
I have a challenge getting a query I saved into the database. On my project, I want to save a MySQL update query in the database, and when another action is run on a different page, I get that query and pass it through my function and it runs. However, after getting it, it is empty. Below is what I have done so far.

//Saving the query in database

$query = array();
$query['approved'] = "UPDATE payment SET pm_status = 'Approved' WHERE id = '69'";
$query['approved2'] = "UPDATE member SET pay_date = NOW())";

//I then serialize and addslashes so it can be saved in the database

$tosave = addslashes(serialize($query));
$sql = "INSERT INTO trans (saved_query) VALUES ($tosave)";

// I then save $tosave into the database, which I checked and it was saved. On the page where I want to use it, each time I get the value and unserialize it, it returns empty, e.g. after selecting the value from a row

$toprocess = unserialize($query['saved_query']);
echo $toprocess['approved'];

It returns an empty value, and when I run it in a query it doesn't run.

But if I echo it directly without unserializing, it displays the values in it:

echo $query['saved_query'];

Please help in case I am missing something here. Thanks

I am not preventing an SQL injection. I have done that already. I just want to run the SQL saved in the database. This is different from the answers on the prevention of MySQL injection. Thanks

Ifeoluwapo Ojikutu
  • You need to learn how to properly encode strings so that you can insert them into your database and so that they are the same when you take them out. The process to do that safely (storing data in the database) is called "preventing SQL injections" in PHP because many PHP users don't take the needed time to come that far. When you have managed to store a string into the database safely and you get it out safely as well, `serialize` and `unserialize` will work, too. The additional suggestion is to base64 encode the serialized data to prevent character encoding issues on transport. – hakre Jun 08 '14 at 19:57
  • Thanks, after unserializing, the value is empty – Ifeoluwapo Ojikutu Jun 08 '14 at 20:05
  • Sorry if that was not clear from my comment: You have an SQL injection here, but one that happens by accident. You didn't notice it as an SQL injection, but technically it is one. If you prevent the SQL injection successfully, then serialize / unserialize values will work again. Apart from that, the answer to your question is: Use a properly created insert statement to enter values. – hakre Jun 08 '14 at 20:08
  • And here is another hint: Use `json_encode` and `json_decode` instead to serialize, because when there is an error on decoding, there is an error function, something `unserialize` does not offer. See the examples for error handling at http://php.net/json_decode and http://php.net/json_last_error – hakre Jun 08 '14 at 20:09
  • Thanks, json_encode and json_decode work. Really grateful – Ifeoluwapo Ojikutu Jun 08 '14 at 21:04
  • Don't forget to fix the SQL injection; you will greatly benefit from learning about it and the details. – hakre Jun 08 '14 at 21:06
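Putting hakre's suggestions from the comments together (a prepared statement instead of addslashes plus string interpolation, and json_encode / json_decode with the json_last_error check), as an added example that is not part of the original question or comments. It assumes an in-memory SQLite database through PDO so it runs offline (with MySQL only the DSN changes), and the table and column mirror the question's `trans (saved_query)`:

```php
<?php
// Added example (not code from the question or comments): round-trip the query array
// through the database with a prepared statement plus JSON, as hakre suggests above.
// In-memory SQLite stands in for MySQL so it runs offline; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE trans (id INTEGER PRIMARY KEY, saved_query TEXT NOT NULL)'); // constructed

// Store: encode, then bind the string as a parameter. No addslashes(), no quoting by
// hand: the driver hands the bytes to the server exactly as given.
function saveQueries(PDO $pdo, array $queries): int
{
    $json = json_encode($queries);
    if ($json === false) {
        throw new RuntimeException('encode failed: ' . json_last_error_msg());
    }
    $stmt = $pdo->prepare('INSERT INTO trans (saved_query) VALUES (:q)');
    $stmt->execute([':q' => $json]);
    return (int) $pdo->lastInsertId();
}

// Load: decode and check json_last_error() instead of trusting the result, the failure
// that unserialize() hides by returning false with no explanation.
function loadQueries(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT saved_query FROM trans WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $raw = $stmt->fetchColumn();
    if ($raw === false) {
        throw new RuntimeException("no row with id $id");
    }
    $decoded = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('stored value is not valid JSON: ' . json_last_error_msg());
    }
    return $decoded;
}

// The asker's statements; the stray ")" after NOW() noted in the answer is dropped.
$query = [
    'approved'  => "UPDATE payment SET pm_status = 'Approved' WHERE id = '69'",
    'approved2' => "UPDATE member SET pay_date = NOW()",
];
$id = saveQueries($pdo, $query);
var_dump(loadQueries($pdo, $id) === $query); // bool(true): the quotes survive intact

// A truncated row (constructed) shows why the error check matters: decoding fails loudly.
$pdo->prepare('INSERT INTO trans (saved_query) VALUES (:q)')->execute([':q' => '{"approved":"UPD']);
try { loadQueries($pdo, $id + 1); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The same binding applies when the stored statement is later run: it arrives back as the exact string that was saved, so whatever validation was done before saving still holds.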

1 Answer


There is an error in your query:

$query['approved2'] = "UPDATE member SET pay_date = NOW())";

There is an extra bracket after the NOW() function.

Manav
  • The problem is not the error in the SQL query stored as data, but how to first of all run an SQL query that preserves an exact string. – hakre Jun 08 '14 at 19:59