I'm converting a mysqli code into PDO as it was requested but I'm having a hard time trying to pass some single quotes into the new LIKE query.I will only paste the parts regarding this problem as there's no need of pasting the whole query etc I guess.
Whenever I use something like "whatever" it returns the results fine, but when I go for "what'ever" it doesn't return anything... The way I have it at the moment was working with mysqli_ but it doesn't when I changed everything to PDO. Any idea how to actually quote the string or escape it properly?
Thank you in advance.
My variable is
$FilterRaid="%{$_POST['FilterRaid']}%";
The query
$listbugs = $bugtrackerpdo->prepare('
...
INNER JOIN raid ON raid.ID = bugs.Raid
AND raid.RaidName LIKE :raid
...
');
$listbugs->bindParam(':raid', $FilterRaid);
$listbugs->execute();
Related
I need to work through how to take stored procedure functions from
region-us.INFORMATION_SCHEMA.ROUTINES
and modify the backticks that default to coming through around the project and place them around the dataset.schema.table()
The reason is more for uniform results across our system than a technical error need.
currently when I run this query
SELECT
replace(ddl, 'CREATE PROC', 'CREATE OR REPLACE PROC'),
FROM region-us.INFORMATION_SCHEMA.ROUTINES
where lower(routine_type) = 'procedure'
It will return the below:
`project-data-sandbox`.schema.MySP()
`project-data-sandbox`.schema.YourSP(MySP)
`project-data-sandbox`.inv.partnumber(orderid)
`project-data-sandbox`.inv_part.part_number(part_id)
I have tried the below query
SELECT
REGEXP_REPLACE(ddl, r"project-data-sandbox`.", "project-data-sandbox.") AS replaced_word
, REGEXP_REPLACE(ddl, r'`([a-zA-Z]+(-[a-zA-Z]+)+)`\.[a-zA-Z]+\.[a-zA-Z]+\(\)','Apples') tester
FROM region-us.INFORMATION_SCHEMA.ROUTINES
where lower(routine_type) = 'procedure'
I get part of what I want. However, the problem is our stored procedures can be named any sort of names and they could require objects to be passed to them.
I added the tester column to see if I could replace the project string with another word (or regex) but it isn't even replacing it with apples yet.
which I would want turned into this:
`project-data-sandbox.schema.MySP`()
`project-data-sandbox.schema.YourSP`(MySP)
`project-data-sandbox.inv.partnumber`(orderid)
`project-data-sandbox.inv_part.part_number`(part_id)
I'm working through Regexp_replace but I'm having difficulty figuring out how to get the backtick between the parenthesis and the last letter.
Thanks for any help!
I have some automated workflow, which includes updating a column via SQL with HTML tags in it.
The basic SQL statement goes like this:
UPDATE content SET bodytext = '<div class="one two three">Here comes a whole lot of HTML with all special chars and double quotes " and single quotes ' and empty lines and all possible kind of stuff...</div>' WHERE pid = 10;
Is there a way to make MariaDB or MySQL to escape things automatically in SQL (without PHP)?
I'd suggest to use prepared statements. This way you separate the statement from it's parameters and don't need to care about additional escaping necessary in plain SQL.
Using functionality provided in PHP's MySQLi driver would simplify the process:
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
Prepared statements are also possible in plain SQL, but I'm not sure if doing it manually would be worth the hassle
https://dev.mysql.com/doc/refman/8.0/en/sql-prepared-statements.html
Thank you for your input, but I think, I found a solution which works for me. It seems that you actually can tell the SQL server to accept a raw string by this kind of syntax:
SELECT q'[The 'end' of the day]'
(Source: https://www.databasestar.com/sql-escape-single-quote/)
So I did the following:
SELECT #html := '[<div class="one two three">Here comes a whole lot of HTML with all special chars and double quotes " and single quotes '' and empty lines and all possible kind of stuff...</div>]';
UPDATE content SET bodytext = #html WHERE pid = 10;
And it works that way without any escaping problems.
I'm working in Visual Basic and using OleDb to access an Excel spreadsheet. I'm importing the data from the sheet into my DataGridView, and that works fine, but now I'm working on filtering. For the most part it works great, but I'm trying to use parameters ("#p1" and so on), and I'm getting a very strange issue.
I can have the following (excluding a bunch of irrelevant stuff before, in between, and after)
query = query & "Project" & " LIKE #Gah1"
...
MyCommand.SelectCommand.Parameters.AddWithValue("#Gah1", "%House%")
and it gives me the results I'm looking for. But I can't seem to get a parameter for the name of the column itself, for example
query = query & "#Gah1" & " LIKE #Gah2"
...
MyCommand.SelectCommand.Parameters.AddWithValue("#Gah1", "Project")
MyCommand.SelectCommand.Parameters.AddWithValue("#Gah2", "%House%")
does not work (and I've tried enclosing Project in different brackets and stuff in different ways, can't get it to work). I've found plenty of examples on using parameters, but none that use them to give the column name.
I'm guessing the parameter changes how the string is represented, seeing as you don't need to have the ' ' around string literals.
Is it not possible to give column names in parameter? If you can, what do I need to do?
