My query is throwing up this error. Can anyone see why?
$query = "SELECT * FROM Units WHERE ID = `$uniqueUnits[a]`";
Unknown column '' in 'where clause'
Two problems.
You're using backticks to delimit a string. Backticks delimit fields, so MySQL thinks you're trying to give it a column name.
The error message indicates that, in fact, this value that it thinks is a column name, is empty. So your value $uniqueUnits[a] is probably broken, or not being interpolated correctly.
You should do the following:
Interpolate your variables explictly with the "complex syntax" to be sure that the string forms properly;
Check the value of $query so that you can see what's going on:
print $query;
Use actual quotation marks to delimit strings:
$query = "SELECT * FROM Units WHERE ID = '{$uniqueUnits[a]}'";
// ^ quote
// ^ PHP variable interpolation
try
$query = "SELECT * FROM Units WHERE ID = '$uniqueUnits[a]'";
^--- ^---
Backticks are for escaping reserved words, so mysql is translating your variable's contents into a field name.
Because apparently $uniqueUnits[a] resolves to the empty string. And there is no column like this in the database.
Try surrounding your array with {}, like this:
$query = "SELECT * FROM Units WHERE ID = `{$uniqueUnits[a]}`";
Also, is column ID actually in your table?
Related
I'm trying to get a row from the database but when using binding. I know that this doesn't work because the query automatically puts single quotes so it will be like this: select model, magazine, round('name', 2) etc. This doesn't work of course but how do I get rid of the single quotes?
$merkinformation = DB::select('select Model, Magazine, round(?, 2) as Rondetijd from rondetijden where Merk = ? order by ? limit 3;', [$track, $merk, $track]);
You can't use column nmaes like this.
You must concatinate the name of the column. But this is vulnerable to sql injection. So you must check if $track has a valid content
$merkinformation = DB::select('select Model, Magazine, round(`' . $track . '` , 2) as Rondetijd from rondetijden where Merk = ? order by ? limit 3;', [$merk, $track]);
there is ['] single quote and [`] punctuation mark. If start with single quote or double quote mysql will translate that as string where punctuation mark will be recognize as field name.
Are you sure that is a single quote ?
I'd like to CONCAT two column value into one string in string in JSON format. However I have problem with the quote and double quote in the query. How do I fix my query so it success produce the expected result?
$concat = "CONCAT('{"CODE":"pm_r.CODE","NAME":"pm_r.NAME"}') AS `JSON`"
$query = $this->db->query(
'SELECT pm_r.ID_REQUIREMENT, '.$concat.'FROM `pm_requirement` `pm_r`'
);
The expected out should be:
ID_REQUIREMENT JSON
ID001 {"CODE":"001","NAME":"Shane"}
To avoid quoting clashes, a solution is to use a php HEREDOC string.
I also fixed you CONCAT, where the names of the column to concatenate should be separated from the fixed parts of the string.
$query = $this->db->query(<<<EOT
SELECT
pm_r.ID_REQUIREMENT,
CONCAT('{"CODE":"', pm_r.CODE, '","NAME":"', pm_r.NAME, '"}') AS `JSON`
FROM `pm_requirement` `pm_r`
EOT
);
https://github.com/mysqljs/mysql#introduction
mysqljs is pretty inconsistent with escaping values, or I am not understanding the docs.
Error:
this.table = 'elections';
mysql.query('SELECT * FROM ? where name = ?', [this.table, this.votesTable]
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax error:
'SELECT * FROM \'elections\' where name = \'prim1000\''
But this works:
`mysql.query('UPDATE elections SET updated_at = ? WHERE name = ?', [this.getTimeStamp(), this.votesTable])
But if I remove "elections" in the query above and put "?" instead it will throw an error. So the following won't work.
mysql.query('UPDATE ? SET updated_at = ? WHERE name = ?', [this.table, this.getTimeStamp(), this.votesTable])
Referring to the documentation page you linked to, under the section "Escaping query identifiers", you should be able to do this:
mysql.query('SELECT * FROM ?? where name = ?', [this.table, this.votesTable]
Most SQL frameworks do not allow parameters to be used for anything besides individual values. I.e. not table identifies, column identifiers, lists of values, or SQL keywords. The mysqljs library is uncommon in that it has support for quoting identifiers and key/value pairs.
Re your comment:
The ?? placeholder is for identifiers. Identifiers must be quoted differently from values. In MySQL, a string value is quoted like 'string' but an identifier is quoted with back-ticks.
SELECT * FROM `mytable` where name = 'myname'
The mysqljs class uses the ?? as a special placeholder for an identifier, so you can tell the class it must be quoted with back-ticks.
I have this query:
$sql = "
INSERT INTO table SET
name = '$name',
sku = '$number',
description = '$desc'
";
But the rows containing some special characters (in my case this ') are not inserted.. How I can solve?
Thanks in advance.
When you construct your query, you need to escape the data you are inserting.
You need to at least use addslashes() function in PHP, like this:
$sql = "INSERT INTO table SET name = '".addslashes($name)."', sku = '".addslashes($number)."', description = '".addslashes($desc)."'";
However more correct way is to use a different function than addslashes, which would properly handle all characters in the data, not only apostrophes.
I am using my custom 'escape' function like this:
function escape($text)
{
return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $text);
}
So using this function, you would write:
$sql = "INSERT INTO table SET name = '".escape($name)."', sku = '".escape($number)."', description = '".escape($desc)."'";
You must use parameterised queries instead of manually appending those values. Currently if name, number or description would contain any sql it would get executed.
A lot more detailed answer is in How can I prevent SQL injection in PHP?
Read about escaping characters in mysql. I think it is done with \
I have the following query attempting an update in CodeIgniter:
$sql = "UPDATE fanout.manual_data
SET call_leader_id = ?
WHERE id IN (?)";
$q = $this->db->query($sql, array($leaderID, implode(", ", $empIDs)));
The implode is creating a string of all the IDs in my array. However, that is resulting in the query looking like:
UPDATE fanout.manual_data SET call_leader_id = '55993' WHERE id IN ('57232, 0097726, 0076034');
When what I need is:
UPDATE fanout.manual_data SET call_leader_id = '55993' WHERE id IN (57232, 0097726, 0076034);
Only difference, is the single quotes surrounding the string of IDs. Is this something I need to do myself and skip over CI's query bindings (http://codeigniter.com/user_guide/database/queries.html) or is something CI can handle and I'm just missing a step?
Thanks.
I don't think you can skip that behavior. You're technically passing a string, so CI interprets it as such and simply surrounds it with quotes.
I think you're better off simply concatenating the $empIDs by hand (e.g. using a foreach loop), escaping them with $this->db->escape() in case you wanna be sure.