I need to search same query on multiple columns using fatfree.
This works correctly on one column:
$f3->set('list', $users->find(array('name LIKE ?','%'.$queries.'%')));
However, if I try:
$f3->set('list', $users->find(array('name, email LIKE ?','%'.$queries.'%')));
I get error:
PDOStatement: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' email LIKE '%invent%'' at line 1
How can I do this?
Regards.
It should be:
$f3->set('list', $users->find(array(
'name LIKE ? OR email LIKE ?',
'%'.$queries.'%',
'%'.$queries.'%'
)));
NB: PDO doesn't allow to use a same placeholder twice so you have to give twice the same argument ('%'.$queries.'%').
Related
I want to create simple app to search some data in specific table.
I've got one database and can connect to it.
Also when I hardcoded table name it works great.
But I want to make url like that:
/demo/{table}/{author}
It should work that i give specific table for eg. 'comedy' and next I set name of author for eg. 'smith'.
My booksRepository:
#Query(value = "SELECT * FROM :table WHERE author = :author",
nativeQuery=true)
public List<Book> findByAuthor(#Param("author") String author, #Param("table") String table);
But it didn't work. I've got error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''comedy' WHERE author = 'Smith'' at line 1
It's adding ' to Query. Is there way to delete that? Is it possible or I need to put everything in one table?
Cheers :)
I haven't looked it up, but it seems that the variables in the query SQL can only be used to insert quoted values, not unquoted identifiers like a table name.
I get the usual errors ( already tried to read previous questions ) Query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''','',now(),'','This is great! ','', 'published')' at line 1
Thank you for helping!!
Here is my code:
My Code
The page in question is here:enter link description here
Thanks you very much for helping
The problem was on the line 20--> $query .= "VALUES({$post_category_id}. It need to be quotes around '{$post_category_id}'.
I don't know exactly why. the category id is a number , so for that shouldn't be around quotes because is a number.That's how our teacher explained to as.Thanks for your help.
The $connection variable isn't defined anywhere...
I just populated your page with some example data and that was the query I got:
INSERT INTO posts(post_category_id, post_title, post_author,post_date,post_image,post_content,post_tags,post_status) VALUES(,'','',now(),'',' Test','', 'Test')
The problem is near the VALUES keyword: VALUES (, is wrong. You should check first if every input value is populated correctly, eg if $post_category_id is defined with a valid value.
I have 5.1 MySQL version on my server. I am trying to perform this query:
SELECT File_Name
FROM Words_DB
WHERE Word_Name=" . $element . "
EXCEPT
SELECT File_Name
FROM Files_DB
WHERE Display=0
I am getting an error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'EXCEPT SELECT File_Name FROM Files_DB WHERE Display=0' at line 4
Can someone tell me how can i perform this query in an alternative form?
Thank you, Max.
As far as I know MySQL does not support theEXCEPToperator. Try this instead:
SELECT File_Name
FROM Words_DB
WHERE Word_Name=" . $element . "
AND File_Name NOT IN (
SELECT File_Name
FROM Files_DB
WHERE Display=0
)
You could also use either a correlatedNOT EXISTSor aLEFT JOIN. As I don't use MySQL much I can't say which performs best.
I think you can find better answers on the following site:
http://www.tutorialspoint.com/sql/sql-except-clause.htm
It says you can use except query. But you can also use answer provided by JPW above that instead of using except you can use NOT IN key word which works in the same way.
I'm auditing a project and I found a way to inject data in a query.
The project uses Hibernate and for this piece of code Session.createSqlQuery() and then a .list()
The SQL is something like : "SELECT * FROM tablename ORDER BY column XXXXXX"
XXXXXX can be modified using Fiddler. So I tried
SELECT * FROM tablename ORDER BY column DESC; truncate table tablename;
Unfortunately (well only for my injection attempt) it's not working and I'm getting :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'truncate table tablename'
My question is, since they're using createSQLQuery, are they safe from injection. If they're not, could you give me an example to highlight the issue.
I tried using %08 (Backspace character) thinking I would be able to delete previous query characters for example (It didn't work ;) )
Thanks.
After some research it seems I won't be able to modify data with this security hole, however using ORDER BY (CASE WHEN ...) would allow to "scan" the tables and the data.
Is the column name specified using a parameterized statement or are you just concatenating text?
ex: in perl::DBI, the drivers support the following syntax:
$dbh->do("SELECt * FROM asdf ORDER BY ?", undef, $order_by);
The ? there is a form of parameterized statement which sanitizes the input automatically.
I have the below data in my MySQL table "categories":
id Name
-----------------
1 Books & CDs
2 Dress
When I try to get the value from table it works fine with below SQL.
SELECT * FROM `categories` WHERE `name` = 'Books & Cds';
But when using in PHP, it gives me some SQL error.
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' at line 5
Where can I find the actual reason for this? How to debug this?
If you want to search for rows in your Category table in your PHP code, I recommend that you add a column in your table for a code to use instead of searching on the name that you use for the end users. The potential problem that you're facing is that if you want to change the name of a category, you'd have to find everywhere in your code that you referred to that category by name and change it too. But if your table looked like this:
ID code name
1 BCDS Books & CDs
2 DRS Dress
then your code can do things like "where code = 'BCDS'" and you can call that category "Books & CDs", "CDs and Books", or anything else you like.
Now, as far as fixing your syntax problem, you'll have to post the PHP that you use to generate the query that fails. As another poster said, you're probably escaping something incorrectly and MySQL isn't getting the query you think it's getting.