Select Where using character varying ??

am 03.10.2006 06:08:07 von ben wilko

Hi Guys

I am printing names into a combo box and posting the variable. I try and use the name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is displayed near the end of this message. Are we able compare php string to postgresql character varying?? not sure how else to do the selection

$conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
if (!$conn) {echo "An database connection error occurred.\n"; exit;}

// e.g. $Sem = "seminar one";

$Sem = $_POST['Seminars'];

$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's ID <br>"; /*exit;*/}
$Sem_No = pg_Result($Sem_No, 0);

// Error Message

Warning: pg_exec() []: Query failed: ERROR: syntax error at or near "one" at character 54 in /home/bdwilko/public_html/jet/form/insertP.php on line 56
A query error occurred in retreiving the selected seminar's ID

Table:

Column Type Not Null Default Actions Comment

seminar_id integer NOT NULL nextval('seminar_seminar_id_seq'::regclass)

name character varying

address character varying

date date

description character varying

notes character varying

Re: Select Where using character varying ??

am 03.10.2006 10:05:28 von Charley Tiggs

ben wilko wrote:
> Hi Guys
>
> I am printing names into a combo box and posting the variable. I try and use the
> name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is
> displayed near the end of this message. Are we able compare php string to
> postgresql character varying?? not sure how else to do the selection
>
>
> $conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
> if (!$conn) {echo "An database connection error occurred.\n"; exit;}
>
>
> // e.g. $Sem = "seminar one";
>
> $Sem = $_POST['Seminars'];
>
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
> if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's
> ID
"; /*exit;*/}
> $Sem_No = pg_Result($Sem_No, 0);
>
> // Error Message
>
> *Warning*: pg_exec() [function.pg-exec
> ]: Query failed: ERROR:
> syntax error at or near "one" at character 54 in
> */home/bdwilko/public_html/jet/form/insertP.php* on line *56*
> A query error occurred in retreiving the selected seminar's ID
>

Make sure that you're quoting the value you want to compare. At a quick
glance, this where the error is:

$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");

should be:

$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
'$Sem'");

To be more accurate, you should probabley do:

$Sem = pg_escape ( $Sem );
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
'$Sem'");

Charley

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match

Re: Select Where using character varying ??

am 03.10.2006 14:57:19 von DCarrero

2006/10/3, Charley Tiggs :
> ben wilko wrote:
> > Hi Guys
> >
> > I am printing names into a combo box and posting the variable. I try and use the
> > name ($Sem) in an SQL statement; WHERE name = $Sem; but I get an error which is
> > displayed near the end of this message. Are we able compare php string to
> > postgresql character varying?? not sure how else to do the selection
> >
> >
> > $conn = pg_Connect("host=localhost dbname=#### user=#### password=####");
> > if (!$conn) {echo "An database connection error occurred.\n"; exit;}
> >
> >
> > // e.g. $Sem = "seminar one";
> >
> > $Sem = $_POST['Seminars'];
> >
> >
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
> > if (!$SemNo) {echo "A query error occurred in retreiving the selected seminar's
> > ID
"; /*exit;*/}
> > $Sem_No = pg_Result($Sem_No, 0);
> >
I think you should try:
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =\"$Sem\"");
OR
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name ='$Sem'");
OR
$Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
='".$Sem."';";);
or something like this for escape "seminar one" with " " inside the sql query

But i look the table description you still compare a integer row with
a string row
try maki the query like this:
$Sem_No = pg_Exec($conn,"SELECT name FROM seminar WHERE name =
'$Sem'");
> > // Error Message
> >
> > *Warning*: pg_exec() [function.pg-exec
> > ]: Query failed: ERROR:
> > syntax error at or near "one" at character 54 in
> > */home/bdwilko/public_html/jet/form/insertP.php* on line *56*
> > A query error occurred in retreiving the selected seminar's ID
> >
>
> Make sure that you're quoting the value you want to compare. At a quick
> glance, this where the error is:
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name = $Sem");
>
> should be:
>
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
> '$Sem'");
>
> To be more accurate, you should probabley do:
>
> $Sem = pg_escape ( $Sem );
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name =
> '$Sem'");
>
> Charley
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: In versions below 8.0, the planner will ignore your desire to
> choose an index scan if your joining column's datatypes do not
> match
>
Daniel Carrero Canales

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match

Re: Select Where using character varying ??

am 03.10.2006 22:03:53 von Mariusz Pekala

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

> I think you should try:
> $Sem_No =3D pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name=20
> =3D\"$Sem\"");

Double quotes are for quoting column names, not string constants.

> $Sem_No =3D pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name=20
> =3D'$Sem'");

Better, but all strings, especially provided by some user, should be
treated by the function pg_escape_string.

Consider that some user types in a form field a text like this:

'; delete from seminar where ''=3D'

When you add single quotes you get two valid queries. One of them is
what you would never want to be executed ;-)

And, by the way - pg_exec is a deprecated name AFAIK. The new one is
pg_query.

--=20
Ceterum censeo Internet Explorer esse delendam.

--9amGYk9869ThD9tj
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFIsIpsnU0scoWZKARAgb7AKDWyO7fVVo8eNHh2rlmAUPvnLObzgCe Ilyl
jMW3o/OJ7EUP2sZIV9f2NVA=
=duCf
-----END PGP SIGNATURE-----

--9amGYk9869ThD9tj--

Re: Select Where using character varying ??

am 04.10.2006 02:48:08 von Robert Treat

On Tuesday 03 October 2006 16:03, Mariusz PÄkala wrote:
> > I think you should try:
> > $Sem_No =3D pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =3D\"$Sem\"");
>
> Double quotes are for quoting column names, not string constants.
>
> > $Sem_No =3D pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =3D'$Sem'");
>
> Better, but all strings, especially provided by some user, should be
> treated by the function pg_escape_string.
>
> Consider that some user types in a form field a text like this:
>
> '; delete from seminar where ''=3D'
>
> When you add single quotes you get two valid queries. One of them is
> what you would never want to be executed ;-)
>
> And, by the way - pg_exec is a deprecated name AFAIK. The new one is
> pg_query.

probably even better would be to use pg_prepare and pg_execute.=20

--=20
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL

---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq