I would like to know if there is a away to remove the backtick in the default SQL query window for all queries in phpymyadmin (on Linux)
I'm thinking there might be a phpmyadmin config file responsible for this setting.
For example:
In order to build a query based on the current table invoices, I would first click on the SQL tab in phpmyadmin window, and this is what appears:
SELECT * FROM invoices WHERE 1
If I then select a table column on the right hand side to add to the query, eg. invoice_number, the query may then read:
SELECT * FROM invoices WHERE invoice_number
What I want is:
1) for the default SQL (ie when I first press SQL tab) to read:
SELECT * FROM invoices WHERE 1
and
2) as I build the query with selected columns from the right, it would then read:
SELECT * FROM invoices WHERE invoice_number
and so on and so forth.
There surely must be a config setting somewhere in the phpmyadmin environment that I can adjust so that no backtick or quote_backtick ever appears in the SQL I build?
Any ideas appreciated.
At this point it is easier to modify the backquote function in
libraries/Util.class.php:881
Replace $do_it default value from true to false
public static function backquote($a_name, $do_it = true)
to
public static function backquote($a_name, $do_it = false)
The actual source code shows that there is no such configuration entry (backquote is hardcoded):
A possible solution is to edit these lines in sql_query_form.lib.php:
line1
$query = PMA_Util::expandUserString(
$GLOBALS['cfg']['DefaultQueryDatabase'], 'backquote'
);
replace to:
$query = PMA_Util::expandUserString(
$GLOBALS['cfg']['DefaultQueryDatabase']
);
line2
$query = PMA_Util::expandUserString(
$GLOBALS['cfg']['DefaultQueryTable'], 'backquote'
);
replace to:
$query = PMA_Util::expandUserString(
$GLOBALS['cfg']['DefaultQueryTable']
);
line3
$html .= '<option value="'
. PMA_Util::backquote(htmlspecialchars($field['Field'])) . '"';
replace to:
$html .= '<option value="'
. htmlspecialchars($field['Field']) . '"';
(It seemed to be working for phpmyadmin 4.0.10.)
Related
I am creating a reset password procedure. this way:
1- Send reset email to the user (whom forgot his/her password), and this email contain a link to this address:
http://www.example.com/resetpassword.php?userid=1b2798bad6ee465d967cdb71ced504f7
The value of the parameter [userid] is generated by this PHP code:
<?php
md5($row_Recordset2['userID'].date('d-m-Y'));
?>
Note: I did this so that I can get a unique parameter value containing: The MD5 hash of the real user id + the current date (concatenation) , Why? so the link in the email will be available for the current date only. I do not want that link to work in the next day.
2- When the person click on the above link, he/she will be taken to the page [resetpassword.php]
3- In the page [resetpassword.php] page I have this piece of code:
$colname_Recordset1 = "-1";
if (isset($_GET['userid'])) {
$colname_Recordset1 = $_GET['userid'];
}
mysql_select_db($database_aaa_database, $aaa_database);
$query_Recordset1 = sprintf("SELECT * FROM users WHERE md5(CONCAT(userID,
DATE_FORMAT(NOW(),'%d-%m-%Y'))) = %s ", GetSQLValueString($colname_Recordset1,
"text"));
$Recordset1 = mysql_query($query_Recordset1, $aaa_database) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
The SELECT statement return [Query was empty] ... What is the problem and how to solve it?
I have tested this MySQL statement manually:
SELECT userFirstName, md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y'))) from users
And it return many rows, one of the rows is like this:
Sam 1b2798bad6ee465d967cdb71ced504f7
So, the:
md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y')))
works fine and it return the same exact value generated by the PHP code :
<?php
md5($row_Recordset2['userID'].date('d-m-Y'));
?>
PHP give: 1b2798bad6ee465d967cdb71ced504f7
MySQL give: 1b2798bad6ee465d967cdb71ced504f7
But this:
md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y')))
seems to be NOT WORKING in the WHERE clause:
sprintf("SELECT * FROM users WHERE md5(CONCAT(userID,
DATE_FORMAT(NOW(),'%d-%m-%Y'))) = %s ", GetSQLValueString($colname_Recordset1,
"text"));
By the way, I am using Dreamweaver.
I don't know how to solve this problem. Any help will be highly appreciated.
i have a problem i need to delete from cache table specific rows. I have like 3 rows to delete by one submit.
cache_73_content
cache_73_work
cache_73_header
I tried like this :
$cache_delete = sprintf('cache_%s', $form_state['values']['node_tid']) . '%';
db_delete('cache')
->condition('cid', $cache_delete)
->execute();
But didn't work. Please need your help
It would make more sense to use the API:
$cache_delete = sprintf('cache_%s', $form_state['values']['node_tid']);
cache_clear_all($cache_delete, 'cache', TRUE);
If you must use the database directly:
$cache_delete = sprintf('cache_%s', $form_state['values']['node_tid']) . '%';
db_delete('cache')
->condition('cid', $cache_delete, 'LIKE')
->execute();
Are there pre-existing libraries that will take a user input and transform it into a SQL WHERE clause?
