Обсуждение: Select Where using character varying ??
Hi Guys
I am printing names into a combo box and posting the variable. I try and use the name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is displayed near the end of this message. Are we able compare php string to postgresql character varying?? not sure how else to do the selection
$conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
if (!$conn) {echo "An database connection error occurred.\n"; exit;}
if (!$conn) {echo "An database connection error occurred.\n"; exit;}
// e.g. $Sem = "seminar one";
$Sem = $_POST['Seminars'];
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's ID <br>"; /*exit;*/}
$Sem_No = pg_Result($Sem_No, 0);
if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's ID <br>"; /*exit;*/}
$Sem_No = pg_Result($Sem_No, 0);
// Error Message
Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: syntax error at or near "one" at character 54 in /home/bdwilko/public_html/jet/form/insertP.php on line 56
A query error occurred in retreiving the selected seminar's ID
A query error occurred in retreiving the selected seminar's ID
Table:
| seminar |
| Column | Type | Not Null | Default | Actions | Comment | ||
|---|---|---|---|---|---|---|---|
ben wilko wrote:
> Hi Guys
>
> I am printing names into a combo box and posting the variable. I try and use the
> name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is
> displayed near the end of this message. Are we able compare php string to
> postgresql character varying?? not sure how else to do the selection
>
>
> $conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
> if (!$conn) {echo "An database connection error occurred.\n"; exit;}
>
>
> // e.g. $Sem = "seminar one";
>
> $Sem = $_POST['Seminars'];
>
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
> if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's
> ID <br>"; /*exit;*/}
> $Sem_No = pg_Result($Sem_No, 0);
>
> // Error Message
>
> *Warning*: pg_exec() [function.pg-exec
> <http://www.citanalyst.com/jet/form/function.pg-exec>]: Query failed: ERROR:
> syntax error at or near "one" at character 54 in
> */home/bdwilko/public_html/jet/form/insertP.php* on line *56*
> A query error occurred in retreiving the selected seminar's ID
>
Make sure that you're quoting the value you want to compare. At a quick
glance, this where the error is:
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
should be:
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
'$Sem'");
To be more accurate, you should probabley do:
$Sem = pg_escape ( $Sem );
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
'$Sem'");
Charley
2006/10/3, Charley Tiggs <lists@tiggs.net>:
> ben wilko wrote:
> > Hi Guys
> >
> > I am printing names into a combo box and posting the variable. I try and use the
> > name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is
> > displayed near the end of this message. Are we able compare php string to
> > postgresql character varying?? not sure how else to do the selection
> >
> >
> > $conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
> > if (!$conn) {echo "An database connection error occurred.\n"; exit;}
> >
> >
> > // e.g. $Sem = "seminar one";
> >
> > $Sem = $_POST['Seminars'];
> >
> >
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
> > if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's
> > ID <br>"; /*exit;*/}
> > $Sem_No = pg_Result($Sem_No, 0);
> >
I think you should try:
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =\"$Sem\"");
OR
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name ='$Sem'");
OR
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
='".$Sem."';";);
or something like this for escape "seminar one" with " " inside the sql query
But i look the table description you still compare a integer row with
a string row
try maki the query like this:
$Sem_No = pg_Exec($conn,"SELECT name FROM seminar WHERE name =
'$Sem'");
> > // Error Message
> >
> > *Warning*: pg_exec() [function.pg-exec
> > <http://www.citanalyst.com/jet/form/function.pg-exec>]: Query failed: ERROR:
> > syntax error at or near "one" at character 54 in
> > */home/bdwilko/public_html/jet/form/insertP.php* on line *56*
> > A query error occurred in retreiving the selected seminar's ID
> >
>
> Make sure that you're quoting the value you want to compare. At a quick
> glance, this where the error is:
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
>
> should be:
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
> '$Sem'");
>
> To be more accurate, you should probabley do:
>
> $Sem = pg_escape ( $Sem );
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
> '$Sem'");
>
> Charley
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: In versions below 8.0, the planner will ignore your desire to
> choose an index scan if your joining column's datatypes do not
> match
>
Daniel Carrero Canales
> I think you should try: > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name > =\"$Sem\""); Double quotes are for quoting column names, not string constants. > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name > ='$Sem'"); Better, but all strings, especially provided by some user, should be treated by the function pg_escape_string. Consider that some user types in a form field a text like this: '; delete from seminar where ''=' When you add single quotes you get two valid queries. One of them is what you would never want to be executed ;-) And, by the way - pg_exec is a deprecated name AFAIK. The new one is pg_query. -- Ceterum censeo Internet Explorer esse delendam.
Вложения
On Tuesday 03 October 2006 16:03, Mariusz Pękala wrote:
> > I think you should try:
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =\"$Sem\"");
>
> Double quotes are for quoting column names, not string constants.
>
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > ='$Sem'");
>
> Better, but all strings, especially provided by some user, should be
> treated by the function pg_escape_string.
>
> Consider that some user types in a form field a text like this:
>
> '; delete from seminar where ''='
>
> When you add single quotes you get two valid queries. One of them is
> what you would never want to be executed ;-)
>
> And, by the way - pg_exec is a deprecated name AFAIK. The new one is
> pg_query.
probably even better would be to use pg_prepare and pg_execute.
--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL