We Keep Coding

Insert SQL statement error

Hi Im trying to insert data into a database using an insert statement. So basically, the user inputs data into a form and then once the submit button is clicked its meant to get the property_id of the table Property.
My code is this:
<?php
$id = intval($_GET['id']);
$query = mysql_query('SELECT * FROM review WHERE property_id="'.$id.'"');
if(isset($_POST['submit']))
{
$review = mysqli_real_escape_string($mysqli, $_POST['review']);
if(mysqli_query($mysqli, "INSERT INTO review(review) VALUES ('$review')"))
{
?>
<script>alert('Successfully Updated ');</script>
<?php
}
else
{
?>
<script>alert('Error...');</script>
<?php
}
}
?>
At the top of the page is my other code which is as followed:
<?php
include_once '../db/dbconnect.php';
$id = intval($_GET['id']);
$sql = 'SELECT* FROM property WHERE property_id="'.$id.'"';
$result = mysqli_query($mysqli, $sql);
$row=mysqli_fetch_array($result);
?>
The code above basically displays all the data for that individual property. Any help would be great.

There are several errors in your code:
$id = intval($_GET['id']);
$query = mysql_query('SELECT * FROM review WHERE property_id="'.$id.'"');
The mysql_* functions are deprecated in PHP 5, and totally removed in PHP 7. Don't use them!
Moreover, it's not possible to use mysql_* and mysqli_* functions together.
Yet another error: you are executing a SELECT query, but you never fetch the results!
Note: you don't need to concatenate $id. It makes the code harder to read with plenty of useless single and double quotes, and increases the likeliness of a typo. Just enclose the variables in a double-quoted string.
You are casting $id to an int value. If the field property_id is an integer, there is no need to put single quotes around $id in the query.
Updated snippet:
$id = intval($_GET['id']);
$query = mysqli_query($mysqli, "SELECT * FROM review WHERE property_id=$id") or die(mysqli_error($mysqli));
while($r = $query->fetch_assoc()) {
// do something here with the current record $r
}
Your code:
if(mysqli_query($mysqli, "INSERT INTO review(review) VALUES ('$review')"))
[...]
<script>alert('Error...');</script>
When developing, you should display (or write to a log file) the MySQL error message from each failing query. It will make debugging much easier:
<script>alert('Error: <?= mysqli_error($mysqli) ?>');</script>

How to return a JSON array from sql table with PhalconPHP

I have several tables that have JSON arrays stored within fields.
Using PHP PDO I am able to retrieve this data without issue using:
$query1 = $database->prepare("SELECT * FROM module_settings
WHERE project_token = ? AND module_id = ? ORDER BY id DESC LIMIT 1");
$query1->execute(array($page["project_token"], 2));
$idx = $query1->fetch(PDO::FETCH_ASSOC);
$idx["settings"] = json_decode($idx["settings"]);
This returns a string like:
{"mid":"","module_id":"1","force_reg_enable":"1","force_reg_page_delay":"2"}
Attempting to gather the same data via PhalconPHP
$result = Modulesettings::findFirst( array(
'conditions' => 'project_token = "' . $token . '"' ,
'columns' => 'settings'
) );
var_dump($result);
Provides a result of
object(Phalcon\Mvc\Model\Row)#61 (1) { ["settings"]=> string(167) "{"text":"<\/a>
<\/a>
","class":""}" }
What do I need to do different in Phalcon to return the string as it is stored in the table?
Thank you.

You have 2 approach
First :
Get the settings with this structure :
$settings = $result->settings;
var_dump($settings);
Second :
First get array from resultset, then using the array element :
$res = $result->toArray();
var_dump($res['settings']);
Try it.

You can decode json right in your Modulesettings model declaration:
// handling result
function afterFetch() {
$this->settings = json_decode($this->settings);
}
// saving. Can use beforeCreate+beforeSave+beforeUpdate
// or write a Json filter.
function beforeValidation() {
$this->settings = json_encode($this->settings);
}

fetch image and text from database using joomla 2.5

i have one one issue in fetch image and text from database by module what to do for this issue and i add my table name and field name #__home_service_item this is my table name in that table two field one is image and image_name than i have one error for that question i display my error
Warning: Invalid argument supplied for foreach() in C:\wamp\www\Joomla_2.5.8-Stable-Full_Package\modules\mod_home\tmpl\default.php on line 40
please give me any clue for that problem i also add my code
<?php
defined('_JEXEC') or die('Restricted access');
$items = $params->get('items', 1);
$db =& JFactory::getDBO();
$query = "SELECT id
FROM #__home_service_item
WHERE published = '1'
ORDER BY id DESC";
$db->setQuery( $query, 0 , $items );
$rows = $db->loadObjectList();
foreach($rows as $row)
{
echo 'ID: '.$row->id.' </br>';
}
?>
please give one clue

do print_r($rows) and see if any records are returning from the database. I think that you have a problem with your query. If there are no results returning try enclosing your foreach statement with in a try catch or ignore warnings.
Also try to set $db->setQuery($query); instead of $db->setQuery( $query, 0 , $items );
If you just need one row result use $db->loadResult();

