A database for my data

From: Matt 3 Dec 2008 23:42
To: ANT_THOMAS 49 of 158
php code:
$tableid = $_GET['id'];
$query  = "SELECT * FROM nmr WHERE id >= $tableid LIMIT 5";
 


Of course change the name of the id column, if it's different.

Also, if you're not already you should really be using mysql_escape_string / mysql_real_escape_string on the variables you take from $_GET / $_POST / $_COOKIE etc. to use in your queries, or you risk SQL injection.

I could for instance do:

http://www.yourdomain.com/script.php?id=;DELETE%20*%20FROM%20nmr

And empty your database for you.
From: ANT_THOMAS 4 Dec 2008 00:00
To: Matt 50 of 158
Thank you both of you.

Hmm, I think I should too because someone emptying my database would make me cry.

Would this be sufficient?

PHP code:
 
$getid = $_GET['id'];
$tableid = mysql_escape_string($getid);
$query  = "SELECT * FROM nmr WHERE id >= $tableid LIMIT 5";
 
From: Peter (BOUGHTONP) 4 Dec 2008 00:08
To: ANT_THOMAS 51 of 158
Why use two steps?

Simpler to just do this:
code:
$tableid = mysql_escape_string($_GET['id']);

?
From: Matt 4 Dec 2008 00:18
To: ANT_THOMAS 52 of 158
That will work fine.

Personally, if I'm expecting $_GET['id'] to be a number I would use PHP's is_numeric function to make sure that's what it is. If I'm expecting a string or an unknown data type then I'd use mysql_real_escape_string.

php code:
if (isset($_GET['id']) && is_numeric($_GET['id'])) {
 
    // No need to escape via mysql_escape_string as we
    // know it's numeric from the is_numeric test in the
    // if statement.
    $table_id = $_GET['id'];
 
    // sprintf can also be used to sanitise input from a user,
    // but it can make code harder to read. In this example %d
    // requires the variable to be an integer. The other types
    // are listed on the manual page.
    $query  = sprintf("SELECT * FROM nmr WHERE id >= %d LIMIT 5", $table_id);
 
    // Rest of your code goes here
 
}else {
 
    // ID is not set in the URL query or it is not a number, show an error here?
 
}


If you want to write better PHP code, turn display_errors on and set error_reporting to E_ALL (both in php.ini) and you can see what PHP really thinks of your script.
From: Monsoir (PILOTDAN) 4 Dec 2008 09:20
To: ANT_THOMAS 53 of 158
I'm still in bed so can't quite comprehend the issue, but do you just need to order them now? The query isn't interested in the missing numbers.
From: ANT_THOMAS 4 Dec 2008 16:40
To: ALL54 of 158

Problem number something:

 

I have a load of the data I want in my database in the form of an Excel spreadsheet. I've now saved it as a CSV and removed all the lines already present. I thought I could import this using PHPMyAdmin but it turns out I can't. I've read that it's possible (from the PHPMA wiki of all places) but for me it only gives me the option to import SQL based files.

 

I've upgraded PHPMA versions from 2.11.6 to 3.1.0 with no luck.

 

How and where does one enable CSV imports/uploads?

From: Peter (BOUGHTONP) 4 Dec 2008 16:49
To: ANT_THOMAS 55 of 158
Browse into the actual table you want before selecting import, then you get the CSV option appearing.
From: ANT_THOMAS 4 Dec 2008 17:57
To: Peter (BOUGHTONP) 56 of 158
Sure I tried it that way but I'll check when I get home.
From: Peter (BOUGHTONP) 4 Dec 2008 18:00
To: ANT_THOMAS 57 of 158
You have to actually browse the table - not simply view it.

It is more convoluted than it needs to be - should have the CSV option available at all levels, and just allow you to select a database/table from a list if it's not obvious where you're importing to.
From: ANT_THOMAS 4 Dec 2008 19:08
To: Peter (BOUGHTONP) 58 of 158

Thank you!

 

All imported now. All the help from all round has been appreciated. No doubt I'll be back for more.

 

Actually, why am I only able to access PHPMyAdmin on the server itself and not on any locally networked PC?

From: ANT_THOMAS 4 Dec 2008 19:10
To: Peter (BOUGHTONP) 59 of 158
Don't worry. Found it.
From: Drew (X3N0PH0N) 5 Dec 2008 02:56
To: ANT_THOMAS 60 of 158

http://www.heidisql.com/download.php

 

So infinitely much better than PHPMyAdmin. By fuck I hate PHPMyAdmin.

