This question already has answers here:
Getting raw SQL Queries in CodeIgniter 1.7
(5 answers)
Closed 8 years ago.
I am just wondering if there is a built in function to call if you want to get the generated mysql generated string in codeigniter. Consider the following example
$this->db->from('mytable');
$this->db->where('id', $id);
$query = $this->db->get();
I just wondering if there is return $this->db->return_string() that would result to
SELECT * FROM mytable blablablabla blablabla
I am scheming through out their site but seems cannot find what I am looking for.. any input guys?
you could try this:
echo $this->db->last_query();
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 months ago.
I have the written the following code which works fine and shows me the nickname:
$stmt2 = $pdo->query("SELECT nick FROM users WHERE ID=12");
$nn = $stmt2->fetch();
echo $nn["0"];
now I tried to do it as a prepared statement, so I can use different ID numbers. But it does not work, it display nothing.
$stmt3 = $pdo->prepare("SELECT nick FROM users WHERE ID=?");
$stmt3->execute(12);
$nn3 = $stmt3->fetch;
echo $nn3["0"];
I tried looking if I did something wrong but i simply can not see what is wrong the prepared statement.
You need to pass an array as the argument to the execute method when using a prepared statement. The argument should contain the values that you want to bind to the placeholders in the prepared statement. In your case, you need to pass an array containing the value of the ID you want to use as the parameter in the query.
$stmt3->execute([12]);
You are missing the () after fetch when trying to retrieve the result from the prepared statement. The fetch method returns a row from the result set as an array, so you need to call it like a function to retrieve the result.
$nn3 = $stmt3->fetch();
When accessing an element in the array returned by fetch, you need to use the key of the element, not its index. In this case, you can use the key "nick" to access the nickname.
echo $nn3["nick"];
Here's the corrected code:
$stmt3 = $pdo->prepare("SELECT nick FROM users WHERE ID=?");
$stmt3->execute([12]);
$nn3 = $stmt3->fetch();
echo $nn3["nick"];
This question already has answers here:
"Notice: Undefined variable", "Notice: Undefined index", "Warning: Undefined array key", and "Notice: Undefined offset" using PHP
(29 answers)
Closed 6 years ago.
I'm attempting to make a column be included only if the ID of the column is in the web address. But it's not returning the data. Any suggestions?
This is what my code looks like
$sql="SELECT * FROM orders WHERE `orders`.`id`= '$form_id'";
$order_data=mysql_query($sql);
$form_id=$_GET['id'];
If anyone has any suggestions, please let me know.
You may use this
$form_id=$_GET['id'];
$sql="SELECT * FROM orders WHERE `orders`.`id`= '$form_id'";
$order_data=mysql_query($sql);
Hopefully this will solve your problem
This question already has answers here:
how to pass a not like operator in a sqlalchemy ORM query
(2 answers)
Closed 9 years ago.
By "reverse version of like" I mean exactly like this question. The question is how to make a query like that in sqlalchemy?
I found out that to make "SELECT LIKE" query in sqlalchemy I should make something like that
session.query(Book).filter(Book.title.like("%"+my_title+"%"))
Because like is method of column, I don't know how to use like method to ask about "%" + Book.title + "%".
Thanks to this question, I figure out how to do that :)
session.query(Book).
filter(bindparam('book_title', book.title).contains(Book.title)).first()
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
Is this code protected enough against sql injection
if(isset($_POST['Submit']))
{
$user = mysql_real_escape_string($_POST["user"]);
$pass = mysql_real_escape_string($_POST["pass"]);
$confirm_key=md5(uniqid(rand()));
$query = mysql_query("INSERT INTO members
(user, pass, mail, confirm_key, country, city, www, credo)
VALUES ('$user','$pass','$_POST[mail]','$confirm_key','$_POST[country]','$_POST[city]','$_POST[www]','$_POST[credo]')")
or die ("Error during INSERT INTO members: " . mysql_error());
exit();
}
Is this the right way and must be each input (like country, city...) be protected ?
DO NOT USE mysql_query for new applications. You should be using mysqli or PDO to do your escaping with placeholders. There are many examples you can use.
Generally your SQL should look like:
INSERT INTO `table` (column) VALUES (?)
It SHOULD NOT look like:
INSERT INTO `table` (column) VALUES('$dangerous_user_content')
If you use placeholders properly it's almost impossible to create a SQL injection hole.
http://php.net/manual/en/function.mysql-real-escape-string.php
Even the php docs say don't use mysql_real_escape_string
I'm giving my users the ability to create their own MySQL queries. Don't worry, I'm taking all the sql injection etc into account.
What I am wanting to do is validate the parentheses they use while creating their query...
So lets say they their query looks like this:
$string = '1 AND (2 OR 3) AND (4 AND (5 OR 6)';
See how they didn't close the open parenthesis before the number 4? Is there any regex I could run on this to validate any open or closed parentheses that haven't been added correctly?
I've been playing and searching everywhere but I have no idea how to make this work.
Thanks #Jayantha! Here's the solution I found from clicking your link:
$string = '1 AND (2 OR 3) AND (4 AND (5 OR 6)';
if (!preg_match("/^((?:[^()]|\((?1)\))*+)$/", $string, $matches))
echo 'Your parentheses are wrong!';