Reputation: 17
I want to make a page that has a form with category and names, and I should retrieve the names from the databases. I've asked this question before; now I modified my code and the result says "Query was empty". I don't know why it says that. Here is all my page code.
<html>
<head>
<title>Assign Examiner</title>
</head>
<body>
<?php include('../include/dbconnect.php');
$names=$_POST['user'];
$exp = $_POST['expert'];
$mysql_i=mysql_query("SELECT name FROM user WHERE expert='".$exp."'");
$mysql_res = mysql_query($mysql_i) or die(mysql_error());
mysql_close();
?>
<form name="examiner" action="" method="post">
<table align="center" width="50%" border="1">
<tr>
<td>Category :</td>
<td><select name="expertise"><option value="multimedia">Multimedia</option>
<option value="security">Security &amp; Networking</option>
<option value="mobile">Android Mobile</option>
<option value="web">Web Development</option>
</select>
</td>
</tr>
<tr>
<td>Name :</td>
<td><select name="exam"><option value="<?php echo $mysql_i;?>">PLEASE CHOOSE</option></select></td>
</tr>
</table>
</form>
</body>
</html>
Upvotes: 0
Views: 78
Reputation: 360702
You are calling the mysql_query() function twice, which is incorrect. The code should be more like:
$mysql_i = mysql_query("SELECT name FROM user WHERE expert='".$exp."'");
$actual_data = mysql_fetch_assoc($mysql_i);
echo $actual_data['some_table_field'];
mysql_query() returns a statement handle (or boolean false - on failure). That handle is then used in the various fetch() and other related metadata functions.
Also note that you are vulnerable to SQL injection attacks. Do NOT use this code until you've learned how to avoid them.
Upvotes: 1
Reputation: 10732
The first problem is that you're using user-entered data in your query. You should look at moving to mysqli_ or PDO instead - they both help you write code that is safer. If you can't switch, then you need to sanitise the input to make sure that it doesn't do anything nasty to your code.
The second problem is this:
$mysql_i=mysql_query("SELECT name FROM user WHERE expert='".$exp."'");
$mysql_res = mysql_query($mysql_i) or die(mysql_error());
You're calling mysql_query twice, and the second time, you're passing in the results of the first query. That's not going to do anything. All you need is:
$exp = mysql_real_escape_string($exp); // sanitise your input!!!!
$sql = "SELECT name FROM user WHERE expert='".$exp."'";
$mysql_res = mysql_query($sql) or die(mysql_error());
There's also nothing in your <form> called 'expert', so $_POST['expert'] is likely to be blank - did you mean 'expertise'? The same holds true for $_POST['user'].
Upvotes: 1
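An added example (not part of either answer above) of the move to PDO that the second answer recommends: the category is checked against the form's own option values, bound as a parameter instead of being concatenated into the SQL, and the names are escaped before being written into the `<select>`. The in-memory SQLite database, the sample rows and the function names `namesForCategory` and `renderOptions` are assumptions made so the snippet runs on its own.

```php
<?php
// Added example: allow-list + PDO prepared statement + escaped output.
// Assumption: in-memory SQLite stands in for the MySQL database; rows are constructed.
declare(strict_types=1);

const CATEGORIES = ['multimedia', 'security', 'mobile', 'web']; // the form's <option> values

function namesForCategory(PDO $db, string $expert): array
{
    // Reject anything that is not one of the form's own option values.
    if (!in_array($expert, CATEGORIES, true)) {
        return [];
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT name FROM user WHERE expert = :expert ORDER BY name');
    $stmt->execute([':expert' => $expert]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function renderOptions(array $names): string
{
    $html = '<option value="">PLEASE CHOOSE</option>';
    foreach ($names as $name) {
        // Escape for both the attribute value and the element text.
        $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "\n<option value=\"$safe\">$safe</option>";
    }
    return $html;
}

// Constructed sample data (hypothetical names).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (name TEXT, expert TEXT)');
$ins = $db->prepare('INSERT INTO user (name, expert) VALUES (?, ?)');
foreach ([['Aisha', 'web'], ["D'Souza", 'web'], ['Ben', 'security']] as $row) {
    $ins->execute($row);
}

// In the real page the input would be $_POST['expertise'] ?? ''.
// The second value is a constructed input containing quote characters.
foreach (['web', "web' OR '1'='1"] as $input) {
    $names = namesForCategory($db, $input);
    printf("%-16s -> %d row(s)\n%s\n\n", $input, count($names), renderOptions($names));
}
```

Against MySQL, only the PDO DSN and credentials change; the query and binding stay the same.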