I'm using prepared statement for MySQLi PHP which is all working. However, the application that I'm using this in has 108 different possible statements all very similar that can be run either without condition:
select * from table1
or with
select * from table 1 where user_level = 1)
The question that I'm asking: Is there a way that I can create the statement that covers all possibilities such as
select * from table 1 where user_level = {special input}
that will give the same outcome as
select * from table1
Otherwise I'm looking at a lot of repetition.
You would use parameter binding. See https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php.
Related
I would like a select query that would be able to select a value that may or may not be present in the where clause. Schema:
----------------------------------
studentid|firstname|lastname|major
My select clause would be
select * from students where studentid?={param} AND firstname?={param} AND lastname?={param} AND major?={param};
I put a question mark because I mean to say I could pass a value in the where clause or I might not. It could be
select * from students where studentid?=34344 AND firstname?="john" AND lastname?="smith" AND major?="";
select * from students where studentid?=34344 AND firstname?="john" AND lastname?="smith" AND major?="english";
Is there a way to do this easily without a stored procedure?
You can do that by using variables and checking null like this:
Declare #StudentId nvarchar(100) --can be null or evaluated
select * from students
where (#StudentId is null or studnetId= #StudentId) AND -- for other properties as well
Another option is using dynamic sql and first you have to build your sql query and then execute it (I don't like it)
You can handle it in the application side if possible:
string query= "select * from students where 1=1 /*trick for adding more conditions*/"
if(numberId is not null)
query += "AND studentId= {numberId} ";
//for other conditions ...
I have tons of queries and wanna count their occurrence.
Problem: the same query can have different parameters.
I thought about using EXPLAIN and then hash the array.
But i guess that wont work well.
Is there any way to get a hash of a query without including the params and "style" (format?)?
F.e. can the mysql (mariadb) server return a prepared statement from a query?
(EDIT: i do not have the prepared statements from code. I got SQL strings only.)
Simple example:
SELECT * FROM foo where bar = 'baz
SELECT * FROM `foo` WHERE `bar` = 'baz';
SELECT * FROM `foo` WHERE `bar` = 3
SELECT * FROM `foo` WHERE `bar` = 3;
...
This is the same query with different "style" and different parameters.
What i would like to count up is the occurrence of SELECT * FROM `foo` WHERE `bar` = {.*};
Note: the queries will contain multiple joins, subqueries, ect.
In this case I got those SQL queries from a general_log table.
No code, just SQL strings.
It's not a question of "how can I do this better".
It's a "how can I get a better result from what I got".
You can get the count of queries by "digest" — a kind of anonymized version of the query with all constant values replaced with ? — from the performance_schema.
SELECT
SCHEMA_NAME,
digest,
digest_text,
round(sum_timer_wait/ 1000000000000, 6),
count_star
FROM performance_schema.events_statements_summary_by_digest
ORDER BY sum_timer_wait DESC LIMIT 10;
See https://www.percona.com/blog/2015/10/13/mysql-query-digest-with-performance-schema/ for a blog on this solution.
So I am doing a little sql injection challenge because I wanted to learn about it and I have a question. I type 'hi' into the HTML form and I get this back as a response
Error: The following error occurred: [near "hi": syntax error]
Query: SELECT * FROM personnel WHERE name=''hi''
The information we need to get is located in a table called users. I was looking at sql and I see here the union operator which combines the results of 2+ select statements.
So, I try this as input: 1 UNION SELECT * FROM users and I get nothing back so it looks like it searched from that input as a name in table personnel. I thought this would work because the query would look like: SELECT * FROM personnel WHERE name=1 UNION SELECT * FROM users. Am I not understanding how the union operator works or is something else wrong in my input
This one:
set #hi = "'hi'";
select #hi;
SELECT * FROM personnel WHERE name="'hi'"
Simulate:
insert into personnel (`name`) values("'hi'");
insert into personnel (`name`) values("'hello'");
select * from personnel where `name` != "'hi'"
-- you can't use a double '' in sql query
Query: SELECT * FROM personnel WHERE name='hi'
Probably the SQL is invalid because personnel and users have different shape. You need to inject something that is identical to the initial select.
Also your entire problem goes away if you have parameterised queries instead of concatenating into SQL.
I want to know can i run a query in iif function used in ms access database. My case
Select field1,(iif(3<4,'Select * from tbl1','select * from tbl2')) from tblmain
I am facing syntax error when i try to executed query like that whats the problem
What you're trying to achieve isn't clear from your sample query.
You can use IIF functions in Access queries, for example:
SELECT IIF([SomeField]<15, "Smaller than 15", "Greater than!") As Whatever
FROM myTable
You can use subselects in Access as well, for example (example shamelessly stolen from http://allenbrowne.com/subquery-01.html):
SELECT MeterReading.ID, MeterReading.ReadDate, MeterReading.MeterValue,
(SELECT TOP 1 Dupe.MeterValue
FROM MeterReading AS Dupe
WHERE Dupe.AddressID = MeterReading.AddressID
AND Dupe.ReadDate < MeterReading.ReadDate
ORDER BY Dupe.ReadDate DESC, Dupe.ID) AS PriorValue
FROM MeterReading;
Note that the specified subselect query must be guaranteed to return a single record - either by specifying TOP 1 or using an aggregate function - and must link back to the parent query in the WHERE clause.
You can't use an IIF statement the way you're trying to in your question, however, even if your subselect was valid, which it is not.
Two options to suggest, although it is less than clear to me what you're trying to achieve here. First, you might want to consider doing it in VBA instead. Something like:
const query1 As String = "Select * from tbl1"
const query2 As String = "select * from tbl2"
Dim recset as DAO.Recordset
set recset = CurrentDB.OpenRecordset(iif(3<4, query1, query2))
Alternatively, if both tbl1 and tbl2 had the same fields you could do something like this:
SELECT * FROM tbl1 WHERE 3<4
UNION ALL
SELECT * FROM tbl2 WHERE NOT (3<4)
If you replace 3<4 by whatever actual condition you're checking for, you'll only get back records from one or the other or query, never both. However, my suspicion is that if you need to do this, your database may have design issues - I can think of many questionable scenarios where this would be needed, and few valid ones, although I'm sure they exist.
I was wondering if something like this is possible in MySQL:
SELECT * FROM tmpTable WHERE id = 1 AND ISTRUE(UPDATE tmptTable SET value = 1)
Or
SELECT * FROM tmpTable WHERE id = (INSERT INTO tmptTable (name) VALUES ('test'))
Or the same query with UNION or something
What i'm trying to do with this is SELECTing only the records that are updated/by the ID's they are inserted. I want to know if it's acutally possible to do an Update or Insert query INSIDE an other query.
Looks like you are trying to do composable DML. No this isn't supported in MySQL. – Martin
https://stackoverflow.com/users/513811/martin
He just gave the answer, but as a comment...