include variable in mysql function UPDATE - mysql

Why work only $txt4 and $textfinal not working?
$txt = $_GET['value'];
$txt2 = $_GET['value2'];
$txt3 = $_GET['value3'];
$txt4 = $_GET['value4'];
$txtfinal = $txt . $txt2 . $txt3;
$conn->query("UPDATE '".$txtfinal."' SET quantita = quantita + '".$txt4."'");

Remove the quotes around the table name
$conn->query("UPDATE ".$txtfinal." SET quantita = quantita + '".$txt4."'");
^-------------^---- here
But beware - your code is wide open to SQL injections! You should use Prepared Statements and stop patching your queries together. There is almost never a reason to make the table name variable.

Try
$txtfinal = "'".$txt."',"."'".$txt2."',"."'".$txt3."'";

Related

Backslashes in MySql update query not working

Running the following query in MySql workbench as \ is an escape character.
UPDATE midshared.SETUP
SET DATAVALUE = 'C:\Documents and Settings\ADMINISTRATOR\Desktop\'
WHERE CODE = 'SAGEPATH'
manually changing to this does work.
UPDATE midshared.SETUP
SET DATAVALUE = 'C:\\Documents and Settings\\ADMINISTRATOR\\Desktop\\'
WHERE CODE = 'SAGEPATH'
However trying these methods that I've found on Stack Overflow don't work either -
UPDATE midshared.SETUP
SET DATAVALUE = REPLACE('C:\Settings\ADMINISTRATOR\Desktop\','\','\\')
WHERE CODE = 'SAGEPATH'
or
UPDATE midshared.SETUP
SET DATAVALUE = QUOTE('C:\Documents and Settings\ADMINISTRATOR\Desktop\')
WHERE CODE = 'SAGEPATH'
Can anyone point me in the right direction to fix it please?
Thanks
A
I tried the queries listed above
You can use double quotes safely and escape slashes as follows:
UPDATE midshared.SETUP
SET DATAVALUE = "'C:\\Documents and Settings\\ADMINISTRATOR\\Desktop\\'"
WHERE CODE_ = 'SAGEPATH'
Check the demo here.

How to solve sql error " product portfolio has diversified to encompass a highly successful multi-brand' at line 1"

I am kind of new one for mysql and php. a week ago this code worked perfectly and when now I am trying it shows this error message
Error : You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 's product portfolio has diversified to encompass a highly
successful multi-brand' at line 1
I search how to solve that after spending a whole day, but couldn't figure it out.
I have tried similar questions here in stackoverflow, Yet I am stucked here.
A help would be really admired
Given below is my code
<?php
if(isset($_POST['upload']))
{ $company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
$fileName = $_FILES['Filename']['name'];
$fileName1 = $_FILES['Filename1']['name'];
$fileName2 = $_FILES['Filename2']['name'];
$fileName3 = $_FILES['Filename3']['name'];
$fileName4 = $_FILES['Filename4']['name'];
$target = "company_images/";
$fileTarget = $target.$fileName;
$fileTarget1 = $target.$fileName1;
$fileTarget2 = $target.$fileName2;
$fileTarget3 = $target.$fileName3;
$fileTarget4 = $target.$fileName4;
$tempFileName = $_FILES["Filename"]["tmp_name"];
$tempFileName1 = $_FILES["Filename1"]["tmp_name"];
$tempFileName2 = $_FILES["Filename2"]["tmp_name"];
$tempFileName3 = $_FILES["Filename3"]["tmp_name"];
$tempFileName4 = $_FILES["Filename4"]["tmp_name"];
$result = move_uploaded_file($tempFileName,$fileTarget);
$result1 = move_uploaded_file($tempFileName1,$fileTarget1);
$result2 = move_uploaded_file($tempFileName2,$fileTarget2);
$result3 = move_uploaded_file($tempFileName3,$fileTarget3);
$result4 = move_uploaded_file($tempFileName4,$fileTarget4);
$file = rand(1000,100000)."-".$_FILES['file']['name'];
$file_loc = $_FILES['file']['tmp_name'];
$file_size = $_FILES['file']['size'];
$file_type = $_FILES['file']['type'];
$folder="pdf_uploads/";
// new file size in KB
$new_size = $file_size/1024;
// new file size in KB
// make file name in lower case
$new_file_name = strtolower($file);
// make file name in lower case
$final_file=str_replace(' ','-',$new_file_name);//anthima
if(move_uploaded_file($file_loc,$folder.$final_file))
{
$query = "INSERT INTO company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) VALUES ('$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4')";
$con->query($query) or die("Error : ".mysqli_error($con));
mysqli_close($con);
}
}
?>
<?php
Given below is the test data error
VALUES ('singer','Hardware','singer#gmail.com','singer','Singer has been in Sr' at line 1
Because you never sanitize anything and put the data straight into your query,
$company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
...
$query = "INSERT INTO
company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4)
VALUES (
'$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4'
)";
your problem is most likely in the data
's product portfolio has diversified to encompass a highly successful multi-brand
Maybe you have unscaped apostrophes in your data, so you're kinda SQL-injecting yourself. The query ends before the string shown in the error.
The solution is to escape special chars before inserting like in this question: How do I escape only single quotes?
In your case, start with the details
$details = addcslashes($_POST['details'], "'");
or
$details = addslashes($_POST['details']);
But keep adding test scenarios for your code. E.g. what happens if company name gets something like Mc'Donaldson? What is the set of chars you want to accept for each field? Then you will know how to validate those fields and create your functions (or reuse something)

