PHP MySql Select expression not working ... Any tips?

[UPDATED] with new code "sql_real_escape_string ()"
[UPDATED] if someone wants to see the site on a test site
[UPDATED] with while code showing any results via echo

Hello to all,

I looked through a lot of posts on this, but just can't figure out why the following code is not working:

    $username = $_POST['username'];

    // get the record of the user, by looking up username in the database.
    $query = sprintf("SELECT UserName, Password FROM userlogin WHERE UserName='%s'",
        mysql_real_escape_string($username));

    $result = mysqli_query($dbc, $query)
        or die ("Error Querying Database for: " . $query . "<br />Error Details: " . mysql_error() . "<br/>" . $result);

    while ($row = mysqli_fetch_assoc($result)) {
        Echo($row['UserName']);
    }

The code seems correct ... the database works fine (for input purposes), and the connection is the joint connection used with require_once ('databaseconnection.php'); which works on the registration side of things.

As usual, I am sure that this is something simple that I forgot, but I can't for the life of me see it!

I do not get any error messages from mysql_error(), just a space.

Any help would be greatly appreciated.

Hello

+4
6 answers

Check the username you are trying to request, as it may be empty. Are you really using a POST request to run this script? How do you confirm that this does not work? What do you do with $data after the request?

If nothing just happens, most likely your request does not match any record. Check the spaces and case of the username you are looking for.

Please note the following warnings:

  • Use a prepared statement or at least sql-escape any user input before using it in sql.
  • Do not use die in serious code; it is for debugging only.
+2
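
Added example, not part of the original thread: the prepared-statement lookup recommended in the answer above, written with mysqli calls only, so errors are reported for the same connection that runs the query. It assumes that databaseconnection.php (named in the question) defines $dbc as an open mysqli connection; find_user() is a hypothetical helper name.

```php
<?php
// Added example. Assumes databaseconnection.php (named in the question)
// defines $dbc as an open mysqli connection.
require_once('databaseconnection.php');

// Make mysqli throw on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// find_user() is a hypothetical helper name. Returns the matching row
// from userlogin, or null when no record matches.
function find_user(mysqli $dbc, string $username): ?array
{
    // The ? placeholder keeps the value out of the SQL text entirely,
    // so quotes in $username cannot change the statement.
    $stmt = mysqli_prepare(
        $dbc,
        'SELECT UserName, Password FROM userlogin WHERE UserName = ?'
    );
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $name, $hash);

    $row = mysqli_stmt_fetch($stmt)
        ? ['UserName' => $name, 'Password' => $hash]
        : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// Reject a missing or empty field before touching the database.
$username = trim($_POST['username'] ?? '');
if ($username === '') {
    http_response_code(400);
    exit('No username supplied.');
}

try {
    $row = find_user($dbc, $username);
    // Escape on output: the stored name is still untrusted in HTML.
    echo $row === null
        ? 'No matching user.'
        : htmlspecialchars($row['UserName'], ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not print the query or DB error.
    error_log('userlogin lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Lookup failed.';
}
```
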

$data will contain the result object. You need to iterate over it using something like mysqli_fetch_assoc($data).

In addition, you can interpolate variables directly into double-quoted strings, i.e. UserName='".$username."'" can be written more clearly as UserName='$username', without breaking out of the string.

Also, please clear your input - all input is evil - using the mysqli_real_escape_string() function. You have an SQL injection exploit pending here.

Keep in mind that it is a good idea to check all the data that you need to insert into the database.

+2

Very often you have problems with the request itself, and not with the implementation. Try it first in phpMyAdmin and see if there are any problems. Check server logs.

By the way: Never put variables from POST in a request! This is definitely an SQL injection.

+1

You may have a problem with the request. Have you tried to echo the $query and run it directly using the mysql client or Workbench?

+1

Try printing the $data variable instead of just printing the request. Check if you can receive error messages. If you could see any data, then you should use the mysql fetch function to iterate. Give it a try.

+1

This piece of code looks fine. That is, if $dbc contains the actual database connection. But choosing the name $data for this variable, when the function actually returns a result object or a boolean, indicates that you may not process the data correctly.

If this is not a problem, we should definitely see more code.

+1