I escape all input with the db->escape method in Joomla.
For example:
site.com/index.php?view=test&id=5'
In my model, I use id in my query.
Query code:
$db = JFactory::getDBO();
$id = $db->escape($id);            // escaping only adds backslashes
$query = "SELECT name FROM jos_test WHERE id=$id"; // $id is not quoted
$db->setQuery($query);
$result = $db->loadResult();
Now I add a ' to the end of the URL.
Joomla adds a backslash before the '.
But it gives a syntax error and shows the table name. It is a security problem.
How do I disable the Joomla SQL syntax error?
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 SQL=SELECT `name` FROM `jos_test` WHERE id=5\'
You should be parsing your GET parameters using either the JRequest::getVar method, if this is an old Joomla 1.5, or the JInput class in Joomla 2.5/3+.
$input = JFactory::getApplication()->input;
$id = $input->get('id', 0, 'INT'); // 'INT' filter keeps only the integer part
This way you can be safe using them with database queries.
Also the correct way to do database queries is described here.
Finally be sure to disable error reporting before going public by editing the configuration.php file. Change the $error_reporting parameter to 'None'.
Try the following:
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select($db->quoteName('name'))
    ->from($db->quoteName('#__test'))
    ->where($db->quoteName('id') . ' = ' . (int) $id); // cast: id is numeric, never quoted
$db->setQuery($query);
$results = $db->loadResult();
This uses up to date coding standards for database queries.
Hope this helps
You should try something like this (from the table names I suppose you're using Joomla 1.5):
$db = JFactory::getDBO();
$id = JRequest::getInt('id', 0); // getInt casts the request value to an integer
$query = "SELECT name FROM #__test WHERE id = " . $id;
$db->setQuery($query);
$result = $db->loadResult();
In Joomla 3 you can use the query builder and avoid the deprecated JRequest:
$db = JFactory::getDBO();
$id = JFactory::getApplication()->input->get('id', 0, 'INT');
$query = $db->getQuery(true);
$query->select('name')
    ->from('#__test')
    ->where('id = ' . $id);
$db->setQuery($query);
$result = $db->loadResult();
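As an added stand-alone example (not code from the question or any of the answers), this PHP/PDO script uses an in-memory SQLite table named jos_test to reproduce the failure discussed above and the two fixes the answers describe; mysqlEscape() and intFilter() are local stand-ins for Joomla's $db->escape() and its 'INT' input filter, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example (not from the question or answers). Stand-ins for Joomla APIs:
//  - mysqlEscape() backslash-escapes the same characters as $db->escape()
//    (mysqli_real_escape_string), so the output matches the question's id=5\'
//  - intFilter() mirrors what JInput->get('id', 0, 'INT') / getInt() keep: the
//    first integer found in the raw value, or 0 when there is none.
function mysqlEscape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

function intFilter(string $s): int {
    return preg_match('/-?[0-9]+/', $s, $m) ? (int) $m[0] : 0;
}

// Runs one statement and returns the first column of the first row,
// or the database error text, so each strategy can be compared side by side.
function runQuery(PDO $db, string $sql, array $params = []): string {
    try {
        $st = $db->prepare($sql);
        $st->execute($params);
        $value = $st->fetchColumn();
        return $value === false ? 'no row' : (string) $value;
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Constructed fixture: in-memory SQLite stands in for the MySQL jos_test table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_test (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO jos_test VALUES (5, 'five')");

$rawId = "5'"; // constructed: what index.php?view=test&id=5' delivers

// 1. The question's code: escaped but not quoted -> WHERE id=5\' -> syntax error,
//    and with error reporting on, the message leaks the query and table name.
echo "escape only : ", runQuery($db, 'SELECT name FROM jos_test WHERE id=' . mysqlEscape($rawId)), PHP_EOL;

// 2. What the answers recommend for a numeric id: filter to int -> WHERE id=5.
echo "int filter  : ", runQuery($db, 'SELECT name FROM jos_test WHERE id=' . intFilter($rawId)), PHP_EOL;

// 3. Bound parameter: the value never touches the SQL text; "5'" simply matches no row.
echo "bound param : ", runQuery($db, 'SELECT name FROM jos_test WHERE id = :id', ['id' => $rawId]), PHP_EOL;
```

The first line prints the database's syntax error, the second prints five, and the third prints no row, which is the behaviour a hardened model should show for a tampered id.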
Related
I have a PostgreSQL query like this and it runs correctly, but I'm confused about how to write it in the Laravel model.
PostgreSQL:
select * from anggota a where id_parpol = 4 and a.nik in ('2816742691102816','8939799808489659','4757527446829790') or a.no_kta in ('2816742691102816','8939799808489659','4757527446829790')
anggotaController:
$aa = "2816742691102816,8939799808489659,4757527446829790";
$bb = explode(",", $aa);
$model = Anggota::where('id_parpol', Auth::user()->id_org)->whereIn('nik', $bb)->whereIn('no_kta', $bb)->get();
dd($model);
You can use closure-based grouping of queries:
$model = Anggota::where('id_parpol', Auth::user()->id_org)
    ->where(function ($query) use ($bb) {
        $query->whereIn('nik', $bb)
            ->orWhereIn('no_kta', $bb);
    })->get();
Laravel DB::select returns
General error: 2031
It looks like quotes are not added to the statement and it tries to execute the statement like this:
$sql = 'SELECT id FROM users where email=email@email.com';
The code looks like this:
$sql = 'SELECT id FROM users where email=?';
$results = DB::select($sql, ['email' => $email]);
I thought this is handled automatically by PDO, but do I need to add anything to the code above so the statement looks like this?
$sql = 'SELECT id FROM users where email="email@email.com"';
I recommend you read the select docs from the Laravel Query Builder.
The Query Builder provides a complete API to make it easier and safer. Your query would look like:
$results = DB::table("users")->select("id")->where("email", $email)->get(); // get() executes the query
EDIT
The problem is that you're trying to pass a named parameter, but inside the string you didn't name it.
As the doc example shows:
$results = DB::select('select * from users where id = :id', ['id' => 1]);
Your query should look like:
$sql = 'SELECT id FROM users where email=:email';
$results = DB::select($sql, ['email' => $email]);
@mthrsj has correctly identified a better solution for your particular query.
Your underlying issue with the DB::select call is that you're using non-named placeholders (?) while passing it named data.
This should work:
$sql = 'SELECT id FROM users where email=?';
$results = DB::select($sql, [$email]);
as should this:
$sql = 'SELECT id FROM users where email=:email';
$results = DB::select($sql, ['email' => $email]);
If you have models setup, you can also call the DB using your User model:
$user = User::select('id')->where('email', $email)->get();
This uses Eloquent, which uses PDO.
I wrote the following code to get the VirtueMart category id with the name "app" from the database, but it's not displaying anything. Please help. I use Joomla 2.5 and the latest version of VirtueMart.
$db = JFactory::getDBO(); // no =& : assigning a function result by reference is deprecated
$query = $db->getQuery(true);
$query->select('virtuemart_category_id');
$query->from('#__virtuemart_categories_en_gb');
$query->where('category_name = "app" '); // put your condition here
$db->setQuery($query);
$o = $db->loadObjectList();
echo $o[0]->virtuemart_category_id;
My database table prefix is nyhar_. I wrote the above code in the category view page and it doesn't show anything.
Try this:
$db = JFactory::getDBO();
$query = $db->getQuery(true);
$query->select('*');
$query->from('#__virtuemart_categories_en_gb');
$query->where('category_name = "app" ');
$db->setQuery($query);
$o = $db->loadResult();
echo $o;
To select an id value, you can use $query->select('virtuemart_category_id');
I am trying to grab the category id from a single item (article) K2 page. I tried doing:
JRequest::getVar( 'catid' )
But that returns blank. I am running this code from index.php and not item.php, so I don't have access to the $item object.
Any ideas?
To get the current item id, the modified query is:
$item_id = JRequest::getInt('Itemid', 0); // getInt casts the request value to an integer
$db = JFactory::getDBO();
$query = "SELECT catid FROM #__k2_items WHERE id = " . $item_id;
$db->setQuery($query);
$result = $db->loadResult();
echo $result;
You could try using the following:
$db = JFactory::getDBO();
$query = "SELECT catid FROM #__k2_items WHERE id = 1";
$db->setQuery($query);
$result = $db->loadResult();
echo $result;
You will need to change id = 1 to whatever the id of your article is.
Please let me know if it works.
I want to connect to the Joomla DB, and I have created a table in phpMyAdmin.
And I want to get the row and values from the field.
Best way when having a proper JTable:
$row = JTable::getInstance('my_table', ''); // no =& : reference assignment is deprecated
$row->load($id);
When working without JTable:
$db = JFactory::getDbo();
$sql = 'SELECT * FROM #__table WHERE id = ' . (int) $id; // cast: id is numeric, never quoted
$db->setQuery($sql);
$object = $db->loadObject();
Of course you can make that more elegant inside MVC, but for starters this may be enough.
$db = JFactory::getDBO();
$query = "select id,title from #__content";
$db->setQuery($query);
$result = $db->loadObjectList(); // array of stdClass objects
foreach ($result as $res) {
    echo $res->id . "" . $res->title;
}