how to use getNumRows() in Joomla after a second query

I am developing a php script within the Joomla environment which queries the same table / database twice. Each time I need to know whether any matches are found.
It seemed that the best way would be to use the getNumRows(). The Joomla documentation is very specific on its use:
Miscellaneous Result Set Methods getNumRows()
getNumRows() will return the number of result rows found by the last
query and waiting to be read. To get a result from getNumRows() you
have to run it after the query and before you have retrieved any
results.
I follow this in my script. At the first query there is no problem, but the second query always throws up a warning - most likely because the getNumRows() call for the second time is after the retrieving results from the first query - which does not comply with the Joomla requirement.
Any ideas how to solve? Many thanks!
The part of my script in question reads:
$db = JFactory::getDBO();
$query = "SELECT * FROM #__art_mobiles WHERE user_agent_header='$ua'";
$db->setQuery($query);
$rowsAG = $db->getNumRows();
$replyAG = $db->loadRow();
if ($rowsAG == 0) {
//if no match check www.handsetdetection.com
//see https://www.handsetdetection.com/properties/vendormodel for current list of models in database together with headers
echo "not in local database - try external<br/>";
$prod = '';
if ($hd3->siteDetect()) {
$replyHD = $hd3->getReply();
$man = $replyHD['hd_specs']['general_vendor'];
$dev = $replyHD['hd_specs']['general_model'];
$os = $replyHD['hd_specs']['general_platform'];
echo "found in handsetdetection.com database<br/>";
//check for provisional match in local database
$query = "SELECT * FROM #__art_mobiles WHERE manufacturer='$man' AND device='$dev'";
$db->setQuery($query);
$rowsAGprov = $db->getNumRows();
$replyAGprov = $db->loadRow();
if ($rowsAGprov == 0) { **[ETC]**
I think this could be an issue with using $db->loadRow(); as getNumRows relies on an executed query.
For example you could try:
$db = JFactory::getDBO();
$query = "SELECT * FROM #__art_mobiles WHERE user_agent_header='$ua'";
$db->setQuery($query);
$replyAG = $db->query();
$rowsAG = $db->getNumRows();
And:
$query = "SELECT * FROM #__art_mobiles WHERE manufacturer='$man' AND device='$dev'";
$db->setQuery($query);
$replyAGprov = $db->query();
$rowsAGprov = $db->getNumRows();
Though I am not sure what/if the difference will be between the results returned from query and loadRow. It would be worth experimenting and seeing if this works.
Alternately, if you are only using getNumRows to see if a record exists, you could do some kind of check on your $replyAG variable instead. It again might be worth experimenting to see what loadRow returns if there are no results.
You need to add the following code before you write the the query:
$query = $db->getQuery(true);
You need to use
$db = JFactory::getDbo();
$query = $db->getQuery(true)
->select($db->qn(array('id')))
->from($db->qn('#__social_notifications'))
->where($db->qn('status') . ' = ' . $db->q(0));
$db->setQuery($query);
$db->execute();
$resultData = $db->getNumRows();

