$sql = "SELECT COUNT(ID) AS total
FROM ".$datatable."
WHERE STATE=".$category ;
I'm trying to figure out why this isn't working.
$sql = "SELECT COUNT(ID) AS total
FROM ".$datatable."
WHERE STATE='AL'" ;
This one, however, works. I'm unsure what concatenation or " ' syntax issue it is.
You need to include single quotation marks for the where statement. Also, since you're using double quotes you don't actually need to escape from the string to include the PHP variables.
$sql = "SELECT COUNT(ID) AS total FROM $datatable WHERE STATE='$category'";
I've created a Command in my controller like this:
public function actionTotal($id)
{
    $query1 = new Query;
    $query1->select('sum(patient_services.price) price, sum(receipts.price) receipts ,')
        ->from('patient_services ')
        ->leftJoin(' receipts ON patient_services.patient_id=receipts.patient_id')
        ->where('patient_services.patient_id=:id', array(':id'=>$id));
    $command1 = $query1->createCommand();
    $price = $command1->queryAll();
    echo Json::encode($price);
}
When I try it, the generated select has a stray comma and I don't know how to remove it:
SELECT sum(patient_services.price) price, sum(receipts.price) receipts FROM `patient_services` LEFT JOIN ` receipts ON` `patient_services`.`patient_id=receipts`.`patient_id` WHERE patient_services.patient_id=1
When I remove all the extra commas from the SQL and try it in phpMyAdmin, it works fine :(
You have an invalid leftJoin; replace it with this:
->leftJoin('receipts', 'patient_services.patient_id = receipts.patient_id')
Also, it seems you have an extra comma at the end of your select. Remove that last comma; the select would then look like this:
$query1 ->select('sum(patient_services.price) price, sum(receipts.price) receipts')
Hope this works.
I am trying to update the MySQL table MYTABLE using two values. One is the STAR column, which should be incremented by one on each query, and the second one is the COMMENT column, which should be concatenated with the existing value each time, separated by a comma.
Below is the command I used, but it is not working.
$query = "update MYTABLE set STAR=STAR+1,COMMENT= CONCAT(COMMENT, ','.$comment) where ID='$id'";
$query = "update MYTABLE set STAR=STAR+1,COMMENT = CONCAT(COMMENT, ',', '$comment') where ID=$id";
where ID='$id'
is incorrect because $id might be a number, so delete the "'".
Have you escaped the $comment variable?
Otherwise you may use prepared statements with PDO :)
I hope you're using PDO...
You should put the string in '' and update your query; it has a syntax error:
$query = "update MYTABLE set STAR=STAR+1,COMMENT= CONCAT(COMMENT, '$comment') where ID='$id'";
To make it more secure, just use the following code...
$query = "update MYTABLE
set `STAR` = `STAR`+1,
`COMMENT`= CONCAT(COMMENT, '$comment')
where `ID`='$id'";
Happy Coding...
I'm a newbie to MySQL; I managed to scrape this together to get the result I wanted. Can it be coded better? Are there any security risks? It's being output in PHP.
$qwe = $product->virtuemart_product_id;
$id = mysql_real_escape_string($qwe);
$result = mysql_query('SELECT * FROM virtuemart_product_medias where virtuemart_product_id = ' . $id . ' LIMIT 1');
$row = mysql_fetch_assoc($result);
$matched = $row['virtuemart_media_id'];
$result2 = mysql_query('SELECT * FROM virtuemart_medias where virtuemart_media_id = ' . $matched . ' LIMIT 1');
$row2 = mysql_fetch_assoc($result2);
$matched2 = $row2['file_url_thumb'];
echo $matched2;
I don't know whether or not there is a security hole in the specific code you provided - that depends on what other validation exists elsewhere in your program, and what you consider to be a security hole. But the way you are coding means that there definitely could be security holes. Let's look at your first query:
$id = mysql_real_escape_string($qwe);
$result = mysql_query('SELECT *
FROM virtuemart_product_medias
WHERE virtuemart_product_id = ' . $id . ' LIMIT 1');
Imagine if $qwe is the string 0 OR 1=1 --. The mysql_real_escape_string only escapes certain characters such as quotes and backslashes.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \\, ', " and \x1a.
The string 0 OR 1=1 -- that I mentioned above does not contain any of these characters so it will not be affected at all by mysql_real_escape_string. After you substitute in the value of $id, the resulting SQL query will look something like this:
SELECT *
FROM virtuemart_product_medias
WHERE virtuemart_product_id = 0 OR 1=1 -- LIMIT 1
As you can see, this will return all rows.
Long story short: Use PDO and parameterized queries.
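The same lookup done the way this answer recommends, as an added example that is not code from any of the posters: one PDO prepared statement with the id validated and bound, so the `0 OR 1=1 --` value above is simply rejected. The table and column names are the ones from the question; the DSN and credentials are placeholders. The same pattern applies to the earlier `STATE='$category'` and `CONCAT(COMMENT, '$comment')` queries on this page.

```php
<?php
// Added example, not from the original answers: the two-step thumbnail lookup
// rewritten as one PDO prepared statement. Table and column names are the ones
// in the thread; the DSN and credentials are placeholders to be replaced.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: bound values never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function thumbForProduct(PDO $pdo, mixed $productId): ?string
{
    // The id must be an integer; reject anything else instead of escaping it.
    // filter_var returns false for "0 OR 1=1 --", "1abc", "" and similar.
    $id = filter_var($productId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('product id must be an integer');
    }

    // One query instead of two: join the media row through the product mapping.
    $sql = 'SELECT m.file_url_thumb
              FROM virtuemart_product_medias pm
              JOIN virtuemart_medias m
                ON m.virtuemart_media_id = pm.virtuemart_media_id
             WHERE pm.virtuemart_product_id = :id
             LIMIT 1';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $thumb = $stmt->fetchColumn();
    return $thumb === false ? null : $thumb;   // null when no media row exists
}

// Usage (uncomment with a real connection):
// $pdo = connect();
// echo thumbForProduct($pdo, $product->virtuemart_product_id);
// thumbForProduct($pdo, '0 OR 1=1 --');   // throws InvalidArgumentException
```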
Firstly, never use the mysql_* functions. They are deprecated and relying on them is highly discouraged. Use either MySQLi or PDO.
The above query could be rewritten as
SELECT file_url_thumb FROM virtuemart_medias where virtuemart_media_id = (SELECT virtuemart_media_id FROM virtuemart_product_medias where virtuemart_product_id = ' . $id . ' LIMIT 1) LIMIT 1
Never do a SELECT *. Include only those fields in your query which you need in your code.
Use one query instead of two, and select only the fields you're using, like so:
SELECT `file_url_thumb` FROM virtuemart_medias where virtuemart_media_id = (SELECT `virtuemart_media_id` FROM virtuemart_product_medias where virtuemart_product_id = ' . $id . ' LIMIT 1) LIMIT 1
You can always use a join:
SELECT a.virtuemart_media_id, b.file_url_thumb
FROM virtuemart_product_medias a
LEFT JOIN virtuemart_medias b
ON a.virtuemart_media_id = b.virtuemart_media_id
WHERE virtuemart_product_id = $id
LIMIT 1
That'll always get you the virtuemart_media_id and, if it exists, file_url_thumb.
Your query also has a problem: mysql_real_escape_string only escapes strings, and since you're not quoting $id in the query, it won't be handled as a string and the escaping will not help you. As other replies point out, you should really be using mysqli or PDO.
How about this:
SELECT a.file_url_thumb
FROM virtuemart_medias a
LEFT JOIN virtuemart_product_medias b ON a.virtuemart_media_id = b.virtuemart_media_id
WHERE b.virtuemart_product_id = ' . $id . ' LIMIT 1
I'm displaying a Spotlight post on the search page.
When a user enters a keyword to search for a post, I'd like to bring up a Spotlight post using that keyword. If there is no post with that keyword, then I would want to just bring up any Spotlight post from the database.
My question is: can I check in a MySQL query whether there will be any results with this keyword, and if not, ignore this keyword?
My query:
SELECT id, title, desc
FROM post
WHERE isActive = 1
AND title = 'keyword'
But if I get 0 results with this query, I would like to ignore it and run this instead:
SELECT id, title, desc
FROM post
WHERE isActive = 1
desc is a MySQL reserved keyword (used for ordering results in *desc*ending order). To use it as a column name, you need to put it in backticks:
$select = " SELECT id, title, `desc` ";
$from   = " FROM post";
// double quotes so $keywords is interpolated; LIKE so the % wildcards apply
$where  = " WHERE isActive = 1 AND title LIKE '%$keywords%'";
$sql    = $select.$from.$where;
This is what I have done to solve my problem.
$select = " SELECT id, title, `desc` ";
$from   = " FROM post";
$where  = " WHERE isActive = 1 AND title LIKE '%$keywords%'";
$sql    = $select.$from.$where;
If there is no result, then overwrite:
$where = " WHERE isActive = 1";
$sql   = $select.$from.$where;
If anyone knows any other way, please let me know.
I have a string of IDs separated with commas:
$myIDs = "22,23,45,895";
How do I write a query to return records for values that correspond to the IDs in my string?
This does not seem to be right:
SELECT *
FROM t1
WHERE itemID IN ($myIDs)
I guess I'm trying a PHP array function here, huh? Is there something like this in MySQL?
Appreciate any suggestions. Thanks.
I think you're missing quotes, i.e., the exact query should look like this before evaluation:
SELECT *
FROM t1
WHERE itemID IN ('22','23','45','895');
Hence all you've got to do to fix this is:
$myIDs = array(22,23,45,895);
$myIDs_string = "'".implode("','",$myIDs)."'";
Then, in whatever PHP/SQL library/framework you select, use PHP to execute the following query:
SELECT *
FROM t1
WHERE itemID IN ($myIDs_string);
Hope this helps.
$IDs = array(1,2,3,4,5);
// alternatively, you can write it like this...
// $IDs = "1,2,3,4,5";
if(is_array($IDs))
$IDs = implode(",",$IDs);
$query = "SELECT * FROM t1 WHERE itemID IN ($IDs)";
echo $query;
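The IN (...) query from this thread with one bound placeholder per id instead of the interpolated list, as an added example that is not code from any of the posters. It accepts both forms shown above (the comma-separated string and the PHP array); table t1 and column itemID are from the question, and $pdo is assumed to be an open PDO connection.

```php
<?php
// Added example, not from the original answers: run "WHERE itemID IN (...)"
// with one bound placeholder per id instead of interpolating the list.
// Table t1 and column itemID come from the question; $pdo is an open PDO
// connection whose setup is left to the caller.
declare(strict_types=1);

/**
 * Accepts either "22,23,45,895" or [22, 23, 45, 895], as in the question,
 * and returns a de-duplicated list of integers. Anything that is not an
 * integer (e.g. "5 OR 1=1") is rejected rather than escaped.
 */
function parseIdList(string|array $ids): array
{
    $parts = is_array($ids) ? $ids : explode(',', $ids);
    $clean = [];
    foreach ($parts as $p) {
        $n = filter_var(trim((string) $p), FILTER_VALIDATE_INT);
        if ($n === false) {
            throw new InvalidArgumentException('invalid id: ' . var_export($p, true));
        }
        $clean[] = $n;
    }
    return array_values(array_unique($clean));
}

function rowsByIds(PDO $pdo, string|array $ids): array
{
    $clean = parseIdList($ids);
    if ($clean === []) {
        return [];   // "IN ()" is a syntax error in MySQL; nothing to fetch anyway
    }
    // One "?" per id, e.g. IN (?,?,?,?); the ids travel as bound values.
    $marks = implode(',', array_fill(0, count($clean), '?'));
    $stmt  = $pdo->prepare("SELECT * FROM t1 WHERE itemID IN ($marks)");
    foreach ($clean as $i => $n) {
        $stmt->bindValue($i + 1, $n, PDO::PARAM_INT);   // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (with a real $pdo):
// $rows = rowsByIds($pdo, "22,23,45,895");
// $rows = rowsByIds($pdo, [22, 23, 45, 895]);
```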