Is there a way in mysql to express 'OR' ? The idea is to search if there is a match "user.getinput()" that corresponds to the username column or the email column. How to express this in a proper way.
SELECT FROM tablex WHERE username OR email = '"+ user.getinput()+"'";
The following is the query:
SELECT FROM tablex WHERE username = ? OR email = ?
Better use PreparedStatement
String query = "SELECT FROM tablex WHERE username = ? OR email = ?";
PreparedStatement stmt=con.prepareStatement(query);
stmt.setString(1,userName);
stmt.setString(2,email);
stmt.executeUpdate();
I strongly recommend to use a prepared statement to prevent sql injection issues.
Something like this:
PreparedStatement stmt = conn.prepareStatement(
"SELECT * FROM tablex WHERE username = ? OR email = ?");
stmt.setParameter(1, "something");
stmt.setParamater(2, "something");
Related
I am running problems in implementing LIKE in PDO
I have this query:
$query = "SELECT * FROM tbl WHERE address LIKE '%?%' OR address LIKE '%?%'";
$params = array($var1, $var2);
$stmt = $handle->prepare($query);
$stmt->execute($params);
I checked the $var1 and $var2 they contain both the words I want to search, my PDO is working fine since some of my queries SELECT INSERT they work, it's just that I am not familiar in LIKE here in PDO.
The result is none returned. Do my $query is syntactically correct?
You have to include the % signs in the $params, not in the query:
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
If you'd look at the generated query in your previous code, you'd see something like SELECT * FROM tbl WHERE address LIKE '%"foo"%' OR address LIKE '%"bar"%', because the prepared statement is quoting your values inside of an already quoted string.
Simply use the following:
$query = "SELECT * FROM tbl WHERE address LIKE CONCAT('%', :var1, '%')
OR address LIKE CONCAT('%', :var2, '%')";
$ar_val = array(':var1'=>$var1, ':var2'=>$var2);
if($sqlprep->execute($ar_val)) { ... }
No, you don't need to quote prepare placeholders. Also, include the % marks inside of your variables.
LIKE ?
And in the variable: %string%
$query = "SELECT * FROM tbl WHERE address LIKE ? OR address LIKE ?";
$params = array("%$var1%", "%$var2%");
$stmt = $handle->prepare($query);
$stmt->execute($params);
You can see below example
$title = 'PHP%';
$author = 'Bobi%';
// query
$sql = "SELECT * FROM books WHERE title like ? AND author like ? ";
$q = $conn->prepare($sql);
$q->execute(array($title,$author));
Hope it will work.
I have a query, and I want to get the last ID inserted. The field ID is the primary key and auto incrementing.
I know that I have to use this statement:
LAST_INSERT_ID()
That statement works with a query like this:
$query = "INSERT INTO `cell-place` (ID) VALUES (LAST_INSERT_ID())";
But if I want to get the ID using this statement:
$ID = LAST_INSERT_ID();
I get this error:
Fatal error: Call to undefined function LAST_INSERT_ID()
What am I doing wrong?
That's because that's an SQL function, not PHP. You can use PDO::lastInsertId().
Like:
$stmt = $db->prepare("...");
$stmt->execute();
$id = $db->lastInsertId();
If you want to do it with SQL instead of the PDO API, you would do it like a normal select query:
$stmt = $db->query("SELECT LAST_INSERT_ID()");
$lastId = $stmt->fetchColumn();
lastInsertId() only work after the INSERT query.
Correct:
$stmt = $this->conn->prepare("INSERT INTO users(userName,userEmail,userPass)
VALUES(?,?,?);");
$sonuc = $stmt->execute([$username,$email,$pass]);
$LAST_ID = $this->conn->lastInsertId();
Incorrect:
$stmt = $this->conn->prepare("SELECT * FROM users");
$sonuc = $stmt->execute();
$LAST_ID = $this->conn->lastInsertId(); //always return string(1)=0
You can get the id of the last transaction by running lastInsertId() method on the connection object($conn).
Like this $lid = $conn->lastInsertId();
Please check out the docs https://www.php.net/manual/en/language.oop5.basic.php
When I run this code:
string MySQL = "Select * From RegisterDatabase Where uName = '" + Request.Form["username"] +"'";
It didn't work for me, so I tried to see what the problem was and it turns out there's a comma in MySQL.
Select * From RegisterDatabase Where uName = 'Test,'
How do I fix this?
Your code is prone to SQL Injection attack.
You want to parameterized query like this -
string query = "Select * From RegisterDatabase Where uName = #username";
// Remove "," from username
string username = Request.Form["username"].ToString().Replace(",", "");
MySqlCommand command = new MySqlCommand(query);
command.Parameters.AddWithValue("#username", username);
Or some use ?username instead of #username.
Use following
Request.Form["username"].ToString().Replace(',',' ').Trim();
$query = "SELECT username, email, password, salt
FROM tbl_memembers
WHERE (username = $resetuser) OR (email = $resetuser)";
This keeps returning that there is nothing in the database, when I know for a fact that there is matching those details entered ($resetuser = $_POST from previous page)
Try with this query
$query = "SELECT username, email, password, salt
FROM tbl_memembers
WHERE username = '$resetuser' email = '$resetuser' ";
Is there a table namned 'tbl_memembers' or should it be 'tbl_members'? As #Abhik Chakraborty points out - the parameters should be surrounded by ''. Then again - shouldn't '' just declare $resetuser as a string, not the parameter name? I'm a .NET-developer and have no experience of PHP but in .NET any parameter must be surrounded by username = '" & parametername & "'.
I have a sql statement where I want to get all the entry with the category of "Game" but do not want to retrieve the record with the code of "A00001".
Below is my sql code but there is an error in the where clause.
$sql1 = "SELECT * FROM productItem WHERE productName = '$name' AND skuCode != '$mySKU';";
$mySKU = 'A00001';
$sql1 = "SELECT * FROM productItem WHERE productName = '$name' AND skuCode != '$mySKU'";
You have an extra ; lurking somewhere in there. Be sure to sanitize $mySKU if it is user input and use prepared statements.
update: Using PDO:
$stmt = $dbh->prepare("SELECT * FROM productItem WHERE productName = :name AND skuCode != :mySKU");
if ($stmt->execute(array('name' => $name, "mySKU" => $mySKU))) {
$rows = $stmt->fetchAll(); //if you are sure there are records
Try this:
"SELECT * FROM productItem WHERE productName = '$name' AND skuCode <> '$mySKU';";
Not equal statement is <>
http://dev.mysql.com/doc/refman/5.0/en/comparison-operators.html#operator_not-equal