Zend sql injection prevention

Hi I have this small code fragment from a web application built on ZEND framework that is not safe since 'name' is fetched from post request. Is there a standard ZEND way to prevent special symbols in $data? Like $where has the quoteInto.
$name = $this->_request->getParam('name');
// update query
$data = array(
'name' => $name
);
$where = array(
$users->getDbAdapter()->quoteInto('user_id = ?', $userId),
);
$users->update($data, $where);

This is safe from SQL injection. Zend_Db treats the array you pass to update() as an array of named parameters, so these values are escaped automatically.

Tim is correct if a bit terse. :)
The $data array in an update statment in Zend_Db is broken down into bound parameters. You can find the exact code in Zend_Db_Adapter_Abstract.
There are a number of procedures involved but the array ultimately ends up in this statement.
$set[] = $this->quoteIdentifier($col, true) . ' = ' . $val;
where your original array was $col => $val
then the SQL is created:
$sql = "UPDATE "
. $this->quoteIdentifier($table, true)
. ' SET ' . implode(', ', $set)
. (($where) ? " WHERE $where" : '');
It looks reasonably secure against SQL injection.
However you can always employ Zend_Filter_Input with Zend_Validate and Zend_Filter to really sanitize your input values.

sql update codeigniter

I am using codeIgniter..
I want to update a table column is_close when id=$ticket_id of my table= tbl_tickets.
I am doing this :-
$data=array(
'is_close'=>1
);
$this->db->where('id',$title_id);
$this->db->update('tbl_tickets',$data);
and I have also done this :-
$sql = "UPDATE tbl_tickets SET is_close={1} WHERE id='$title_id'";
$this->db->query($sql);
both are not working,i.e., my table is not updating the value to 1 and also no error is being shown in the broswer. :(
Edited: Included my model part :
function setClosePost($title_id){
$sql = "UPDATE tbl_tickets SET is_close=0 WHERE id='$title_id'";
$this->db->query($sql);
// $data=array(
// 'is_close'=>1
// );
// $this->db->where('id',$title_id);
// $this->db->update('tbl_tickets',$data);
}
My controller :-
function closePost(){
$this->load->model('helpdesk_model');
$this->helpdesk_model->setClosePost($this->input->post('title_id'));
}

first of all use a get method to check if ticket_id is exist or not.
another thing is always use return in your functions in models so you can check them by if(function_name){...}else{...}
then if your get method returned data correctly try
Model Method
public function set_closed($ticket_id){
$this->db->set(array(
'is_close'=>1
)); // pass fields in array
$this->db->where('id',$ticket_id);
$this->db->update('tbl_tickets'); // table name
return true;
}
then check that in your controller
if($this->Ticket_model->set_closed($ticket_id) == true){
echo 'ticket set to closed correctly';
}else{
echo 'there is some error on updating database'.$this->db->error(); // to checkout db error .
}

First, check $title_id before passing:
var_dump($title_id);
Then, try do "select a row with this id" before updating and after.
$query = $this->db->get_where('tbl_tickets', array('id' => $id));
foreach ($query->result() as $row)
{
var_dump($row->is_close);
}
$data=array(
'is_close'=>1
);
$this->db->where('id',$title_id);
$this->db->update('tbl_tickets',$data);
$query = $this->db->get_where('tbl_tickets', array('id' => $id));
foreach ($query->result() as $row)
{
var_dump($row->is_close);
}
Then, give your table structure.

Just try like this
$sql = "UPDATE tbl_tickets SET is_close='1' WHERE id=".$title_id;
$this->db->query($sql);

just try like this
**function edit($close,$id) {
$sql = "UPDATE tbl_tickets SET is_close= ? WHERE id = ? ";
$this->db->query($sql, array($close,$id));
}**

To handle this type of errors, i mean if reflection is not happen in database, then use below steps to resolve this type of error.
1) use $this->db->last_query() function to print query, using this we can make sure our variable have correct value (should not null or undefined), using that we can make sure also SQL query is valid or not.
2) If SQL query is valid then open phpmyadmin & fire same query into phpmyadmin, it will return error if query columns or table names are invalid.
Use this way, its best way to cross check our SQL queries issues.
I hope it will work.
Thanks

You are trying to update integer(INT) type value, just cross check with your column datatype if that is varchar then you have to put value in a single or double quote.
Like this
$data=array('is_close'=> '1');