String name = request. getParameter ("name");
String queryString ="SELECT * FROM empy WHERE name LIKE '%'"+sname+"''";
I am using this query to search textfiled entering values. But it displays an error message..
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'textfiled value''' at line 1
You are trying to use the invalid variable 'sname' whereas you have declared the variable as 'name'
Try this
String queryString :
"SELECT * FROM empy WHERE name LIKE '%"+name+"'";
Also, if you can see the logs, see that the query generated is correct or not by hitting it directly on MySQL.
Remove the extra ' from your query. It should be like this:
SELECT * FROM empy WHERE name LIKE '%MySname'
Try this: "SELECT * FROM empy WHERE name LIKE '%" + sname + "'"
The variable name is name not sname. Also remove the ''
String queryString ="SELECT * FROM empy WHERE name LIKE '%"+name+"'";
Try this
String queryString ="SELECT * FROM empy WHERE name LIKE '%" + name + "';
Related
I'm using nodeJs and mysql package.
I want to use LIKE sql statement with varibale.
this is source code :
var likemobile = '%'+mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid',
vtiger_contactaddress.mobile,
vtiger_contactaddress.phone
FROM `vtiger_contactaddress`
INNER JOIN `vtiger_crmentity`
ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND
vtiger_crmentity.deleted=0 AND
vtiger_contactaddress.mobile LIKE "+likemobile+" OR
vtiger_contactaddress.phone LIKE "+likemobile;
and this is error that returns:
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th
at corresponds to your MySQL server version for the right syntax to use near '%8
8436500 OR vtiger_leadaddress.phone LIKE %88436500' at line 1
You need to enclose the like pattern in single quotes.
Two other suggestions:
Only use single quotes for string and date constants (not column aliases).
Use parameterized queries, so you are not putting user input into query strings.
If you indeed are using node-mysql, you should run queries as instructed in the documentation. Assuming you have a connection object already, querying with bind variables becomes simple:
connection.query({
sql : "SELECT vtiger_contactaddress.contactaddressid as leadid, "
+ " vtiger_contactaddress.mobile, "
+ " vtiger_contactaddress.phone "
+ "FROM `vtiger_contactaddress` "
+ "INNER JOIN `vtiger_crmentity` "
+ " ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid"
+ " AND vtiger_crmentity.deleted=0 AND "
+ " (vtiger_contactaddress.mobile LIKE concat('%', ?) OR "
+ " vtiger_contactaddress.phone LIKE concat('%', ?))",
values: [mobile, mobile]
}, function (error, results, fields) {
// error will be an Error if one occurred during the query
// results will contain the results of the query
// fields will contain information about the returned results fields (if any)
});
Things to note here:
Bind variables are used, preventing SQL Injection
The concat function is used for prefixing the (sanitized) input with the wildcard character (%)
The two query conditions that are ORed together are now separated with parenthesis from vtiger_crmentity.deleted=0, which is probably what you want
You need to write the resultset-handling code in the callback function, accessing the data through the results and fields variables
#Gordon Linoff is correct. Somelike this:
var likemobile = mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid', vtiger_contactaddress.mobile, vtiger_contactaddress.phone FROM `vtiger_contactaddress` INNER JOIN `vtiger_crmentity` ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND vtiger_crmentity.deleted=0 AND vtiger_contactaddress.mobile LIKE '%"+likemobile+"%' OR vtiger_contactaddress.phone LIKE '%"+likemobile+"%'";
... AND vtiger_contactaddress.mobile LIKE '%" + likemobile + "%' OR vtiger_contactaddress.phone LIKE %" + likemobile + "%";
try this..
var likemobile = mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid',
vtiger_contactaddress.mobile,
vtiger_contactaddress.phone
FROM `vtiger_contactaddress`
INNER JOIN `vtiger_crmentity`
ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND
vtiger_crmentity.deleted=0 AND
vtiger_contactaddress.mobile LIKE '% "+likemobile+"%' OR
vtiger_contactaddress.phone LIKE '%"+likemobile +"%'";
How do I write an SSRS Wildcard search in the Report Parameters
SELECT *
FROM Table1
WHERE Table1.Name = LIKE '%'#Name'%'
or
WHERE Table1.Name = in (:Name)?
How do I do this in SSRS?
Say I have a very simple self-contained query in the report:
with val as
(
select val = 'ABC'
union all select 'DEF'
union all select '1ABC3'
)
select *
from val
where val like #Param
I also have a parameter called Param in the report.
By default, even though I have like in the query, there are no wildcards so only exact matches will be returned:
If we look at the Dataset Properties, we can update the parameter being passed to add wildcards. By default it looks like this:
Change the Parameter Value expression to:
="%" & Parameters!Param.Value & "%"
Now the query text will be using a parameter with wildcards, so partial matches are returning data in the report:
Alternative method
Actually, thinking about this, perhaps an easier way to achieve the above is to do something like this in the report query text:
SELECT *
FROM Table1
WHERE Table1.Name = LIKE '%' + #Name + '%'
i.e. Just concatenate the wildcards directly to the parameter string. This works identically to the first option.
This is how I did it:
Create a report parameter (data type text) named MyFilter
Create a DataSet ReportData with an expression for the source query, something like:
="SELECT FilteredField, FieldValue FROM DataTable " & IIF(Parameters!MyFilter.Value.ToString() = "", "", "WHERE
FilteredField LIKE '%" &
REPLACE(REPLACE(Parameters!MyFilter.Value.ToString(),"*","%"),"?","_")
& "%'")
As you can see, I have a basic SELECT statement which I concatenate with an empty string if the value for MyFilter is an empty string. If a value is filled in, I add a WHERE clause in which I replace the "*" by "%" and "?" by "_"
This is just a simplified version of what we actually did, allowing only "?" and "*" to be used as wildcards, but it works fine for our users.
Use this will solve ur issue
="" & Parametername.value & ""
I've read almost every single thread around the net about the Unknown column 'dfsd' in 'where clause
the dfsd is the string that I entered through a html form using the post method..
the php file(where the forms data are being sent) just checks if the line above is an existing user name.
function authCheck($usr,$psw){
print $usr;
mysql_real_escape_string($usr);
$sql = "select usrNameMarket from marketusr where usrNameMarket=$usr";
$result = mysql_query($sql) or die(mysql_error());
$records=mysql_num_rows($result); //elenxw gia eggrafes
if($records){
$queryData=mysql_fetch_array($result);
if($queryData['usrNameMarket']==$usr){
$usrNameChk="ok";
}
else{
$usrNameChk=null;
}
}
else{
$usrNameChk=null;
}
rest of the file ....
I get the error from MySQL telling me the column doesn't exist (although the value has been passed correctly, that's why I used the print function just to double check it)...
I add the single quotes:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";
Then I get a syntax error when mysql_query executes...
Then I tried
$sql = "select usrNameMarket from marketusr where usrNameMarket='".$usr."'";
Still I get the same syntax error.
I don't know what is wrong I've tried everything...
Is it possible that I get that error because of the database structure or scheme or the data type of that field(which is varchar)?
Use marketusr.usrNameMarket instead of just usrNameMarket
try with:
$sql = "select usrNameMarket from marketusr where usrNameMarket='$usr'";
I am trying to query some tables in my database using a simple dropdown in which the name of the tables are listed. the query has only one record result showing the name and age of the youngest institute registered in the database!
$table = $_GET['table'];
$query = "select max('$table'.est_year) as 'establish_year' from '$table' ";
I need to send the name of the table as variable to the querier php file. no matter the method is GET or POST in both ways when I put the variable name in the query statement, it gives the error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.order) as 'last' from 'customers'' "
You are wrapping the table name in single quotes, which is not valid SQL (that's the syntax for strings, not table names). You should either not wrap the name at all or else wrap it in backticks (on the american keyboard layout, that's the key above TAB).
You should also not quote the alias established_year:
select max(`$table`.est_year) as establish_year from `$table`
Also, your code is vulnerable to SQL injection. Fix this immediately!
Update (sql injection defense):
In this case the most appropriate action would likely be to validate the table name against a whitelist:
if (!in_array($table, array('allowed_table_1', '...'))) {
die("Invalid table name");
}
single quote ('), in mysql, it represents string value.
SELECT *, 'table' FROM `table`;
Demo
So your query should be
$table = $_GET['table'];
$query = "select max($table.est_year) as 'establish_year' from $table ";
Also read old post, phpmyadmin sql apostrophe not working.
Also your code is vulnerable to SQL Injection. You can use something like this
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = #trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
$firstName = clean($_POST['firstName']);
$lastName = clean($_POST['lastName']);
.
.
.
My query is throwing up this error. Can anyone see why?
$query = "SELECT * FROM Units WHERE ID = `$uniqueUnits[a]`";
Unknown column '' in 'where clause'
Two problems.
You're using backticks to delimit a string. Backticks delimit fields, so MySQL thinks you're trying to give it a column name.
The error message indicates that, in fact, this value that it thinks is a column name, is empty. So your value $uniqueUnits[a] is probably broken, or not being interpolated correctly.
You should do the following:
Interpolate your variables explictly with the "complex syntax" to be sure that the string forms properly;
Check the value of $query so that you can see what's going on:
print $query;
Use actual quotation marks to delimit strings:
$query = "SELECT * FROM Units WHERE ID = '{$uniqueUnits[a]}'";
// ^ quote
// ^ PHP variable interpolation
try
$query = "SELECT * FROM Units WHERE ID = '$uniqueUnits[a]'";
^--- ^---
Backticks are for escaping reserved words, so mysql is translating your variable's contents into a field name.
Because apparently $uniqueUnits[a] resolves to the empty string. And there is no column like this in the database.
Try surrounding your array with {}, like this:
$query = "SELECT * FROM Units WHERE ID = `{$uniqueUnits[a]}`";
Also, is column ID actually in your table?