For example given a database that has columns first_name, last_name, and address the user could input something like:
John State St
and the library would build a query such that it would return rows that match a guy named John that lived on State St (or a guy named State that lived on John St, for that matter).
It could also support things like specifying the column:
first_name:John address:State
I have some simple code to handle some of these cases already but it's getting a little unwieldily. I would think there are some pre-existing solutions to this problem but I'm having a hard time finding them. Generally, the problem is how to enable the user to easily search a structured database with a single input field.
In this matter you can break down string as multiple values using string manipulation, and then search for each word in each column using "or" conditions.
additionally you can define index on columns so as to achieve faster search.
You might have tried this technique since you mentioned, but you have to look up each word in each column
Jquery UI autocomplete could be what you are looking for. the css along with it is also necessary please see this link http://api.jqueryui.com/autocomplete/ for the .js ans css needed.
$( "#myInputBoxId" ).autocomplete({
source: "search.php",
minLength: 2,
select: function( event, ui ) {
log( ui.item ?
"Selected: " + ui.item.value + " aka " + ui.item.id :
"Nothing selected, input was " + this.value );
}
});
and in search.php
<?php
include 'config.php';
$results =array();
$req = "SELECT product_name "
."FROM table4 "
."WHERE product_name LIKE '%".$_REQUEST['term']."%' LIMIT 5";
$query = mysqli_query($con,$req);
while($row = mysqli_fetch_array($query))
{
array_push($results,$row['product_name']);
}
echo json_encode($results);
}
For example, user wants to search the movie database, by director's last name, so the user will type in Smith and then in the drop down menu will choose Director's Last Name. I just need to know how to get the post variables into the SELECT --> WHERE function
$columnsch = $_POST["columnsearch"];
$contentsch = $_POST["contentsearch"];
$result = mysql_query("SELECT * FROM movies WHERE $columnsch ='$contentsch'");
if (!$result) {
die ("Database Query Failed: ".mysql_error());
I know the above code is incorrect but it gives the general idea of what I want to achieve.
Zdravko, Im really new to this, Im not sure where your lines of code for example the sql would fit in with what I have.
you can do 2 things: first is to generate the sql based on the search criteria:
sql = sql + 'WHERE ' + SearchField + ' = "'+ SearchValue + '";'
the other is to write sql like this:
WHERE (#SearchField = 'Director' and Ditector = #SearchValue)
OR (#SerarchField = 'Star' and Star = #SearchValue)
....
I know I am simply missing the simplest thing here but cant seem to figure it out.
so this works with this code but changes all rows of the database as opposed to just the one with the page id...
<? $pageid= $_GET["id"];
$sql = "SELECT id, first_name, last_name, email, bio, job, job2, job3 FROM `".weapons."` WHERE id = $pageid";
if(isset($_POST['Update']))
{
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$job = $_POST['job'];
$job2 = $_POST['job2'];
$job3 = $_POST['job3'];
$bio = $_POST['bio'];
$email = $_POST['email'];
$sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name'";
if (#mysql_query($sql)) {
echo('<p>Update Complete</p>');
} else {
echo('<p>Error updating: ' . mysql_error() . '</p>');
}
}else{ ...
however when adding the WHERE clause, like as follows
$sql = "UPDATE weapons SET first_name='$first_name', email='$email' , job='$job', job2='$job2', job3='$job3', bio='$bio', last_name='$last_name' WHERE id = $pageid";
I get an error
Error updating: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Any help would be great, thanks
EDIT
I actually missed a super easy thing, which is what I initially assumed, I had at first in my form had <form method='post' enctype='multipart/form-data' action='submit.php'> however that obviously messed up the get id because there isnt an idea, so even if that page was submit.php?id=4 when you hit submit it wouldnt run because the id would be gone.
Switching the code to <form method='post' enctype='multipart/form-data' action='#'> did just the trick.
Thanks for the help guys and I am looking into the sql injection now and working on how to better secure my site.
Please escape your strings before you create your SQL statement. Various characters in your input values will both break your query and open a HUGE security hole. That may very well be your problem. Look at this post for more info How can I prevent SQL injection in PHP?
In short, you assignments would look like this:
$first_name = mysql_real_escape_string($_POST['first_name']);
echo $sql; before you run it and post what that outputs.