PHP - Parametrized Queries - Why Are They Not Popular?
I was searching a bit on how to properly secure user input/queries, then I stumbled upon parametrized queries; people recommended them as they were basically immune to SQL attacks while being a bit faster than the regular mysql_query function.
All well in theory. My question is, why are these not popular? I only read about them by chance and they don't seem to be used widely. Are there any hidden drawbacks to using parametrized queries? Should I simply keep using mysql_query and filter user input manually? I'm starting a new project so I would appreciate any input on this.
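An added example (not part of the original post) showing the three approaches the question weighs: string interpolation in the mysql_query style, manual "filtering" of the input, and a parameterized query. It runs against an in-memory SQLite database through PDO so it works offline; the table, rows, input value and function names are constructed here, and it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example (not from the original post): the same lookup written three
// ways against an in-memory SQLite database, so it runs offline with PDO.
// Assumes the pdo_sqlite extension; table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES
    ('Alice', 'alice@example.test'),
    ('O''Brien', 'obrien@example.test')");

// Constructed input: a perfectly legitimate name that contains a quote.
$input = "O'Brien";

// 1. String interpolation (the mysql_query habit): the quote ends the SQL
//    literal early, so part of the value is parsed as SQL, not as data.
function lookupInterpolated(PDO $db, string $name): string {
    try {
        $rows = $db->query("SELECT email FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_COLUMN);
        return implode(',', $rows) ?: '(no match)';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 2. "Filter it manually": stripping quotes keeps the statement valid but
//    silently changes the data, so the real row is never found.
function lookupFiltered(PDO $db, string $name): string {
    $clean = str_replace("'", '', $name);          // O'Brien -> OBrien
    $rows = $db->query("SELECT email FROM users WHERE name = '$clean'")->fetchAll(PDO::FETCH_COLUMN);
    return implode(',', $rows) ?: '(no match)';
}

// 3. Parameterized: the SQL text is fixed at prepare() time; the value is
//    bound afterwards and is never parsed as SQL, whatever it contains.
function lookupPrepared(PDO $db, string $name): string {
    $stmt = $db->prepare("SELECT email FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)) ?: '(no match)';
}

printf("interpolated: %s\n", lookupInterpolated($db, $input));
printf("filtered:     %s\n", lookupFiltered($db, $input));
printf("prepared:     %s\n", lookupPrepared($db, $input));

// The statement is prepared once and executed per value, which is where
// the "a bit faster" claim comes from when one query runs in a loop.
$stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
foreach ([1, 2] as $id) {
    $stmt->execute([$id]);
    printf("id %d -> %s\n", $id, $stmt->fetchColumn());
}
```

Only the prepared version returns obrien@example.test for the quoted name; the interpolated one raises a syntax error and the filtered one finds nothing, which is the same mechanism that makes the prepared version safe when the input is hostile rather than merely awkward.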