I'm running the following query:
INSERT INTO deal (`site_id`, `status`, `slug`, `title`, `description`, `condition`, `sale_price`, `shipping`, `deal_url`, `buy_url`, `start`, `added`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW()) ON DUPLICATE KEY UPDATE `site_id` = ?,`status` = ?,`slug` = ?,`title` = ?,`description` = ?,`condition` = ?,`sale_price` = ?,`shipping` = ?,`deal_url` = ?,`buy_url` = ?,`start` = ?
Built by this code:
$this->db->query('INSERT INTO
deal
(`'.implode('`, `', array_keys($insert)).'`, `added`)
VALUES
('.implode(', ', array_fill(0, count($insertValues), '?')).', NOW())
ON DUPLICATE KEY UPDATE
'.implode(',', array_keys($update)), array_merge($insertValues, array_values($update)));
The issue with this is that my query isn't properly escaping....
INSERT INTO deal (`site_id`, `status`, `slug`, `title`, `description`, `condition`, `sale_price`, `shipping`, `deal_url`, `buy_url`, `start`, `added`) VALUES ('2', 1, http://www.woot.com/sale/sony-dash-personal-internet-viewer-7, 'Sony Dash Personal Internet Viewer', 'Finally, someone made me my own, personal internet!', 'New', '69.99', $5 shipping, http://www.woot.com/sale/sony-dash-personal-internet-viewer-7, , 1305867600, NOW()) ON DUPLICATE KEY UPDATE `site_id` = '2',`status` = 1,`slug` = http://www.woot.com/sale/sony-dash-personal-internet-viewer-7,`title` = 'Sony Dash Personal Internet Viewer',`description` = 'Finally, someone made me my own, personal internet!',`condition` = 'New',`sale_price` = '69.99',`shipping` = $5 shipping,`deal_url` = http://www.woot.com/sale/sony-dash-personal-internet-viewer-7,`buy_url` = ,`start` = 1305867600
I have XSS filtering setup.... am I missing something?
Odd. What's the database definition? The only thing I can think of is that the DB layer is concluding that some of those columns don't need escaping.
Related
I have a MySQL query that filters all emails from a csv file and combine multiple records before inserting them to a custom datatable in wordpress. This works:
$cntSQL = "SELECT count(*) as count FROM {$tablename} WHERE email='".$email."'";
but i need a multiple condition like following but this is not working
$cntSQL = "SELECT count(*) as count FROM {$tablename} WHERE email='".$email."' AND phone='".$phone."'";
I also tried this but not working.
$cntSQL = "SELECT count(*) as count FROM {$tablename} WHERE {email='".$email."'} AND {phone='".$phone."'}";
Debugging
[09-Oct-2020 18:49:07 UTC] WordPress database error for query INSERT INTO `wp_lubuvna_subscribers` (`first_name`, `last_name`, `email`, `phone`, `birthday`, `gender`, `customer_type`, `id_company_number`, `street_address`, `address_line_2`, `city`, `state_area`, `zip`, `customer_from`, `groups`, `last_visit`, `send_sms`, `send_email`, `join_date`, `post_author`) VALUES ('Joshua', 'Hodges', 'guj#wote.bj', '(603) 280-6605', '04/25/1953', 'Male', '499242365', '79808607399', 'Jomuz Street', 'Alser Grove', 'Custipeva', 'MO', '41789', 'tada', 'pacseztoj', '08/20/1988', 'TRUE', 'TRUE', '01/10/1920', 1) made by do_action('wp_ajax_new_subscriber_batch'), WP_Hook->do_action, WP_Hook->apply_filters, maybe_insert_new_subscriber_batch_database_table
the results i am getting from follwoing:
$record = $wpdb->get_results($cntSQL, OBJECT);
results:
Array ( [0] => stdClass Object ( [count] => 0 ) )
Based on your comment you need an OR operator not AND operator.