mysql update 2 blobs at once not working

i'm having an issue when trying to update two BLOB fields in a row using mysql and php commands.
Inserting the BLOBs into the row seems to work no problem, here is what I do.
$logotemp = $_FILES['eventlogo']['tmp_name'];
$thumbnailtemp = $_FILES['eventthumbnail']['tmp_name'];
$openlogo = fopen($logotemp, 'r');
$openthumbnail = fopen($thumbnailtemp, 'r');
$logo = fread($openlogo, filesize($logotemp));
$logo = addslashes($logo);
$thumbnail = fread($openthumbnail, filesize($thumbnailtemp));
$thumbnail = addslashes($thumbnail);
fclose($openlogo);
fclose($openthumbnail);
So I have two form file inputs, and those files are read, and then set as the variables $log and $thumbnail. I then use the following command to enter this into the DB:
$qry = "INSERT INTO $table (`Event Logo`, `Venue Logo`) VALUES ('$logo', '$thumbnail')";
$result = mysql_query($qry);
if(!$result) {
die(mysql_error());
}
The above works fine, although I have trimmed out the rest of the fields that also get filled. The query works, and I can return the images to a page, and then display them along with all of the other information from that row.
I then want to edit the row, so created a new php file called edit.php, which is a copy of the php file used above, called new.php.
This means that the form is identical, and when the page is displayed, the value for each input is prefilled with the info from the database, the logo and thumbnail are shown next to the upload fields.
If I then run a query to update the row, using almost the same code as above, it always enteres an empty value into both blobs, essentially deleting the uploaded images. Here is what happens:
$id = $_POST['eventid'];
$logotemp = $_FILES['eventlogo']['tmp_name'];
$openlogo = fopen($logotemp, 'r');
$logo = fread($openlogo, filesize($logotemp));
$thumbnailtemp = $_FILES['eventthumbnail']['tmp_name'];
$openthumbnail = fopen($thumbnailtemp, 'r');
$thumbnail = fread($openthumbnail, filesize($thumbnailtemp));
fclose($openlogo);
fclose($openthumbnail);
So once again, the form fields are still called eventlogo and eventthumbnail, and the variables are still $logo and $thumbnail. I then use the following query to update the row:
$qry = "UPDATE $table SET `Event Name` = '$name', `Date` = '$date', `Time` = '$time', `Venue` = '$venue', `Price` = '$price', `Open To` = '$opento', `Rep Name` = '$repname', `Rep Email` = '$repemail', `Address` = '$address', `Website` = '$website', `Phone` = '$phone', `Description` = '$description', `Event Logo` = '$logo', `Venue Logo` = '$thumbnail' WHERE `Event ID` = '$id'";
I have left in the other variables that are updated this time.
$result = mysql_query($qry);
if(!$result) {
die(mysql_error());
}
When the query runs, it will update any other fields I want, except for the two image BLOB fields at the end. Considering I copied and pasted the code for the upload fields, the code to read the contents of that field, and then manually typed out a query to update those fields, I can't see what's going wrong.
Am I missing something obvious? Any help is greatly appreciated.
Thanks, Eds
Cant find the code I sorted this with, but I think I ended up just updating one at a time.

MySQL Update Statement + File Upload

Been staring at this all day and can't seem to figure out why my update statement fails to update the field 'image_filename':
$fileName = $_FILES['image_filename'];
if($fileName["name"] <> ""){
$imageFile = $fileName['name'];
$destination = "../../../../assets/resources/images/".$fileName['name'];
move_uploaded_file($fileName['name'], $destination);
}
$updateSQL = sprintf("UPDATE content SET image_filename='$imageFile' WHERE id=%s",
GetSQLValueString($_POST['resource_id'], "int"));
mysql_select_db($database_conn_talent, $conn_talent);
$Result1 = mysql_query($updateSQL, $conn_talent) or die(mysql_error());
Can a SQL pro tell me what I"m missing? Much thanks in advance for your feedback!
You appear to be building a query, but never executing it. Also, Drupal'll handle all the sprintfing for you, if you let it.
$query = "UPDATE content SET image_filename='$imageFile' WHERE id=%i";
db_query($query, $_POST['resource_id']);