What is the syntax for passing named parameters in MariaDB? - mysql

I would expect from here...
https://mariadb.com/kb/en/user-defined-variables/
and here...
https://dev.mysql.com/doc/refman/5.7/en/user-variables.html
that this would work (from python)...
conn.execute("select * from db.`My Table` where `my id` = @my_id", {'@my_id': 54321}).fetchall()
but it doesn't. I can get it working using the '%s' syntax and passing in a list, but I'd like named parameters.
Do I have to run
SET @my_id = 54321
first? Do I have to use a stored proc?

As long as it is on the same connection, you can execute SET @my_id = 54321 followed by select * from db.`My Table` where `my id` = @my_id. Doing it that way, passing the value as a parameter in the .execute() shouldn't be needed.
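An added example, not part of the original question or answer, showing the two routes side by side from Python. It assumes a DB-API driver with paramstyle 'pyformat' (PyMySQL and mysql-connector both accept `%(name)s` placeholders with a dict); the `RecordingCursor` is a stand-in that only records what `execute()` receives so the code runs offline, and the table names follow the question. The point it makes: `@my_id` is session state on the MariaDB server, while named parameters are a client-driver feature, and in both routes the value is bound, never formatted into the SQL text.

```python
"""Named parameters to MariaDB from Python: driver placeholders vs. a user variable."""
import re

# %(name)s placeholders as understood by PyMySQL / mysql-connector (paramstyle 'pyformat')
PLACEHOLDER = re.compile(r"%\((\w+)\)s")


def check_named(sql, params):
    """Return the placeholder names in order; raise if the dict and the SQL disagree.
    Catches the two common mistakes: a placeholder with no value, or a value
    whose placeholder was misspelled and would silently never be used."""
    names = PLACEHOLDER.findall(sql)
    missing = [n for n in names if n not in params]
    if missing:
        raise KeyError("no value for placeholder(s): " + ", ".join(missing))
    unused = sorted(set(params) - set(names))
    if unused:
        raise ValueError("unused parameter(s): " + ", ".join(unused))
    return names


def select_by_id(cursor, my_id):
    """Route 1: the driver's own named parameter. The value travels in the
    params dict; the driver escapes it and the SQL text never changes."""
    sql = "SELECT * FROM db.`My Table` WHERE `my id` = %(my_id)s"
    params = {"my_id": my_id}
    check_named(sql, params)
    cursor.execute(sql, params)
    return cursor.fetchall()


def select_via_user_variable(cursor, my_id):
    """Route 2 (the answer above): SET a server-side user variable, then read it.
    Both statements must run on the same connection, and the value is still
    bound with a placeholder rather than pasted into the SET statement."""
    cursor.execute("SET @my_id = %(my_id)s", {"my_id": my_id})
    cursor.execute("SELECT * FROM db.`My Table` WHERE `my id` = @my_id")
    return cursor.fetchall()


class RecordingCursor:
    """Test double (not a real driver): records what execute() receives."""

    def __init__(self):
        self.calls = []

    def execute(self, sql, params=None):
        self.calls.append((sql, params))

    def fetchall(self):
        return []


if __name__ == "__main__":
    cur = RecordingCursor()
    select_by_id(cur, 54321)
    select_via_user_variable(cur, 54321)
    for sql, params in cur.calls:
        print(sql, params)
    # Against a real server (assumption: PyMySQL installed, placeholder credentials):
    # import pymysql
    # conn = pymysql.connect(host="HOST_PLACEHOLDER", user="USER", password="PASS", database="db")
    # with conn.cursor() as real_cur:
    #     rows = select_by_id(real_cur, 54321)
```

With pyformat drivers a literal percent sign in the SQL (for example in a LIKE pattern) has to be written as `%%` whenever a params argument is passed, otherwise the driver tries to interpret it as a placeholder.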

Related

MySQL: when I use a user-defined variable, SQL EXPLAIN uses type "ALL"

When I use a user-defined variable, I want it to use an 'index', like 'ref';
for example,
SET @company_code = "A002";
select *
from product_in_out
where company_code = @company_code
and product_date = "2022-04-13"
and out_type = "Q"
;
The result for the above looks like this:
(EXPLAIN screenshot not included)
To get the SQL index used, I tested replacing the variable with the plain text "A002".
At that time, SQL used the index with type 'ref':
select *
from product_in_out
where company_code = "A002"
and product_date = "2022-04-13"
and out_type = "Q"
;
If so, is there any good way to use a variable and still use the MySQL index?!?!
As a workaround, add this composite index:
INDEX(out_type, product_date, company_code)
(I assume product_date is of datatype DATE.)

What's wrong with this SQL query WHERE AND clause?

Previously, this was working:
$patient_story_set_photos = $wpdb->get_results('SELECT * FROM wp_before_after WHERE patientID = '.$post->ID.' AND patient_display = 1');
However, when I try to add another AND condition like this:
$patient_story_set_photos = $wpdb->get_results('SELECT * FROM wp_before_after WHERE patientID = '.$post->ID.' AND patient_display = 1 AND period_taken = '.$set->period_taken);
I get the following error on screen:
WordPress database error: [Unknown column '1hour' in 'where clause']
SELECT * FROM wp_before_after WHERE patientID = 8175 AND patient_display = 1 AND period_taken = 1hour
I can't see why there's a problem; are you not allowed to use multiple AND conditions in SQL?
The problem is not the AND; the problem is your 1hour. Unquoted, 1hour means a reference to an object (database, table) named 1hour, so you need to quote it: '1hour'.
If you write
SELECT * FROM wp_before_after
WHERE patientID = 8175
AND patient_display = 1
AND period_taken = '1hour'
you will compare the field period_taken to a string (CHAR, VARCHAR, TEXT) equal to '1hour'.
I assume period_taken is a field typed CHAR, VARCHAR or TEXT.
Before anything else: DO NOT CONCATENATE SQL STRINGS. Nowadays this is a MUST (see how to do it properly: https://stackoverflow.com/a/60496/3771219).
The problem you are facing is because, I presume, the period_taken field is some sort of Char/Varchar/String field, and when you are filtering by a "stringy" field you must surround your literal values with single quotes:
SELECT *
FROM wp_before_after
WHERE patientID = 8175
AND patient_display = 1
AND period_taken = '1hour'
Hope this helps

How to get the latest date from two conditions?

I have a drop down, where the drop down is a list of namaJabatan.
my table - infojawatan
ID - PK of the table
namaJabatan - where the condition appears ($search - it's up to what the user selects from the dropdown)
tarikhKemaskini - where I want to get the latest date of the row
my query:
$sql = "SELECT * FROM infojawatan WHERE namaJabatan = '$search' && tarikh Kemaskini IN (SELECT MAX(tarikhKemaskini) FROM infojawatan GROUP BY ID)";
$sql_rs = mysql_query($sql);
while($row_Sql = mysql_fetch_array($sql_rs)) {
$tarikhKemaskini = $row_Sql['tarikhKemaskini'];
}
echo "Current Date :" .$tarikhKemaskini;
You have a few syntax errors in your SQL.
SQL spells out AND, not &&.
tarikhKemaskini is one word.
SELECT *
FROM infojawatan
WHERE namaJabatan = :namaJabatan AND
tarikhKemaskini IN (
SELECT MAX(tarikhKemaskini)
FROM infojawatan
GROUP BY ID
)
Note carefully that I used :namaJabatan there instead of hard coding $search. Hard coding variables into SQL leaves you open to a SQL Injection Attack where a malicious attacker can craft a search query that lets them get more information than they're allowed to, or even run arbitrary SQL queries.
Instead, use parameters, the :namaJabatan there, and pass your variables in when you execute the query.
Unfortunately the mysql_query interface doesn't support this. Fortunately it was deprecated and there are now better interfaces. Here's a breakdown. I'd recommend using PDO as it is a generic interface applicable to any SQL database. Then you can use the more secure and efficient prepared statements with bind parameters.
$stmt = $dbh->prepare("
SELECT *
FROM infojawatan
WHERE namaJabatan = :namaJabatan AND
tarikhKemaskini IN (
SELECT MAX(tarikhKemaskini)
FROM infojawatan
GROUP BY ID
)
");
$stmt->execute(array( ':namaJabatan' => $search));
while( $row = $stmt->fetch() ) {
echo $row['tarikhKemaskini'];
}

Why is this SQL statement being read incorrectly?

Why is this SQL Statement
$array = $wpdb->get_results('SELECT * FROM wp_before_after WHERE patient = '.$patientName );
Generating this error?
WordPress database error: [Unknown column 'sarah' in 'where clause']
SELECT * FROM wp_before_after WHERE patient = sarah-jordon
It's like it's swapping round 'patient' and 'sarah-jordon', and thinking sarah-jordon is a column in the database.
You are missing quotes around your value.
$array = $wpdb->get_results('SELECT * FROM wp_before_after WHERE patient = "'.$patientName . '"');
But it will be more robust if you use a parameterized query.
Edit
I checked quickly in the WordPress reference, and they have a prepare method.
While A.D.'s answer is correct...
$array = $wpdb->get_results('SELECT * FROM wp_before_after WHERE patient = "'.$patientName . '"');
... and makes mention that the OP example is not really robust/secure (vulnerable to SQL injection), I thought it would be worthwhile to post an example that is secure using the prepare statement:
// Usage: $wpdb->prepare( 'query' [, value_parameter, value_parameter ... ] );
// Example:
$patient_name = $patientName;
// %s because patient is a string column; %d would cast "sarah-jordon" to 0
$patient = $wpdb->get_var(
$wpdb->prepare( "SELECT * FROM wp_before_after WHERE patient = %s", $patient_name ));
Documentation can be found here
The reason for using prepare is it prevents SQL Injection Attacks on queries that take parameters. For example, in the OP example, if someone were to enter..
sarah; DROP TABLE wp_before_after
or maybe less insidiously:
sarah OR 1=1
.. into the Patient Name field, that SQL would be executed and presumably drop your wp_before_after table or return all of the records in your patient table.
The prepare method SQL escapes the values prior to executing the query -- and that prevents your variables/parameters from being potentially read as SQL. It's basically saying "hey, make sure you read these as values, not part of the query."
As a general rule of thumb, you want to use prepare in all circumstances where a query takes user input as a parameter. You do not want to use prepare in circumstances where no user input is needed -- for example, getting all patients with a first name starting with 's'.
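An added example, not from any of the posts above, that reproduces the failure mode behind the `1hour` and `sarah-jordon` errors and shows what parameter binding changes. It uses Python's built-in sqlite3 as an offline stand-in for MySQL: the rule it demonstrates, that a bare word in SQL is parsed as an identifier while a bound value is always data, holds in both. The table and column names follow the posts; the rows are constructed sample data. It also shows why the `OR 1=1` case mentioned above is harmless once the value is bound.

```python
"""Unquoted value vs. bound parameter, run against an in-memory sqlite3 table."""
import sqlite3


def make_db():
    """Create an in-memory table shaped like the posts' wp_before_after (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_before_after ("
        "patientID INTEGER, patient TEXT, patient_display INTEGER, period_taken TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_before_after VALUES (?, ?, ?, ?)",
        [
            (8175, "sarah-jordon", 1, "1hour"),
            (8175, "sarah-jordon", 0, "1hour"),
            (9000, "tom-smith", 1, "2hour"),
        ],
    )
    return conn


def query_concatenated(conn, patient):
    """The OP's pattern: the value is pasted into the SQL text.
    'sarah-jordon' is parsed as the expression sarah - jordon, so the engine
    looks for a column named sarah. Returns rows, or the error message."""
    sql = "SELECT * FROM wp_before_after WHERE patient = " + patient
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)


def query_bound(conn, patient, period_taken):
    """Parameter binding: values are handed to the driver separately from the
    SQL, so they are compared as data and never re-parsed as identifiers or
    operators. MySQL drivers use %s where sqlite3 uses ?."""
    sql = (
        "SELECT * FROM wp_before_after "
        "WHERE patient = ? AND patient_display = 1 AND period_taken = ?"
    )
    return conn.execute(sql, (patient, period_taken)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_concatenated(db, "sarah-jordon"))       # no such column: sarah
    print(query_concatenated(db, "'sarah-jordon'"))     # quoted: two rows
    print(query_concatenated(db, "'sarah' OR 1=1"))     # every row: the value became SQL
    print(query_bound(db, "sarah-jordon", "1hour"))     # one row
    print(query_bound(db, "'sarah' OR 1=1", "1hour"))   # no rows: the text is just a name
```

The same idea is what `$wpdb->prepare()` and PDO's named parameters give you in PHP: the quoting and escaping is done by the driver from the declared type, not by hand in string concatenation.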

MYSQL & C#: How to escape the elements in a SELECT WHERE IN (...) clause?

I have a procedure with a single string parameter to retrieve records from my table test, which has two fields: id (int) and Name (varchar).
The query in the procedure is shown below:
Select * from test where id in (strParam);
and the value in the parameter will be
strParam="1,2";
but the result will be wrong because the query will be as shown below
Select * from test where id in ('1,2');
but I need the query to be like shown below
Select * from test where id in (1,2);
Please help me with a solution.
The programming language is C#.
Thanks,
suraj
Usually you construct the SQL correctly in your programming language:
Select * from test where id in ('1,2');
should come from your application code, where it's easier to change strParam="1,2"; to strParam="'1','2'":
Split (explode) the string into an array
escape each element in the array (using the correct MySQL-ESCAPE function)
Join (implode) the array back into a string,
If you really can't change the application code, maybe some SQL tricks could work. Try:
SELECT * FROM test where FIND_IN_SET(ID,strParam) > 0
Not sure if this is the most efficient way:
Explode the value strParam into an array and then build up the string you need in the query:
<?php
// Split the comma-separated parameter into an array, then build "(1,2)".
$arrayParam = explode(',', $strParam);
$strParamQuery = '(';
foreach ($arrayParam as $param) {
    if ($strParamQuery != '(') {
        $strParamQuery = $strParamQuery . ','; // Add a comma before all but the first element
    }
    $strParamQuery = $strParamQuery . (int) $param; // id is an int column: cast so only numbers reach the query
}
$strParamQuery = $strParamQuery . ')';
$query = 'Select * from test where id in ' . $strParamQuery . ';';
?>
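An added example, not from the posts above, of the application-side approach the first answer recommends: split the string, validate each element, and emit one bound placeholder per element instead of escaping text into the query. It uses sqlite3 as an offline stand-in (MySQL drivers take `%s` where sqlite3 takes `?`, which the helper parameterises); the table `test(id, Name)` follows the post and the rows are constructed. It also handles the empty-list edge case, since `IN ()` is a syntax error.

```python
"""IN (...) with one bound parameter per element, run against an in-memory sqlite3 table."""
import sqlite3


def parse_id_list(str_param):
    """Turn the post's '1,2' string into ints. Anything non-numeric (such as
    '1 OR 1=1') raises ValueError instead of reaching the database."""
    ids = []
    for part in str_param.split(","):
        part = part.strip()
        if part:
            ids.append(int(part))
    return ids


def in_clause(values, placeholder="?"):
    """Return ('IN (?, ?, ?)', [values]) with one placeholder per value.
    Pass placeholder='%s' for PyMySQL / mysql-connector. An empty list would
    produce 'IN ()', a syntax error, so it yields a clause that matches nothing."""
    if not values:
        return "IN (NULL)", []
    return "IN (" + ", ".join([placeholder] * len(values)) + ")", list(values)


def make_db():
    """In-memory table shaped like the post's test table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO test VALUES (?, ?)", [(1, "one"), (2, "two"), (3, "three")]
    )
    return conn


def select_ids(conn, str_param):
    """Run the post's query with the list bound element by element."""
    clause, params = in_clause(parse_id_list(str_param))
    sql = "SELECT * FROM test WHERE id " + clause + " ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(select_ids(db, "1,2"))   # [(1, 'one'), (2, 'two')]
    print(select_ids(db, ""))      # []
    print(in_clause([1, 2, 3], "%s"))
```

Inside a stored procedure that receives the whole list as one string, the FIND_IN_SET workaround from the answer above is the remaining option, but it compares against a string and cannot use an index on id; building the placeholder list in the application keeps the values typed and bound.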