Reputation: 6679
I want to show the variable "points" which belongs to a certain username.
This is a part of my login2.php file:
if (isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $points = $mysqli->query("SELECT points FROM account_information WHERE username = '".$username."'");
}
I don't know how to show the points now. I know that the outcome of $points is not the amount of points that belongs to a username. I actually want to know how to do this and what the outcome is of the $points. How can I show the actual result of the query I am running (which would be the amount of points stored in my database)? So of course if you would run this query in MySQL then the outcome will be: "Amount of points", but in this situation I don't know how to show the amount of points actually.
Upvotes: 1
Views: 88
Reputation: 32270
OP already has accepted an answer but they both aren't good imo. NDM said it, take a look into the docs, it's all well written there.
I think it's also very bad practice to mix object and procedural style.
Also, the other answers don't care about security. Use prepared statements and reselect the username, because mysqli validates your $_SESSION['username'] in this case.
Take a look into this one:
<?php
// Init the database connection
$db = new mysqli("example.com", "user", "password", "database");
// Look for errors or throw an exception
if ($db->connect_errno) {
    throw new Exception($db->connect_error, $db->connect_errno);
}
// Init prepared statement
$prep = $db->stmt_init();
// Prepared statement
$prep = $db->prepare("SELECT username, points FROM account_information WHERE username = ? AND username IS NOT NULL AND username != ''");
// See if statement is ok
if (!$prep) {
    throw new Exception($db->error);
}
// Put your variables into the query
$prep->bind_param('s', $_SESSION['username']);
// Fire the query!
$prep->execute();
// This is magic, it's awesome.. try it :-))
$prep->bind_result($username, $points);
// Get the results easily
while ($prep->fetch()) {
    // Escape the values before writing them into the HTML page
    echo htmlspecialchars("{$username} has {$points}", ENT_QUOTES, 'UTF-8'), "<br>", PHP_EOL;
}
// This is like in our house, when we leave it, we close the door
$prep->close();
$db->close();
Update:
Answering your comment, this style is better because objects are better in general than procedural functions. Better to program, better to read, easier to understand (object abstract from real life objects).
bind_param validates your input. Imagine me putting in ;DROP TABLE account_information;-- into my username session. This is SQL Injection - the only safe way to prevent them is to prepare statements. Or imagine having more than one database connection. Every mysqli object represents a different connection. This is not as clear as with procedural style. Also, error reporting using Exceptions is way more flexible because they can be caught and thrown.
If you want to know more about their returns, just read the manual: http://php.net/mysqli_query
mysqli_query / mysqli::query
return values:
Returns FALSE on failure. For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. For other successful queries mysqli_query() will return TRUE.
Upvotes: 1
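The difference between the question's concatenated query and the bound parameter recommended in the answer above, as an added example that is not part of the original posts. It assumes a local MySQL server; the credentials, the database name `demo_db`, the sample rows and the function names `points_concatenated` and `points_bound` are all constructed for illustration.

```php
<?php
// Added example, not code from the original posts.
// Assumptions: a local MySQL server and the placeholder credentials below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors throw

$db = new mysqli('127.0.0.1', 'demo_user', 'demo_password', 'demo_db');
$db->set_charset('utf8mb4');

// Constructed sample data; the temporary table disappears with the connection.
$db->query("CREATE TEMPORARY TABLE account_information (
    username VARCHAR(64) PRIMARY KEY, points INT NOT NULL)");
$db->query("INSERT INTO account_information VALUES ('alice', 120), ('O''Brien', 45)");

// The question's approach: the username becomes part of the SQL text.
function points_concatenated(mysqli $db, string $username): string
{
    try {
        $result = $db->query(
            "SELECT points FROM account_information WHERE username = '" . $username . "'"
        );
        $row = $result->fetch_assoc();
        return $row ? (string) $row['points'] : 'no row';
    } catch (mysqli_sql_exception $e) {
        return 'SQL error'; // the statement no longer parsed as intended
    }
}

// The answer's approach: the username travels separately from the SQL text.
function points_bound(mysqli $db, string $username): string
{
    $stmt = $db->prepare("SELECT points FROM account_information WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($points);
    $found = $stmt->fetch(); // true when a row was fetched, null when none is left
    $stmt->close();
    return $found ? (string) $points : 'no row';
}

// Constructed inputs; the last one is the string quoted in the answer above.
foreach (['alice', "O'Brien", ';DROP TABLE account_information;--'] as $name) {
    printf("%-36s concatenated: %-9s bound: %s\n",
        $name, points_concatenated($db, $name), points_bound($db, $name));
}
$db->close();
```

Run it with the PHP CLI against a scratch database. A legitimate name containing an apostrophe is enough to break the concatenated statement, while the bound version returns that user's row.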
Reputation: 2947
The "points" value is in, after executing AND FETCHING the sql/results.
Fetch row http://www.php.net/manual/de/mysqli-result.fetch-row.php
$sql_result = $mysqli->query("SELECT points FROM account_information WHERE username = '".$username."'");
// Fetch from the result object returned by the query above
while ($data_row = mysqli_fetch_assoc($sql_result)) {
    print 'Your score is: '.$data_row['points'];
}
Upvotes: 3
Reputation: 771
while ($row = mysqli_fetch_assoc($points)) {
    echo $row['points'];
}
Just put the results into an array called $row then access the parts of the array with $row['points'].
Upvotes: 3