3

I am pretty new to Laravel and facing a problem building a query using CONCAT:

#From input
$password = $request->password;
#sql statement
UserMainTbl::where('username', '=', $username)->whereRaw('hashkey', '=', CONCAT('admin_id'.$password))

Table: UserMainTbl
Field: username, hashkey, admin_id

Got error:

Call to undefined function App\Http\Controllers\Auth\CONCAT()

------
Update:
I changed my code and managed to stop the above error, but I am getting a new error.

->where('hashkey', '=', DB::raw('concat(admin_id,"$password")'))

Column not found: 1054 Unknown column 'password123' in 'where clause' (SQL: select * from user_main_tbl where username = xxx and hashkey = concat(admin_id,password123) limit 1)

------
Update [Solved]:
My bad on this one. It is just a simple string. Here is the solution for future reference, if any. Lol:

->where('hashkey', '=', DB::raw('concat(admin_id,"'.$password.'")'))


Can someone help point out how I can do it right?
Many thanks.

5
  • 1
    You don't have a function CONCAT. If you mean MySQL CONCAT... then that CONCAT part should be included inside the single quotes. Commented Nov 4, 2016 at 2:44
  • Thanks @barudo for your response. I've updated my question as per your feedback, and got another error. How can I make the password be treated as a string, not as a column? Commented Nov 4, 2016 at 3:01
  • You can write it as ->where('hashkey', '=', DB::raw("concat(admin_id,'$password')")) Commented Nov 4, 2016 at 6:44
  • Thanks for your response @jagzviruz. I tried that; it only returns $password instead of the data inside it. I have updated the solution. Commented Nov 4, 2016 at 8:49
  • Warning: Do NOT do it the way described in @jagzviruz's comment. Never use a variable directly in an SQL query that way or you will likely enable injection attacks, and even something unintentional like a single quote in the $password value will cause it to fail or cause possible data loss. Use proper parameter binding. Commented May 19, 2017 at 22:12

2 Answers

1

I know you have solved the issue, but your solution can open up possibilities for SQL Injection if you don't escape the user input. One way to tackle this is by adding a binding.

UserMainTbl::where('username', '=', $username)
  // The placeholder is left unquoted: a quoted "?" is a string literal, not a bound parameter
  ->where('hashkey', '=', DB::raw('concat(admin_id, ?)'))
  ->addBinding($password);

https://laravel.com/docs/5.3/queries#raw-expressions
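
The difference between interpolating the password and binding it, as an added example that is not code from the question or the answers. It assumes plain PDO with an in-memory SQLite database standing in for Laravel and MySQL (so CONCAT(a, b) is written a || b); the lookup() helper, the sample row and the input value are constructed for illustration.

```php
<?php
// Added example. Assumptions: SQLite in memory replaces MySQL, "||" replaces CONCAT(),
// and the table holds one constructed sample row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_main_tbl (username TEXT, admin_id TEXT, hashkey TEXT)');
$pdo->prepare('INSERT INTO user_main_tbl VALUES (?, ?, ?)')
    ->execute(['alice', '42', "42o'brien"]);

/**
 * Hypothetical helper: runs the lookup with the given right-hand side for
 * "hashkey = ..." and reports whether a row matched or the statement failed.
 */
function lookup(PDO $pdo, string $hashkeyExpr, array $params): string
{
    $sql = 'SELECT username FROM user_main_tbl WHERE username = ? AND hashkey = ' . $hashkeyExpr;
    try {
        $stmt = $pdo->prepare($sql);
        if (!$stmt->execute($params)) {
            return 'SQL error';
        }
        return $stmt->fetch(PDO::FETCH_ASSOC) ? 'match' : 'no match';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

$username = 'alice';
$password = "o'brien"; // constructed input: a legitimate value that contains a quote

// 1. Interpolated: the value becomes part of the SQL text, so its quote
//    ends the string literal early and changes how the statement parses.
echo "interpolated:       ", lookup($pdo, "admin_id || '$password'", [$username]), "\n";

// 2. Quoted placeholder: '?' inside quotes is a one-character string literal,
//    so the statement has one parameter while two values are supplied.
echo "quoted placeholder: ", lookup($pdo, "admin_id || '?'", [$username, $password]), "\n";

// 3. Bare placeholder: the SQL text is fixed and the password travels as data.
//    Laravel equivalent: ->whereRaw('hashkey = CONCAT(admin_id, ?)', [$password])
echo "bound:              ", lookup($pdo, 'admin_id || ?', [$username, $password]), "\n";
```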

1

Always be careful when using the RAW method in the query builder since it's prone to SQL injection. I suggest separating the concatenation of the "admin_id" and "password" and using the standard WHERE method to avoid the problem.

4 Comments

Thanks @ronald. Do you mean use the whereRaw?
Yeah, I am still using the DB::raw.
@Quzaimer: that's why I suggest doing the concatenation in a separate variable and just using it in your where clause to avoid SQL injections. :)
Noted. Thank you for your suggestion @ronald
