Selecting a MySql table - mysql

I have a situation where I am able to choose from multiple tables in a MySQL database. At any given time I only need to access one table.
Can I put the name of the table inside a variable and then set that within the query? Such that when I want to change the table, I only need to update a variable?
I am thinking kind of like this:
Instead of:
$order = "SELECT * FROM 2FieldForm ORDER BY ID";
do this:
$table = mysql_select_table("2FieldForm");
$order = "SELECT * FROM $table ORDER BY ID";
Now I am not sure if mysql_select_table is even valid, but I hope it gets the idea across!
Thanks in advance!

The SQL is simply a string, so have the table name inside a variable and execute the query using mysql_query():
$table_name = "users";
$order = "SELECT * FROM `".$table_name."` ORDER BY `ID`;";
mysql_query($order) OR DIE(mysql_error());
Be sure to add quotes to your table name and field in order to make sure it's properly interpreted by the database. The semi-colon at the end isn't necessary, but helps.

$table = "2FieldForm";
$order = "SELECT * FROM `$table` ORDER BY ID";
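
Both answers interpolate the table name into the SQL string. A table name cannot be sent as a bound parameter, so if the name ever depends on request input it has to be checked against a fixed list first. The following is an added example, not code from either answer; the form keys, the `3FieldForm` table and the function names are assumptions made for illustration.

```php
<?php
// Added example: the caller supplies a short key, never a table name.
// The key is mapped to a table through a fixed allowlist, so request data
// never reaches the SQL text directly.

// Assumption: "2FieldForm" is from the question; "3FieldForm" and the keys
// "two" / "three" are constructed for this example.
const TABLE_BY_KEY = [
    'two'   => '2FieldForm',
    'three' => '3FieldForm',
];

function resolveTable(string $key): string
{
    if (!array_key_exists($key, TABLE_BY_KEY)) {
        // Unknown keys are rejected outright, whatever they contain.
        throw new InvalidArgumentException('Unknown table key');
    }
    // Backtick-quote the identifier as the answers do; doubling any
    // backtick keeps the quoting valid if the list is extended later.
    return '`' . str_replace('`', '``', TABLE_BY_KEY[$key]) . '`';
}

function buildOrderQuery(string $key): string
{
    return 'SELECT * FROM ' . resolveTable($key) . ' ORDER BY `ID`';
}

// Constructed inputs: a valid key, a raw table name, and a value carrying
// a backtick that would break out of the quoting if it were interpolated.
foreach (['two', '2FieldForm', 'two` WHERE 1=1 -- '] as $input) {
    try {
        echo buildOrderQuery($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected input: ', var_export($input, true), PHP_EOL;
    }
}
```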

Related

How to save the query result in a variable and use it in another query

I want to save the last generated voucher in a variable and use it as an input for another query.
$last = $this->db->query('SELECT MAX(voucherno) AS `last` FROM `purchasebill` ORDER BY no DESC LIMIT 1')->row_array();
$result = $this->db->query("SELECT * FROM `purchaseitem` where vno= '$last[0]' ORDER BY vno " )->result_array();
I tried the above code, but it gives me an error: undefined offset 0. Help me to save the last generated voucher no in a variable.

As per the documentation, $last[0] will return the entire first row. In your case you want to access the value of MAX(voucherno), which is stored in an alias last.
Change $last[0] to $last['last'] in your next query and it shall work.
"SELECT * FROM `purchaseitem` WHERE vno = '{$last['last']}' ORDER BY vno"

WHERE clause in MySql statement breaking page

I have selected all the appropriate columns for this statement. When I change WHERE user_id = $user, and the $user is a number, that works. However it doesn't seem to like the username letters. User is a valid column in my table and 'john' does exist. What am I doing wrong?
$user = 'john';
// Set the timestamp from the current system time
$time = time();
// Put our query together:
$query = "UPDATE table set
`time` = {$time}
WHERE user = {$user}";

In your query, here:
`user_id` = {$user},
`time` = {$time}
WHERE user = {$user}";
You're pointing twice to the same value $user, one for id, one for user. Are you sure you haven't defined that value twice in your JS scripts? Try giving different names to each value and that could help.

Do you miss a "," after "{$time}"?

Check the data in the user column, I have a feeling it's numeric. If you insist on using the username then look in the MySQL documentation for a function to convert username to user-number and use it in your WHERE clause.
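
In the question's query the value is interpolated without quotes, so the statement text ends in `WHERE user = john`, and the server reads a bare word in that position as a column name, while a number is read as a literal. The following is an added example, not code from the thread; it assumes an in-memory SQLite database through PDO standing in for MySQL, and a constructed table named `activity`.

```php
<?php
// Added example. Assumptions: SQLite in memory via PDO stands in for MySQL;
// the table name `activity` and its rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE activity (user_id INTEGER, user TEXT, time INTEGER)');
$pdo->exec("INSERT INTO activity VALUES (1, 'john', 0), (2, 'mary', 0)");

$time = time();

// Numeric value interpolated unquoted: parsed as a number literal, so it runs.
$id = 1;
$n = $pdo->exec("UPDATE activity SET time = {$time} WHERE user_id = {$id}");
echo "numeric, interpolated: {$n} row(s)", PHP_EOL;

// String value interpolated unquoted, as in the question: the parser sees
// an identifier and reports that no such column exists.
$user = 'john';
try {
    $pdo->exec("UPDATE activity SET time = {$time} WHERE user = {$user}");
} catch (PDOException $e) {
    echo 'string, interpolated: ', $e->getMessage(), PHP_EOL;
}

// Bound parameters: values are sent apart from the statement text, so no
// quoting is needed and the value cannot alter the statement.
$stmt = $pdo->prepare('UPDATE activity SET time = ? WHERE user = ?');
$stmt->execute([$time, $user]);
echo 'string, bound: ', $stmt->rowCount(), ' row(s)', PHP_EOL;
```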

Sql query with multiple clauses

I have a search form something like
My Database table looks like
If the user types company name and city, I can search that using
if (!empty($_POST["company"]) && !empty($_POST["city"])) {
$company = mysqli_real_escape_string($conn,$_POST["company"]) ;
$city = mysqli_real_escape_string($conn,$_POST["city"]) ;
$result = mysqli_query($conn, "SELECT * FROM companies_active_accounts WHERE Company_Name='$company' AND City='$city'");
}
But I want a query where the first box contains the company but the second box can contain city or state. How do I write a query for that, so that it searches for the company with city/state?
Since city/state are the same box, I have given the input field the name "city".
Thank you very much!

You could use an OR condition
SELECT *
FROM companies_active_accounts
WHERE Company_Name='$company'
AND ( City='$city' OR State = '$city')

Can you select a table value in a MySql Query and edit it?

For my MySQL query, I need to select a specific value like:
$query = "Select * from playerdata where name = $name";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
However, I want to take that grabbed specific table value (the * operator) and then edit that one like so:
$newquery = "insert into [I want to insert some values from the
old query's selection] [not the general table]"
I know how to use queries and how to execute them. It would be great if I could condense both the select and the insert into one query.

You can use the SQL INSERT INTO SELECT statement:
INSERT INTO table2
Select * from playerdata where name = 'Pedro';
To use this in your PHP script it would look something like this:
$nameSafe = mysql_real_escape_string($name);
$newquery = "INSERT INTO table2
Select * from playerdata where name = '$nameSafe';";
It's good to understand the aspects of security from early on and for that PHP Security Cheat Sheet is a good read.

Is it possible to perform an SQL Injection attack where the malicious SQL is stored in a database table?

I am trying to ensure I protect against SQL Injection properly.
If I had a MySQL table T1 containing a column C1, and the value stored in C1 for a row was some SQL, is there any SQL that could be stored that would be executed when it is selected?
If it contained "SELECT * FROM T2", then selecting C1 would just return that SQL string, but I am just wondering if there is any way that the SQL stored could be executed?
I wouldn't want to store unvalidated data from a user in a db table, such that when I select it, expecting it to be First Name or something like that, it executes some malicious SQL.
Thanks,
Paul

"would be executed when it is selected?"
No.

"would be executed when it is selected?"
No, not if all you do is select the content.
You could execute the SQL only if you subsequently copy it into another string in an unsafe manner and execute that string as a query.
For example:
$sql1 = "SELECT name FROM users";
$name = $pdo->query($sql1)->fetchColumn();
// the following is unsafe:
$sql2 = "SELECT * FROM user_activity WHERE user_name = '$name'";
$stmt = $pdo->query($sql2);
This is called "second order SQL injection" and it's not uncommon. The fix is the same as for any other dynamic values in an SQL query: use query parameters.
$sql2 = "SELECT * FROM user_activity WHERE user_name = ?";
$stmt = $pdo->prepare($sql2);
$stmt->execute(array($name));
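
The two snippets in the answer above, run end to end against sample data so the difference in results is visible. This is an added example, not part of the original answer; it assumes an in-memory SQLite database through PDO standing in for MySQL, and the rows and the stored name are constructed.

```php
<?php
// Added example. Assumptions: SQLite in memory via PDO stands in for MySQL;
// table contents and the stored name are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec('CREATE TABLE user_activity (user_name TEXT, action TEXT)');
$pdo->exec("INSERT INTO user_activity VALUES ('alice', 'login'), ('bob', 'logout')");

// First step: the name is stored with a bound parameter, so the INSERT is
// not injectable. The stored text still contains quote characters.
$stored = "nobody' OR '1'='1";
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$stored]);

// Selecting the value only returns it as data; nothing in it is executed.
$name = $pdo->query('SELECT name FROM users')->fetchColumn();

// Unsafe reuse: the stored value is copied into new SQL text, where its
// quotes end the string literal and the rest is parsed as part of the
// WHERE clause, making the condition true for every row.
$unsafe = $pdo->query("SELECT * FROM user_activity WHERE user_name = '$name'")
              ->fetchAll(PDO::FETCH_ASSOC);

// Safe reuse: the same value passed as a query parameter is compared as a
// whole string against user_name and matches no row.
$stmt = $pdo->prepare('SELECT * FROM user_activity WHERE user_name = ?');
$stmt->execute([$name]);
$safe = $stmt->fetchAll(PDO::FETCH_ASSOC);

printf("stored name:              %s\n", $name);
printf("interpolated query rows:  %d\n", count($unsafe));
printf("parameterized query rows: %d\n", count($safe));
```

Values read back from the database need the same handling as request input: where they came from does not make them safe to concatenate into a statement.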