUES (:name, :surname, :sex)";
$stmt= $pdo->prepare($sql);
$stmt->execute($data);
it will take care of the 'escaping' problems for you.
more examples here: https://phpdelusions.net/pdo_examples/insert
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I have a database where i store my photos title, tags, and their path on sever some of the records have names like:
photo 1234.png. I need to make them like photo1234.png
Why can't I use a query like
UPDATE tblPhoto a
set a.photoLink = replace(a.photoLink , ' ', '')
where a.photoLink like '% %';
And which is the best way to rename them in Linux Server, can I use php ?
You don't need where clause
UPDATE tblPhoto SET photoLink = REPLACE(photoLink , ' ', '');
For replacing the file name on your Linux Server you can try to look in this answer.
https://stackoverflow.com/a/2709619/7921383
Use php method for example:
$old_name="Hello World";
echo str_replace(" ","",$old_name);
//output Helloworld
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I have a MySQL Database but my function is not working. I want to know how many results I get for my database query, but I just get nothing back, not even 0. I also tried $values->num_rows; same result. Do not get back a number... just nothing
My Code:
$values = $database->query("SELECT * FROM `wp_all_import_xml` WHERE name = '$title' AND price = '$price' AND shop = '$shop' AND link = '$link'");
$count_values = mysqli_num_rows($values);
echo "ERROR by detecting Product (More than 1 Row return by SQL!): " .$title. " Preis: " .$price. " Shop: " .$shop. " Link: " .$link. "\t num_rows: " .$count_values. "\n";
How can I get the amount of rows I get returned?
Greetings
The mysqli_num_rows function does work.
The most likely explanation for the observed behavior is an error is occurring and being ignored.
For debugging this, start with making sure error reporting is enabled.
Modify the code to check the return from the query. Verify that it's not returning FALSE, by performing a conditional test.
if ($values = $mysqli->query(...) ) {
// query returned a resultset
} else {
// query returned FALSE
}
If all we need to retrieve is the number of rows, then we can use COUNT(*) in the SELECT list.
if ( $res = $mysqli->query("SELECT COUNT(*) AS cnt FROM ... ") ) {
If the query is successful, then we get a row back, even if the count is zero. And we can easily process the result like we process results from other queries, without the need to muck with num_rows, and worrying about whether the query is buffered or unbuffered, etc.
We're going to assume that $database is a mysqli connection, and not a PDO connection, since the code includes a call to the mysqli_num_rows function. If it's PDO connection, then "num_rows doesn't work".
The code in the question follows the pattern frequently seen in code that is vulnerable to SQL Injection. (In this excerpt, we can't determine if the values of the variables being included in the SQL text are potentially unsafe, so we can't tell if it's vulnerable or not.)
If this was a prepared statement with bind placeholders, then we could tell.
Use prepared statements with bind placeholders. It isn't hard.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$s = "Update member_date" [snip]
$p = $pdo->prepare($s, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$p->execute();
Is that considered a "prepared" statement to justify being secure from SQL injection-type attacks?
UPDATE:
$member_id= htmlspecialchars($_GET['member_id']);
s1 = "
update member_date
set member_date= now()
where member_id= $member_id";
OVERALL QUESTION: "Is this how I should format all my new SQL-related code? I'm just finally making the switch from old mysql statements after reading my (new) error logs. Do I need to add in the question mark placeholders for strings and such or is the format how I have it at the first line of code ok for security purposes? I know the SQL I need to get the tasks accomplished just not the PDO security parts."
No. You are not using a prepared statement as intended. What you should do is add your $id as a paramater, and so separate your content (id) from your code (sql).
While you can do safe SQL with filtering yourself, the absolute best way is to, as you put it:
add in the question mark placeholders for strings and such
You can say "this needs to be an int, and then it will never be something scary like a " or some code that does magic with your query.
PDO is the best way to avoid sql injection that may attack the server. The code looks fine though. But PHP PDO is the absolute right way to avoid sql injection.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Here's how bind_params seem to be preparing sql statements:
stmt = db.prepare( "select * from table where a=? and b=?" )
stmt.bind_params( 15, "hello" )
So in reality inside the stmt, we need to have map/array or something that will eventually map the arguments and create the right stmt. What's the most optimal way of doing this internally? Plus strings need extra precaution I imagine - the above will have to be mapped like "select * from table where a = 15 and b = \"hello\" ".
I looked into SQLite3 and OCI and they seem to be passing these to internal C code.
I am trying to prepare the queries at the client side and send it to the server
If you're trying to do what it sounds like you're trying to do... don't try to do that.
That's not what a prepared statement is (or at least that isn't what it should be).
Your client code should not be trying to interpolate values into the query string in order to generate a "finished" query to send to the server for execution. That is a recipe for disaster, not to mention a false sense of security.
Prepared statements deliver the statement with ? placeholders to the server as-is, where the server "prepares" the statement for execution... and then the client send the parameters to the server ("binding" the parameters) for execution. Doing this, the server will never be confused as to "which part is the SQL" and "which part is the data," making sql injection impossible and making escaping and sanitizing the data unnecessary.
mysql_stmt_bind_param() is used to bind input data for the parameter markers in the SQL statement that was passed to mysql_stmt_prepare(). It uses MYSQL_BIND structures to supply the data. bind is the address of an array of MYSQL_BIND structures. The client library expects the array to contain one element for each ? parameter marker that is present in the query.
— http://dev.mysql.com/doc/refman/5.6/en/mysql-stmt-bind-param.html
If you are not communicating directly with the C-API then you should be calling the methods in your library that expose those same functions to you.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
Improve this question
I can't believe I am having this problem. I've been looking and looking but I can't see what is wrong. I hate this error message.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' poster_ip, message, posted, thread_id INTO posts ' at line 1
mysql_query("INSERT poster, poster_ip, message, posted, thread_id
INTO posts
VALUES (
{$post_info['poster']},
'".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."',
'".mysql_real_escape_string($post_info['message'])."',
{$post_info['posted']},
{$post_info['thread_id']}") or die (mysql_error());
Your SQL syntax is wrong.
You should be using something similar to:
INSERT INTO posts (poster, poster_ip, message, posted, thread_id) VALUES (...)
Maybe you should look at the doc ;)
Insert Syntax
If you're going to put the column names you should put it after the table name.
Example:
INSERT INTO table (col1, col2) VALUES (val1, val2)
Looks like a good opportunity to practice some debugging techniques. Try building the string you are passing to the function and assigning it to a variable, then echoing that variable to see what it is you are actually passing to the function. You can learn a lot that way about why you are getting errors. Also, it would help to know the data types of the columns you are inserting values into.
I have written this code to show you why arrays are useful for query generation and less likely to make a syntax error if you need to add more fields in future.
$fields = array('poster, poster_ip, message, posted, thread_id'); // Our fields
$table = 'posts'; // Our table name
$values = array(
$post_info['poster'],
$_SERVER['REMOTE_ADDR'],
$post_info['message'],
$post_info['posted'],
$post_info['thread_id']
);
$values = array_map('mysql_real_escape_string', $values); // Secure all inputs
// Generate query
$query = "INSERT INTO $table (" . implode(',', $fields) . ") VALUES ('" . implode("','", $values . "')";
// Run query
$result = mysql_query($query) or die('query error: ' . mysql_error());