$cntSQL = "SELECT count(*) as count FROM {$tablename} WHERE email='".$email."' OR phone='".$phone."'";
Im getting below error
org.hibernate.hql.internal.ast.QuerySyntaxException:unexpected token values: values near line 1, column 161 .
[insert into shop_information(storeName, ownername, license, email, dlnumber, gst, pan, pincode, phonenumber, mobile, fax, cst, phone, district, state, country) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]
You have to use
session.createSQLQuery(SQL_QUERY);
not
session.createQuery(SQL_QUERY);
HQL only supports insert from another table.
e.g.
INSERT INTO Entity properties_list select_statement.
If you wan't to use standard insert statement like
INSERT INTO Table properties_list values ( :vals)
you need
session.createSQLQuery(SQL_QUERY)
Edit, to answer the comment:
I think that the parameters are 0-based, so try to start the parameters from 0:
query.setParameter(0,storeName);
query.setParameter(1,ownerName);
etc...
However the better way is to use named parameters:
sessionFactory.getCurrentSession()
.createSQLQuery("update table set field = 1 where id = :id")
.setParameter("id", someId)
.executeUpdate();
My rails code is something simple like (code and sql output changed to make it generic)
Router.new(
:name => params[:data][:name],
:subid => params[:data][:subid],
:info => params[:data][:info],
:parent => #parent)
Rails generated INSERT sql
INSERT INTO `mydb` (`name`, `subid`, `info`, `parent_id`, `created_at`, `updated_at`)
VALUES (?, ?, ?, ?, ?, ?) [["name", "myname"], ["subid", ""], ["info", ""], ["parent_id", 2], ["created_at", "2016-09-09 06:06:37"], ["updated_at", "2016-09-09 06:06:37"]]
This is the error I am getting:
Mysql::Error: Incorrect integer value: '' for column 'parent_id' at row 1: INSERT INTO mydb (name, subid, info, parent_id, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)
Looks like mysql doesn't like this type of syntax. I have version 5.6.32.
The values look work when I modify the command to the values directly into "VALUES". Is there a way to go back to the format where the values are inserted at "VALUES" or get the insert working without having to recreate the INSERT statement.
EDITED: I think it is not the actual the SQL. Is there a way to print the actual SQL?
I am trying to do a batch of insert to mysql. I got this code to work without the inner select question. How do I do a bulk insert in mySQL using node.js But when i add the select i get "ER_PARSE_ERROR".
var arr = [[1, '123456789', '2000-01-01', 1],[2, '123456789', '2000-01-02', 1],[3, '123456789', '2000-01-03', 1]];
objConn.query("INSERT INTO stats (`name`, `phone`, `dayOfCall` , `calls`) \
VALUES ((SELECT `name` as myname FROM `contact` WHERE `id` = ? \
LIMIT 1), ?, ?, ?)",
[arr],
function (err, row, fields){
if(err)
logger.info(err);
}
);
I have 2 insert queries that I need to execute. each query will insert data in a different table. The first query has ON DUPLICATE KEY UPDATE clause. What I need to do is to prevent the second query from running is the first one cause an update due to a DUPLICATE KEY.
here is my code currently.
$insertEvent = $db->processQuery('INSERT INTO calendar_events (start_on, end_on, subject, owner_id, created_by, phone_call_id, status )
VALUES (?, ?, ?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE start_on = ?, end_on =?, status = ? ',
array($start, $end, $subject, $owner, $created_by, $phone_call_id, $status, $start, $end, $status) );
$event_id = $db->lastinsertid();
$insertEvent2 = $db->processQuery('INSERT INTO calendar_attendees (event_id, owner_id) VALUE (?, ?)', array($event_id, $owner));
I only want to execute $insertEvent2 only if $insertEvent created a new record otherise ignore the second statement.
Thanks
I believe you can use INSERT IGNORE syntax on your second INSERT, so that your query will look like
INSERT IGNORE INTO calendar_attendees (event_id, owner_id) VALUES (?, ?)
Make sure that you have a UNIQE constraint on (event_id, owner_id).
BTW you have a typo in your second insert. It should be VALUES instead of VALUE.