ugh
dangerous, dangerous code.
Never, ever make SQL strings by concatenating with user input.
Use prepared statements with the query builder or Eloquent ORM.
I have to get the subject name of every row for the query newsubject = " ". The query requires 4 parameters and 3 have been provided by an input. The subject is to be obtained from the view row. I want to be able to obtain the rank of the subject within a class of students for a certain academic year and programme. How do I get $subject from the same parent query?
$getProgramme = Input::get('getProgramme');
$getYear      = Input::get('getYear');
$getTerm      = Input::get('getTerm');
$getLevel     = Input::get('getLevel');

// NOTE: the request values are interpolated straight into the raw SQL string below
// rather than passed as bindings.
$getResults = DB::table('resultsView')
    ->leftJoin(DB::raw('((SELECT sregNumber1, scorelevel1, term_Desc1, term_Year1, newsubject, prog1,
            CASE WHEN @prevRank = total_score1 THEN @curRank
                 WHEN @prevRank := total_score1 THEN @curRank := @curRank + 1 END AS subject_ranked
        FROM scorebysubject q, (SELECT @curRank := 0, @prevRank := NULL) r
        WHERE prog1 = "' . $getProgramme . '" AND `scorelevel1` = "' . $getLevel . '"
          AND term_Desc1 = "' . $getTerm . '" AND term_Year1 = "' . $getYear . '"
          AND newsubject = "' . $subject . '"
        ORDER BY total_score1 DESC) AS t3)'), function ($join) {
        $join->on('sregNumber1', '=', 'regNumber')
             ->on('newsubject', '=', 'subject')
             ->on('term_Desc1', '=', 'termDesc')
             ->on('prog1', '=', 'programmes')
             ->on('term_Year1', '=', 'ternYear');
    })
    ->where('programmes', $getProgramme)
    ->where('ternYear', $getYear)
    ->where('termDesc', $getTerm)
    ->where('level', $getLevel)
    ->get();
With this you can do an SQL injection; be careful, use Eloquent.
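The advice in the replies applied to the question's query, as an added example that is not code from the original post: the same ranked subquery built entirely with bound parameters through the query builder. It assumes Laravel 5.6 or newer (for leftJoinSub) and the table and column names used in the question; the subject is still a single value, as in the question.

```php
<?php
// Added example (not from the original post): parameterised version of the
// ranked-results join. Assumes Laravel 5.6+ and the question's table/column names.
use Illuminate\Database\Query\JoinClause;
use Illuminate\Support\Facades\DB;

function rankedResults(string $programme, string $year, string $term, string $level, string $subject)
{
    // Derived table that ranks scores per subject. The MySQL session variables are
    // reset through a cross-joined derived table, as in the original query; every
    // filter value is sent to MySQL as a binding, never spliced into the SQL text.
    $ranked = DB::table('scorebysubject as q')
        ->crossJoin(DB::raw('(SELECT @curRank := 0, @prevRank := NULL) r'))
        ->select('sregNumber1', 'scorelevel1', 'term_Desc1', 'term_Year1', 'newsubject', 'prog1')
        ->selectRaw('CASE WHEN @prevRank = total_score1 THEN @curRank
                          WHEN @prevRank := total_score1 THEN @curRank := @curRank + 1
                     END AS subject_ranked')
        ->where('prog1', $programme)      // bound parameter, not concatenated
        ->where('scorelevel1', $level)
        ->where('term_Desc1', $term)
        ->where('term_Year1', $year)
        ->where('newsubject', $subject)
        ->orderByDesc('total_score1');

    // leftJoinSub compiles the subquery into the FROM clause and carries its
    // bindings along, so the outer query stays a single prepared statement.
    return DB::table('resultsView')
        ->leftJoinSub($ranked, 't3', function (JoinClause $join) {
            $join->on('t3.sregNumber1', '=', 'resultsView.regNumber')
                 ->on('t3.newsubject', '=', 'resultsView.subject')
                 ->on('t3.term_Desc1', '=', 'resultsView.termDesc')
                 ->on('t3.prog1', '=', 'resultsView.programmes')
                 ->on('t3.term_Year1', '=', 'resultsView.ternYear');
        })
        ->where('resultsView.programmes', $programme)
        ->where('resultsView.ternYear', $year)
        ->where('resultsView.termDesc', $term)
        ->where('resultsView.level', $level)
        ->get();
}

// Request values are read the same way as in the question and passed in as arguments.
$results = rankedResults(
    request('getProgramme'), request('getYear'), request('getTerm'), request('getLevel'), $subject
);
```

Calling `->toSql()` on the builder before `->get()` shows only `?` placeholders where the four request values and the subject appear, and `->getBindings()` lists the values that will be bound to them.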