MySQL email templates.. Is it possible? - mysql

Not sure if it's possible, but it's worth a shot. I am trying to insert some text into a MySQL 'TEXT' field. Some of the words within the text I want to change depending on other fields from some other tables in the MySQL database. Something similar to a PHP email template, where the 'Dear ${first_name}' can be changed depending on who the email is going to.
Can something like this be done within a field in a MySQL table?
I am aware this can be done using a PHP file, but I was wondering if this can be done using MySQL.

Yeah, I guess you could do it, using a stored procedure.
It would have to have a REPEAT loop that uses LOCATE to find the string index of the next '${' token, takes the name from there up to the next LOCATEd '}', and replaces it by CONCAT and SUBSTRING with the value. If that value comes from a simple name-to-value lookup table that's not too bad, but if you want ${first_name} to actually use the column called first_name you would have to create some dynamic SQL in a string and run it using PREPARE...EXECUTE, which is ugly and dangerous.
It would be complex, fragile and DBMS-dependent. SQL is not really designed to be convenient for string fiddling. Any general-purpose programming language with reasonable string-manipulation facilities should be able to do it in a much more straightforward way. If you have PHP available, use it.
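For anyone who wants to see how far the stored-routine approach from the answer above actually goes, here is a worked MySQL function written as an added example; it is not from the question or the answer. It keeps to the simple name-to-value lookup case, so no dynamic SQL (PREPARE/EXECUTE) is involved; the table template_vars and its columns name and val are assumptions made for the example. One deliberate detail: after a substitution the scan resumes after the inserted value, so a value that itself contains '${...}' (for example a user-supplied first name) is never expanded a second time, and an unknown or unterminated token is left in place rather than silently dropped.

```sql
-- Lookup table assumed for this example (not part of the original post).
CREATE TABLE template_vars (
  name VARCHAR(64) NOT NULL PRIMARY KEY,
  val  TEXT
) ENGINE=InnoDB;

DELIMITER $$
CREATE FUNCTION render_template(tpl TEXT) RETURNS TEXT
  READS SQL DATA
BEGIN
  DECLARE pos       INT DEFAULT 1;   -- where the next scan starts
  DECLARE start_pos INT;             -- index of the next '${'
  DECLARE end_pos   INT;             -- index of the matching '}'
  DECLARE var_name  VARCHAR(64);
  DECLARE var_value TEXT;

  IF tpl IS NULL THEN
    RETURN NULL;
  END IF;

  REPEAT
    SET start_pos = LOCATE('${', tpl, pos);
    IF start_pos > 0 THEN
      SET end_pos = LOCATE('}', tpl, start_pos + 2);
      IF end_pos = 0 THEN
        -- Unterminated token: stop scanning and keep the remainder as-is.
        SET start_pos = 0;
      ELSE
        SET var_name  = SUBSTRING(tpl, start_pos + 2, end_pos - start_pos - 2);
        SET var_value = (SELECT v.val FROM template_vars v WHERE v.name = var_name);
        IF var_value IS NULL THEN
          -- Unknown name: leave the token in place and continue after it.
          SET pos = end_pos + 1;
        ELSE
          -- Splice the value in with CONCAT + SUBSTRING ...
          SET tpl = CONCAT(SUBSTRING(tpl, 1, start_pos - 1),
                           var_value,
                           SUBSTRING(tpl, end_pos + 1));
          -- ... and resume AFTER it, so a value containing '${' is not
          -- treated as a template token itself.
          SET pos = start_pos + CHAR_LENGTH(var_value);
        END IF;
      END IF;
    END IF;
  UNTIL start_pos = 0 END REPEAT;

  RETURN tpl;
END$$
DELIMITER ;

-- Constructed sample values for the example.
INSERT INTO template_vars (name, val) VALUES
  ('first_name', 'Gerald'),
  ('company',    'Example Ltd'),
  ('sneaky',     '${company}');

SELECT render_template(
  'Dear ${first_name}, thanks for choosing ${company}. ${missing} stays; ${sneaky} is not re-expanded.'
) AS rendered;
```

With those rows the SELECT yields "Dear Gerald, thanks for choosing Example Ltd. ${missing} stays; ${company} is not re-expanded.": the unknown name survives untouched and the value of sneaky is inserted literally. If you need ${first_name} to mean "the first_name column of some other table", you are back to the dynamic SQL the answer warns about, and the application is the better place for it.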

Related

MySQL Normal Text to Spinal Case Conversion

I have a table column with general text values, for example:
"This is Gerald's Sample Text: With some special chars"
I need to convert this text to:
"this-is-geralds-sample-text-with-some-special-chars"
with MySQL InnoDB and save the value in a separate unique column in the same table. Is there a simpler way of achieving this with a query without using procedures?
The short answer is "No". You're looking for something that behaves exactly like a regular expression, and MySQL does not support regex replace natively.
The longer answer is "No, but there are workarounds." You have a couple of options, and I don't terribly like either. The first is to create a function like in this question. The second is to come up with a list of bad characters and then use a set of REPLACE calls. It's ugly, but it will work.
On a side note: you might consider creating this value with your application and then just store along with the original. That would be cleaner in some ways than using a custom MySQL function.
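The REPLACE-chain workaround from the answer above, spelled out as an added example against a constructed table; none of this is from the question or the answer. The table article and its slug column (the separate unique column) are assumptions for the example, and the list of punctuation characters is only what the sample text needs, which is exactly the fragility the answer warns about. MySQL 8.0.4 and later do have REGEXP_REPLACE, which the answer predates; the equivalent one-liner is included at the end for servers that have it.

```sql
-- Constructed sample table for this example (not from the question).
CREATE TABLE article (
  id    INT AUTO_INCREMENT PRIMARY KEY,
  title VARCHAR(200) NOT NULL,
  slug  VARCHAR(200) NULL,
  UNIQUE KEY uq_article_slug (slug)
) ENGINE=InnoDB;

INSERT INTO article (title) VALUES
  ('This is Gerald''s Sample Text: With some special chars'),
  ('Second   title -- with  extra   spaces!');

-- Innermost call runs first: lowercase, drop the characters that should
-- vanish without a trace (apostrophes, colons, ...), turn spaces into
-- hyphens, then collapse the runs that multiple spaces produce.
-- '''' is a one-character string containing a single apostrophe.
UPDATE article SET slug =
  TRIM(BOTH '-' FROM
    REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
      LOWER(title),
      '''', ''),
      ':',  ''),
      '!',  ''),
      ',',  ''),
      '.',  ''),
      ' ',  '-'),
      '---', '-'),
      '--',  '-'),
      '--',  '-'));

SELECT id, title, slug FROM article ORDER BY id;

-- MySQL 8.0.4+ only: one regex pass replaces the whole chain, apart from
-- the apostrophe, which still has to be removed rather than hyphenated
-- so that "Gerald's" becomes "geralds" and not "gerald-s".
-- UPDATE article SET slug =
--   TRIM(BOTH '-' FROM
--     REGEXP_REPLACE(REPLACE(LOWER(title), '''', ''), '[^a-z0-9]+', '-'));
```

The first row comes out as this-is-geralds-sample-text-with-some-special-chars, the second as second-title-with-extra-spaces. Two caveats a practitioner will hit: any character not in the REPLACE list (accented letters, slashes, quotes) passes straight through into the slug, and because slug is UNIQUE the UPDATE fails with a duplicate-key error as soon as two titles normalise to the same string, so collisions need a suffix strategy that is much easier to write in the application, as the answer suggests.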

Codeigniter Complex MySQL Query - Removing Backticks - is it a Security Issue?

I'm trying to build a MySQL query to return appropriate search results, by examining several different database fields. For example if a user searches "plumber leeds", if a business had 'leeds' in the 'city' field and the word 'plumber' as part of their name, I would want that search result to be returned.
User searches could contain several words and are unpredictable. I'm currently achieving what I need by exploding the search term, trimming it and using it to compile a complex search query to return all relevant results.
I'm storing this complex query in a variable and using Codeigniter's Active Record to run the query.
$this->db->where($compiled_query, null, false);
What I'm concerned about is that I'm not protecting the query with backticks and I'm unsure if this is a security issue. I have XSS Clean enabled but still not sure if this is ok.
According to CI's user manual:
$this->db->where() accepts an optional third parameter. If you set it to FALSE, CodeIgniter will not try to protect your field or table names with backticks.
Source: http://ellislab.com/codeigniter/user-guide/database/active_record.html
Some info about how I compile the query here in a separate question. I'm aware mysql_real_escape_string is about to be deprecated and isn't a catch-all, hence part of my concern about this method.
https://stackoverflow.com/questions/13321642/codeigniter-active-record-sql-query-of-multiple-words-vs-multiple-database-fi
Any help appreciated
Backticks have nothing to do with security. They are really just a way to "stringify" your field and table names, so that you could use a field called datatype for example and not have it conflict with MySQL keywords.
You are safe
I wouldn't say you're absolutely "safe", because you're never technically safe if you accept user input in a SQL query (even if you've manipulated it... when there's a will, there's a way).
Once you relinquish control over what is given to your application, you must be very careful how you deal with that data so that you don't open yourself up to an injection attack.
XSS Clean will help with POST or cookie data -- it does not run automatically on GET variables. I would manually run $data = $this->security->xss_clean($data); on the input if it's from the GET array.

Is there a way to get only the numeric elements of a string in mysql?

I'm looking to make it easier for the clients to search for stuff like phone/mobile/fax numbers. For that to happen I want to strip both the search value and the relevant columns in my database of any non-numeric characters before comparing them. I'm using these functions to get only the numeric elements of the strings in mysql but they slow my queries down to a crawl when I use them.
Is there any way to do it without blowing my run times sky high?
The reason why your query times are exploding is because any use of such functions disables you from using any index. Since you are not searching directly on a field, but on the output of a function, there is no way MySQL can use an index to execute the query.
This is in addition to the fact that you have to compute the function output for each record.
The best way around these runtimes, if you have access and permission to do so, is to add a new column with the content you're filtering. Add a WRITE trigger to fill the column with the stripped values, run a script that updates the field once for all records. Add an index and include the new column. Then, in your application, use the new column for searches for a number value of a telephone. Downsides are table schema alterations and added code for the business logic and/or data abstraction layer.
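The trigger-maintained column the answer describes, written out in MySQL as an added example; this is not code from the question or the answer. The table contact, its columns and the function name digits_only are assumptions made for the example. The function walks the string one character at a time and keeps only ASCII digits, so it does not depend on guessing which punctuation a phone number might contain; the triggers keep the stripped column in step with every write, the one-off UPDATE backfills existing rows, and searches then hit the indexed column with a plain equality.

```sql
-- Strip everything that is not an ASCII digit. Written as a loop rather
-- than a REPLACE chain so unexpected separators are handled too.
DELIMITER $$
CREATE FUNCTION digits_only(s VARCHAR(64)) RETURNS VARCHAR(64)
  DETERMINISTIC NO SQL
BEGIN
  DECLARE i     INT DEFAULT 1;
  DECLARE c     CHAR(1);
  DECLARE out_s VARCHAR(64) DEFAULT '';

  IF s IS NULL THEN
    RETURN NULL;
  END IF;

  WHILE i <= CHAR_LENGTH(s) DO
    SET c = SUBSTRING(s, i, 1);
    -- ASCII() of a multi-byte character's first byte is >= 0xC2, so this
    -- test is true only for the characters '0' .. '9'.
    IF ASCII(c) BETWEEN 48 AND 57 THEN
      SET out_s = CONCAT(out_s, c);
    END IF;
    SET i = i + 1;
  END WHILE;

  RETURN out_s;
END$$
DELIMITER ;

-- Constructed table for the example: phone is what the user typed,
-- phone_digits is the searchable copy maintained by the triggers.
CREATE TABLE contact (
  id           INT AUTO_INCREMENT PRIMARY KEY,
  name         VARCHAR(100) NOT NULL,
  phone        VARCHAR(40),
  phone_digits VARCHAR(40),
  KEY idx_contact_phone_digits (phone_digits)
) ENGINE=InnoDB;

CREATE TRIGGER contact_bi BEFORE INSERT ON contact
  FOR EACH ROW SET NEW.phone_digits = digits_only(NEW.phone);

CREATE TRIGGER contact_bu BEFORE UPDATE ON contact
  FOR EACH ROW SET NEW.phone_digits = digits_only(NEW.phone);

-- Constructed rows; the triggers fill phone_digits on the way in.
INSERT INTO contact (name, phone) VALUES
  ('Alice', '0113 496 0123'),
  ('Bob',   '(0113) 496-0000'),
  ('Carol', '0113.496.0000 ext 7');

-- One-off backfill for rows that existed before the triggers were added
-- (the BEFORE UPDATE trigger recomputes the column for every row).
UPDATE contact SET phone_digits = digits_only(phone);

-- Normalise the search term ONCE, then compare against the indexed column.
-- The function now runs on one value, not on every row, and the equality
-- (or a trailing-wildcard LIKE) can use idx_contact_phone_digits.
SET @q = digits_only('0113-496-0000');

SELECT id, name, phone FROM contact WHERE phone_digits = @q;
SELECT id, name, phone FROM contact WHERE phone_digits LIKE CONCAT(@q, '%');

EXPLAIN SELECT id, name FROM contact WHERE phone_digits = @q;
```

The equality returns Bob; the trailing-wildcard LIKE returns Bob and Carol, and EXPLAIN lists idx_contact_phone_digits in the key column for both. Two things to keep in mind: a leading wildcard (LIKE CONCAT('%', @q)) would throw the index away again, so if you want "match ignoring the country code" normalise the prefix at write time instead of at search time, and the backfill UPDATE rewrites every row, so run it off-peak on a large table.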

Exclude characters from search in Mysql

Is it possible to make some characters stored in mysql invisible for search queries?
Of course, I can do this in application, but is there maybe some setting option in mysql for this?
I am still not sure I am following what you want. It sounds like a query like
SELECT * FROM `table` WHERE REPLACE(string_field, "#", "") = "user query"
might be what you are looking for.
See REPLACE. For more complicated matching, there's also regular expressions, although that would probably be rather messy for what you are describing.
EDIT: Just saw your comment. It sounds like you want to blacklist certain characters from the user's query as they are special to your system. No, there's no way to do that. Somewhere you are going to want a string replace operation to remove those characters; either in your application or in a stored procedure/function if you want to put it in the database.

Under what conditions do I need to single quote a variable in a Mysql statement in PHP?

Under what conditions do I need to single quote a variable in a Mysql statement in PHP?
If you put values directly in the query, as in SELECT * FROM users WHERE age > 25, then the single quotes are used only with strings. If you write SELECT * FROM users WHERE age > '25', the query works the same, but you are forcing MySQL to convert the string to an integer (if that field is an integer), which is an unnecessary operation.
In theory only varchars, texts, and BLOBs, I think, but I say quote 'em all. That has nothing to do with PHP, by the way, but only with the way you build your MySQL query, unless you mean something completely different.
Not a direct answer, but I suggest a database class like Zend DB to interact with your database. I have found this to be a great way to abstract away some of the grunt work like figuring out what to do with variables.
For example:
$db->select()->from('users', array('uid'))->where('email = ?', $indata['email'])->where('actkey = 0')
Makes a cleaner query than building the same by hand, and also takes care of making those variables safe a lot better than I would.
Hope that's helpful info.
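Two of the answers above make the same point from different directions: the CodeIgniter answer says you are never "technically safe" once user input reaches the SQL text, and the quoting answer says whether a value gets single quotes depends on its type. The following added example (mine, not from any of the posts; the users table and its rows are constructed) uses MySQL's own server-side PREPARE/EXECUTE to show why quoting is a delimiter and not a protection, and how binding a value through a placeholder settles both the safety question and the type question at once. Application code gets the same effect from the driver's prepared statements (mysqli, PDO, or CodeIgniter's query bindings), which is where it belongs; the server-side form is used here only so the whole demonstration runs in one mysql session.

```sql
-- Constructed sample data for this example (not from the questions above).
CREATE TABLE users (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  first_name VARCHAR(60) NOT NULL,
  city       VARCHAR(60) NOT NULL,
  age        INT NOT NULL
) ENGINE=InnoDB;

INSERT INTO users (first_name, city, age) VALUES
  ('Alice', 'Leeds', 31),
  ('Bob',   'York',  24),
  ('Carol', 'Leeds', 45);

-- 1. Interpolation: the value is pasted into the SQL text between quotes,
--    which is what a hand-compiled WHERE string does. A value that carries
--    its own quote closes the literal and rewrites the predicate.
--    @search holds the text  leads' OR '1'='1  (doubled quotes = one quote).
SET @search = 'leeds'' OR ''1''=''1';
SET @sql = CONCAT('SELECT id, first_name FROM users WHERE city = ''',
                  @search, '''');
SELECT @sql AS generated_sql;      -- inspect the text that will actually run
PREPARE s1 FROM @sql;
EXECUTE s1;
DEALLOCATE PREPARE s1;

-- 2. Binding: the statement text is fixed before the value is seen, so the
--    value is only ever compared with the column, never parsed as SQL.
PREPARE s2 FROM 'SELECT id, first_name FROM users WHERE city = ?';
EXECUTE s2 USING @search;
DEALLOCATE PREPARE s2;

-- 3. The multi-word search case ("plumber leeds"): build the template from
--    a FIXED clause per word, and bind each word separately. The number of
--    words varies; the SQL text that can run does not.
SET @w1 = CONCAT('%', 'leeds', '%');
SET @w2 = CONCAT('%', 'ali',   '%');
PREPARE s3 FROM 'SELECT id, first_name, city FROM users
                 WHERE (city LIKE ? OR first_name LIKE ?)
                   AND (city LIKE ? OR first_name LIKE ?)';
EXECUTE s3 USING @w1, @w1, @w2, @w2;
DEALLOCATE PREPARE s3;

-- 4. The quoting question disappears with a bound parameter: age is compared
--    as an integer without anyone deciding whether to write 25 or '25'.
SET @min_age = 25;
PREPARE s4 FROM 'SELECT first_name FROM users WHERE age > ?';
EXECUTE s4 USING @min_age;
DEALLOCATE PREPARE s4;
```

Step 1 prints SELECT id, first_name FROM users WHERE city = 'leeds' OR '1'='1' and EXECUTE s1 returns all three rows, because the predicate is now always true. Step 2 returns no rows: no city is literally the string leeds' OR '1'='1, and the extra quotes never became syntax. Step 3 returns Alice only (the LIKE comparisons use the column's collation, which is case-insensitive by default), and step 4 returns Alice and Carol. This is also why XSS Clean is beside the point for the CodeIgniter question: it filters HTML and script markup for the browser, not quote characters for the database.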