 

(have to allow remote connections from wherever you intend to use the app, obviously)

EDITED: 5 Dec 2008 02:57 by X3N0PH0N
From: steve 5 Dec 2008 18:02
To: Drew (X3N0PH0N) 61 of 158
Does it show text in text-fields when browsing now?

MySQLFront did, and was wonderful, but obviously defunct (and not working with newer versions of MySQL). I haven't upgraded my Heidi for a while now.
From: Drew (X3N0PH0N) 6 Dec 2008 02:32
To: steve 62 of 158
No :((

Actually, it might do now, I have an old version.
From: steve 6 Dec 2008 18:41
To: Drew (X3N0PH0N) 63 of 158
A bug thread said they were working on it as the MySQLFront way was "too unstable". I'd rather have the option for unstability :C
From: ANT_THOMAS12 Dec 2008 13:37
To: ALL64 of 158

Well, the database is all going well and I'm finding it extremely useful.

 

Managed to get the fid thing semi working by mounting the network folder as my N:\ drive and found that I can stick a few lines in the Firefox prefs file to give expections to certain sites for local access.

 

Since it's only going to be used on 4 computers at uni, and the only 4 with this local access, then it's no hassle to sort Firefox for these 4 computers. It is, I think, 4 clicks to open each fid but that's better than the usual 11 or more, especially when the network is often a bit sluggish.

 

My supervisor was also suitably impressed and would like to use it for everyone in our groups data since it's a far easier way to keep things collated. Definitely was worth doing it then.

 


Right, down to the important part. I have a problem(ish). When pulling a row from the database I use the "id" to determine the row. Is it possible to use any other unique field to determine which one I want? For example the "code" (eg: AT025). In MySQL (PHPMA) Do I need to make the field a Primary or Unique or Indexed field or something?

 

I'd like to pull the record using the address bar like I do with the "id" field.

 

(http://domain/full.php?id=5)

 

eg: http://domain/full.php?code=AT025

 

Coding that is fine, but it doesn't pull the record out. I'm assuming it's because it's not indexed?!

EDITED: 12 Dec 2008 13:39 by ANT_THOMAS
From: Ally12 Dec 2008 13:41
To: ANT_THOMAS 65 of 158
quote:
Right, down to the important part. I have a problem(ish). When pulling a row from the database I use the "id" to determine the row. Is it possible to use any other unique field to determine which one I want? For example the "code" (eg: AT025)


It should be simple, just change the WHERE clause in SQL statement to say WHERE code = rather than WHERE id =... unless I'm mis-reading you.
From: ANT_THOMAS12 Dec 2008 17:24
To: Ally 66 of 158

It seems you are reading me right because I'd already tried that but it didn't work. Don't know the error as I'm on the bus but I'll post when I get home.

 

Also
Matt: Thanks for whatever change you made to the lite mode because this here text entry box is now the right size in Iris!

From: ANT_THOMAS12 Dec 2008 19:09
To: ALL67 of 158
I got this error:

code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\wamp\www\fullc.php on line 29


I changed :

PHP code:
$tableid = $_GET['id'];

to
PHP code:
$tablecode = $_GET['code'];

and
PHP code:
$query  = "SELECT * FROM nmr WHERE id=$tableid";

to
PHP code:
$query  = "SELECT * FROM nmr WHERE code=$tablecode";
From: Peter (BOUGHTONP)12 Dec 2008 19:10
To: ANT_THOMAS 68 of 158
quote:
Is it possible to use any other unique field to determine which one I want?

Yes.

quote:
Do I need to make the field a Primary or Unique or Indexed field or something?

No, but correctly indexing tables improves performances.

I can't remember your database structure (if you shared it), but you would make id your Primary key, and code could be either Indexed or Unique Indexed.
(Afaik, Unique is a constraint that prevents you INSERTing non-distinct code values, but doesn't affect SELECTing.)

Depending on other queries, you may benefit from adding other indexes/indices also - missing or incorrect indexes is a common cause of slow performance in database [web] apps.



quote:
Coding that is fine, but it doesn't pull the record out. I'm assuming it's because it's not indexed?


Nope - just to be clear - indexes affect how queries run, but not what they return. (Analogy: The index in the back of a book doesn't change what a book contains, but can speed up your searching for something.)

If you're doing the parameterized queries that Matt suggested before, you will need to use %s for this instead of %d, as the latter means decimal integer and your code looks to be a string.