Well it won't let me post comment, so here
a) Oops, no, I guess not
b) The string query that I end up sending in my test query here is
"select * from [Bid Summary$] where #Gah1 LIKE #Gah2"
I can post the procedure if absolutely need be, but it isn't the problem because the whole thing works perfectly fine if I replace #Gah1 with Project or [Project], so I just showed the lines that I change.
I'm very new to parameterized queries, can you explain how to avoid query strings using it? If there's a better way to do what I'm doing I'm happy to use it =)
And thanks for response and edit
I use combination of string methods and parameters, like this:
//replace field name in a query template
query = String.Format("select * from [Bid Summary$] where {0} LIKE ?", "#Gah1");
//set value (name is in OleDb parameter ignored, so it could be null)
MyCommand.SelectCommand.Parameters.AddWithValue(null, "%House%");
Note: There is possibility of a sql injection, so be sure about origin of field name (not from user input).
I tested this query in my database, and it works fine:
select * from variables where value = 'commas-:-)';
I get a result. Now, I stored the value in a variable and use the query class.
$value = 'commas-:-)' <<< this is passed as a parameter
$query = "select * from variables where value = '$value'";
$this->db->query($query);
Now, this query works for every other value except for this one - but what's odd is that if I PRINT out the exact query (print_r of $query) and execute it on the database, it returns the correct result. So I'm left to think that the query class is screwing with my query, which it shouldn't because everything is properly escaped and $value is a string literal.
What is going on?
$sql = "SELECT * FROM variables WHERE value = ?";
$this->db->query($sql, array('commas-:-)'));
More info
$get_data = $this->db->from('variables')
->where('value', $value)
->get();
Hope this will work...!
try to use these things for checking the queries
echo $this->db->last_query();
print_r($this->db->result_array($get_data));
I found the issue - it was the rerouting function that was causing the mishap. More specifically, the segment filtering function within the route folder in the system core.
This is what happened:
I created an anchor with the encoded value (commas:-)) and I configured the route to reroute the uri to a function I had in my controller. Each time I clicked the link, the value gets passed, and (supposedly) rerouted to the function. Which it did, for almost all the values I used. Except this one.
1st assumption: the db query function is escaping the values. But I turned off the escape, as well as checked the query by printing. The value was correct. I then tried other query formats, and still no results. Conclusion: There's nothing wrong with the database query functions.
2nd assumption: the data must be corrupt - although the value is correct (I'm getting commas:-)), it's not returning anything except when I type in the value manually. So I tested this:
I created a seperate value, and set it equals to the one I typed in(the one that works). I then printed the original value(one passed) and the newly created value using VAR_DUMP.
Turns out, the argument value (one that doesn't work) is a string with length 14 whereas my new variable was a string with a length of 10. WTF? Conclusion: Something occured during the rerouting / passing process that changed the variable.
I went back to the config folder, and replace the variable $i in the reroute to the literal string value commas:-). And guess what? It worked perfectly. And just to make sure it wasn't the regex, I wrote my own custom regex and it matched fine, but the value was still being changed. So I decided to get under the hood.
I traced the URI manipulation in the routes class to the _explode_segment() function, which was used to perform the regex and analyse the uri for other variables. It also did this thing ...
_filter_uri($str)
for each part of the uri segment that was matched.
What did it do? It replaces programmable characters like ( and ) with their HTML ENTITY. Now, if you don't know, html entities have long lengths than url encoding. LOL. So what happened was this:
Original segment : commas-%3A-%29 <- very nice!
Filtered segment : commas-%3A-) <- NOOOOOOOOO! (the right paren encoded with ).)
urldecode(")") = string(4)
urldecode("%29") = string(1)
Fail.
or WIN?!
I need to remove leading zeros from a string field in an Access database that is destroyed and recreated every time it is used within a C# program. Most string libraries (even SQL ones) include a Trim function to remove leading or following whitespace. Unfortunately, Access does not seem to have a LTrim(string s, char[] trimChars) or something similar. To get around this, I concocted this monstrosity:
Replace(LTrim(Replace(ADDRNO,'0', ' ')),' ', '0')
But this resulted in an undefined function reference for Replace, even though it is obviously an Access function.
What I am looking for is a way to trim these zeros, either by getting the JET engine to let me use the Replace function or by some other method entirely.
EDIT: Fixed syntax of Replace function. Problem still persists.
I suggest
Val(ADDRNO)
It will return the number portion without the leading zeros.
I think it's just the order of your parameters that is wrong:
debug.? Replace("My string", "i", "o") -> "My Strong"
You can use Trim and Replace.
I'm not sure what context you are running this but this seems to show the parameter order is different and uses double quotes instead of single quotes(I haven't used Access in awhile so maybe it doesn't matter), also try square brackets on column name:
http://www.techonthenet.com/access/functions/string/replace.php
Replace(LTrim(Replace([ADDRNO], "0", " "))," ", "0")
If that gives the same error just try the replace function by itself to narrow down the problem:
Replace ("alphabet", "a", "e")
If this works then you know the Replace function works, and there is some other issue.
Edit: If it doesn't work at all, then Replace is likely a VBA function available only in the Access application, and is not part of Jet. You could try some combination of Left/Right function and chop the string up, this can get quite ugly. I personally would just iterate over the record set and use C# code to modify the values. Hopefully you don't have such a large number of records that this would be a problem.