This question already has answers here:
how to pass a not like operator in a sqlalchemy ORM query
(2 answers)
Closed 9 years ago.
By "reverse version of like" I mean exactly like this question. The question is how to make a query like that in sqlalchemy?
I found out that to make "SELECT LIKE" query in sqlalchemy I should make something like that
session.query(Book).filter(Book.title.like("%"+my_title+"%"))
Because like is method of column, I don't know how to use like method to ask about "%" + Book.title + "%".
Thanks to this question, I figure out how to do that :)
session.query(Book).
filter(bindparam('book_title', book.title).contains(Book.title)).first()
Related
This question already has answers here:
How to pass a variable to a IN clause?
(4 answers)
Closed 5 years ago.
I need to define a list of variables to use in multiple MySQL queries.
The variable will be a list of mails. I have tried to define it in different ways but it always gives me error in the construction.
SET #listamails='mail1#gmail.com,mail2#gmail.com';
Select * from user WHERE mail IN (#listamails);
Any ideas?
Thank you
You cannot pass in a list to IN using a single variable. The simplest solution in MySQL is find_in_set():
Select u.*
from user u
where find_in_set(mail, #listamails) > 0;
However, this cannot take advantage of an index. For that, you might want to use dynamic SQL.
Try this
SET #listamails='mail1#gmail.com','mail2#gmail.com';
Select * from user WHERE mail IN (#listamails);
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$s = "Update member_date" [snip]
$p = $pdo->prepare($s, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$p->execute();
Is that considered a "prepared" statement to justify being secure from SQL injection-type attacks?
UPDATE:
$member_id= htmlspecialchars($_GET['member_id']);
s1 = "
update member_date
set member_date= now()
where member_id= $member_id";
OVERALL QUESTION: "Is this how I should format all my new SQL-related code? I'm just finally making the switch from old mysql statements after reading my (new) error logs. Do I need to add in the question mark placeholders for strings and such or is the format how I have it at the first line of code ok for security purposes? I know the SQL I need to get the tasks accomplished just not the PDO security parts."
No. You are not using a prepared statement as intended. What you should do is add your $id as a paramater, and so separate your content (id) from your code (sql).
While you can do safe SQL with filtering yourself, the absolute best way is to, as you put it:
add in the question mark placeholders for strings and such
You can say "this needs to be an int, and then it will never be something scary like a " or some code that does magic with your query.
PDO is the best way to avoid sql injection that may attack the server. The code looks fine though. But PHP PDO is the absolute right way to avoid sql injection.
This question already has answers here:
"Notice: Undefined variable", "Notice: Undefined index", "Warning: Undefined array key", and "Notice: Undefined offset" using PHP
(29 answers)
Closed 6 years ago.
I'm attempting to make a column be included only if the ID of the column is in the web address. But it's not returning the data. Any suggestions?
This is what my code looks like
$sql="SELECT * FROM orders WHERE `orders`.`id`= '$form_id'";
$order_data=mysql_query($sql);
$form_id=$_GET['id'];
If anyone has any suggestions, please let me know.
You may use this
$form_id=$_GET['id'];
$sql="SELECT * FROM orders WHERE `orders`.`id`= '$form_id'";
$order_data=mysql_query($sql);
Hopefully this will solve your problem
This question already has answers here:
Getting raw SQL Queries in CodeIgniter 1.7
(5 answers)
Closed 8 years ago.
I am just wondering if there is a built in function to call if you want to get the generated mysql generated string in codeigniter. Consider the following example
$this->db->from('mytable');
$this->db->where('id', $id);
$query = $this->db->get();
I just wondering if there is return $this->db->return_string() that would result to
SELECT * FROM mytable blablablabla blablabla
I am scheming through out their site but seems cannot find what I am looking for.. any input guys?
you could try this:
echo $this->db->last_query();
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Is there a combination of “LIKE” and “IN” in SQL?
The first where clause below runs fine for me but it does not pick up contacts that might have 45211-1234 or 45213-4321
SELECT * FROM contacts
WHERE zipcode IN ('45211','45213')
I thought I could change the where clause to the below to fix, but it fails.
SELECT * FROM contacts
WHERE zipcode IN ('45211%','45213%')
How might I change this so it brings back anything that has proper zip + dash + any zip4? For example, 45211-1234 or 45213-4321.
Note I have whole bunch of zipcodes to enter, not just these two.
How about this:
SELECT * FROM contacts
WHERE Left(zipcode,5) IN ('45211','45213')