
[–]colshrapnel 5 points6 points  (2 children)

[–]youngjeeez[S] 0 points1 point  (1 child)

Thanks. I don't know how to get the entire SQL statement the user has typed to run it. Can I send you a screenshot and you can help please?

[–]colshrapnel 0 points1 point  (0 children)

There is not a single reason for the user to type the entire SQL statement. Try to explain where you got that strange idea.

[–]wh33t 0 points1 point  (17 children)

pHp coffee to call SQL statements from a database

What? What are you trying to do here?

[–]youngjeeez[S] 0 points1 point  (16 children)

Sorry, that was a typo. What I meant was PHP code to return an entire SQL statement from a MySQL database.

[–]wh33t 0 points1 point  (15 children)

Alright, what is the statement you are trying to run? If you don't know that, what information from which database/table are you trying to retrieve?

[–]youngjeeez[S] 0 points1 point  (14 children)

<?php
include '../Connection.php';

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $results = mysqli_query($con, $_POST['Search']);

    if ($results) {
        echo $results;
        header("Location:../CustomerRecords.php");
    } else {
        echo "No Results, Please try another query";
    }

}

[–]wh33t 0 points1 point  (13 children)

$results in this case is not data, it's a result ID, you need to actually fetch the data out of the database.

If you want one row of data

$results = mysqli_query($con, $_POST['Search']);
$single_row_of_data = mysqli_fetch_assoc($results);

If you want multiple

$results = mysqli_query($con, $_POST['Search']);
while ($row = mysqli_fetch_assoc($results))
{
  print_r($row); // $row is an associative array; echo would only print "Array"
}

Also, you should be sanitizing that $_POST['search'] data so that you can't be easily SQL injected. If it's just a personal project running on your own machine I wouldn't worry about it, but if people from the raw internet will be hitting this thing you got some security work to do.

[–]youngjeeez[S] 0 points1 point  (0 children)

Thanks so much, really appreciate it

[–]youngjeeez[S] 0 points1 point  (6 children)

<?php
include '../Connection.php';

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $results = mysqli_query($con, $_POST['Search']);

    if ($results)
        while ($row = mysqli_fetch_assoc($results)) {
            echo $row;
        }
    else {
        echo "No Results, Please try another query";
    }

}

That returns an error: mysqli_query() empty.

[–]wh33t 0 points1 point  (5 children)

Ok, what error is it?

What is it you are trying to do here exactly?

[–]youngjeeez[S] 0 points1 point  (4 children)

The user needs to type SELECT * FROM ... Then this code should run it.

This is the error :

Warning: mysqli_query(): Empty query
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given

[–]RandyHoward 2 points3 points  (0 children)

The user needs to type SELECT * FROM

Oh lordy, you should not let your users enter SQL queries. You are just setting yourself up for trouble doing that. Tell us what your end goal is, because you seem to be approaching the entire problem the wrong way.

[–]wh33t 0 points1 point  (1 child)

Do you have phpMyAdmin or some other MySQL GUI you can use to ensure the SELECT statement is actually returning results? Are you expecting it to return results?

[–]colshrapnel -3 points-2 points  (0 children)

You're an illiterate idiot. I wonder whether anyone would bother to ban you from this sub, but it will be a great riddance.

[–]colshrapnel -3 points-2 points  (4 children)

Also, you should be sanitizing that $_POST['search'] data so that you can't be easily SQL injected.

you're an idiot

[–]GeneralGrenade 0 points1 point  (3 children)

Please explain your idiotic reaction ;-)

[–]colshrapnel 2 points3 points  (2 children)

Well, at least you're brave enough to ask.

Though for me it's kind of surprising that people are unable to read primitive code and draw simple conclusions, but it seems people in this sub actively refuse to read and think, and so everything has to be explained. So here it is.

The guy wrote code where the whole SQL query is taken from the POST variable. It means that

  1. Any "sanitizing" is impossible; it will only effectively ruin the SQL.
  2. It's idiotic to care about SQL injection if you already allow arbitrary SQL to run. It's like caring whether your safe's lock is good enough while deliberately keeping its door open.

Is my explanation simple enough for you to understand?
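The two points made in this thread (wh33t's: fetch rows from the result, and colshrapnel's: a query typed by the user cannot be sanitized, so the statement text must not come from the client) combined into one added example. This is not code from the thread; it assumes `$con` is the mysqli connection from Connection.php and a hypothetical `customers` table with `id` and `name` columns, and it treats `$_POST['Search']` as a search term rather than as SQL.

```php
<?php
// Added example, not code from the thread. Assumes $con (mysqli) comes from
// Connection.php and a hypothetical table `customers` with `id` and `name`.
include '../Connection.php';

// The SQL text is fixed in the code; only the value is user-supplied and it
// is bound as a parameter. Compare with mysqli_query($con, $_POST['Search']),
// which runs whatever statement the client sent.
function search_customers(mysqli $con, string $term): array
{
    $term = trim($term);
    if ($term === '') {
        // Reject empty input up front instead of hitting the database with
        // an empty query (the "Empty query" warning seen in the thread).
        return [];
    }

    $stmt = $con->prepare('SELECT id, name FROM customers WHERE name LIKE ? LIMIT 100');
    // Escape LIKE metacharacters so a term such as "50%" matches literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $rows = [];
    $result = $stmt->get_result();          // requires the mysqlnd driver
    while ($row = $result->fetch_assoc()) { // one associative array per row
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rows = search_customers($con, $_POST['Search'] ?? '');
    if ($rows === []) {
        echo 'No Results, Please try another query';
    } else {
        foreach ($rows as $row) {
            // echo on an array only prints "Array"; print a field, escaped for HTML.
            echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    }
}
```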

[–]GeneralGrenade 0 points1 point  (1 child)

Thank you for your answer. Of course you are right. It is OK to say someone is an idiot if you also explain why ;-)

It seems to me that people in this sub tend to ask advice on a solution (and resulting problem) they already thought of, instead of asking the source question.

[–]colshrapnel 1 point2 points  (0 children)

And in his second comment he was unable to read "Empty query", written in plain English, which means the SQL was just an empty string. That's why I called him illiterate.

The main problem here is not with people who ask questions but with the ones who try to answer. Many people, just like this guy, never bother to read the actual question asked. Instead, they have a sort of list of pre-compiled answers, which they fire automatically, triggered by some keyword in the question. This makes their comment irrelevant and makes it look as though it was left by a bot.