I'm giving my users the ability to create their own MySQL queries. Don't worry, I'm taking all the sql injection etc into account.
What I am wanting to do is validate the parentheses they use while creating their query...
So lets say they their query looks like this:
$string = '1 AND (2 OR 3) AND (4 AND (5 OR 6)';
See how they didn't close the open parenthesis before the number 4? Is there any regex I could run on this to validate any open or closed parentheses that haven't been added correctly?
I've been playing and searching everywhere but I have no idea how to make this work.
Thanks #Jayantha! Here's the solution I found from clicking your link:
$string = '1 AND (2 OR 3) AND (4 AND (5 OR 6)';
if (!preg_match("/^((?:[^()]|\((?1)\))*+)$/", $string, $matches))
echo 'Your parentheses are wrong!';
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I hope you all have a good day.
Actually I'm deploying a query to get a complete array of data. But the fact is that I need an Id, first of all, I guess, I must get the last Id first, then I can apply a mathematic operation to get its value + 1. The fact is that I've been trying different sentences and queries with no result.
This is my code:
function obtener_Id(){
global $mysqli;
$resultado_oId = $mysqli ->query("SELECT TOP 1 'id' FROM 'pacient' ORDER BY RowID DESC ")
$id_sacada = mysqli_fetch_assoc($resultado_oId);
$id_enLaMano = $id_sacada['id'];
return $id_enLaMano;
//$id_dinamica = $id_enLaMano + 1;
//return $id_dinamica;
}
As you can see guys, I've commented on the last two lines, cause I´m looking to get at least a value (The result from a query) But Idk if that is correct. Looking on the Internet I've seen relative posts which are solved just to apply the query that we can view under global declarations...
I've tried that on phpMyAdmin with no results and a bunch of errors...
You guys know the correct way to get the max value in the Id column? Or even if I'm doing badly correct me.
A lot of hugs and Luck!
Mizar ^^
I would suggest putting the serial number in a table. Read the serial no before insert, (lock the table, if required) insert the data, then increase the serial no by 1 and update the serial no table with increased value.
This question already has answers here:
How to pass a variable to a IN clause?
(4 answers)
Closed 5 years ago.
I need to define a list of variables to use in multiple MySQL queries.
The variable will be a list of mails. I have tried to define it in different ways but it always gives me error in the construction.
SET #listamails='mail1#gmail.com,mail2#gmail.com';
Select * from user WHERE mail IN (#listamails);
Any ideas?
Thank you
You cannot pass in a list to IN using a single variable. The simplest solution in MySQL is find_in_set():
Select u.*
from user u
where find_in_set(mail, #listamails) > 0;
However, this cannot take advantage of an index. For that, you might want to use dynamic SQL.
Try this
SET #listamails='mail1#gmail.com','mail2#gmail.com';
Select * from user WHERE mail IN (#listamails);
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$s = "Update member_date" [snip]
$p = $pdo->prepare($s, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$p->execute();
Is that considered a "prepared" statement to justify being secure from SQL injection-type attacks?
UPDATE:
$member_id= htmlspecialchars($_GET['member_id']);
s1 = "
update member_date
set member_date= now()
where member_id= $member_id";
OVERALL QUESTION: "Is this how I should format all my new SQL-related code? I'm just finally making the switch from old mysql statements after reading my (new) error logs. Do I need to add in the question mark placeholders for strings and such or is the format how I have it at the first line of code ok for security purposes? I know the SQL I need to get the tasks accomplished just not the PDO security parts."
No. You are not using a prepared statement as intended. What you should do is add your $id as a paramater, and so separate your content (id) from your code (sql).
While you can do safe SQL with filtering yourself, the absolute best way is to, as you put it:
add in the question mark placeholders for strings and such
You can say "this needs to be an int, and then it will never be something scary like a " or some code that does magic with your query.
PDO is the best way to avoid sql injection that may attack the server. The code looks fine though. But PHP PDO is the absolute right way to avoid sql injection.
I have a simple PHP script that does a FULLTEXT search inside a MySQL database. I am hoping there is something I can do on the PHP side to resolve this as it seems there is not much I can do on the MySQL side.
I currently have this in a PHP class, and works 100% in my localhost but fails when uploading to my shared Godaddy hosting.
$pieces = explode(" ", $searchstring);
$searchwords = '';
foreach($pieces as $value) {
$searchwords .= '+'.$value.' ';
}
$sql = "SELECT * FROM items WHERE MATCH ( ItemName, ItemDescription ) AGAINST ('$searchwords' IN BOOLEAN MODE)";
I have done a lot of research on a solution to this but haven't found any answers yet. All documentation and forums suggest to change the my.ini file ft_min_word_len=4 to for example ft_min_word_len=0 which works perfectly when testing on my localserver.
Since I need to upload my project to a godaddy shared hosting account I am unable to change the my.ini configuration file so I need a work around this error.
Example of what I am trying to achieve:
Search for 'iphone 5 LCD' the database will return all the results that have 'iphone' so it will show all 'iphone 4 home button' 'iphone 3 back' because from the original search query it skips the '5' and the 'lcd' for being less than 4 charcters. In my local copy since ft_min_word_len is set to ft_min_word_len=0 'iphone 5 lcd' only returns the items that I actually need! It works just perfect! I have attempted to fill short words like '5' with '5...' or '5___' or 'LCD_' or 'LCD*' or '5*' but it does not work. I read a solution that suggested 'padding' the short words but they didn't explain what characters to use.
Wouldn't a LIKE clause work.
Cut your search words to the desired length in php, then query WHERE (columnA LIKE '$searchword%' OR columnB LIKE '$seachword%')
or simply use php strlen to remove the words shorter than desired.
This question already has answers here:
MySQL find_in_set with multiple search string
(7 answers)
Closed 9 years ago.
The following query works good.
SELECT FIND_IN_SET('b','a,b,c,d');
// output -> 2
I need to fetch the record having multiple options. Just for an example,
SELECT FIND_IN_SET('b,c','a,b,c,d');
// output -> ??????????
Please how do i get the record with multiple selection option "b,c" in "a,b,c,d".
mysql function find_in_set can search only for one string in a set of strings.
the second its not a string in set of strings
take a look here
edit:
to change the mode
This can be done in two ways...
1- Open your "my.ini" file within the MySQL installation directory, and look for the text "sql-mode".
Find:
Code:
Set the SQL mode to strict sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Replace with:
Code:
Set the SQL mode to strict sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
Or
2- You can run an SQL query within your database management tool, such as phpMyAdmin:
Code:
SET ##global.sql_mode= '';