CODEWITHSUNDEEP
phpmysqli
Roy D. Porter
Roy D. Porter

Reputation: 159

Echo Mysqli query with POST variable?

want i want is to query my db with post variable in the query. It's not really working for me, does anyone know how to do it properly? Here is what i have so far.

$query = "SELECT column FROM `table` WHERE 'name' = '$_POST[checkname]'";
$result = mysqli_query($db, $query) or die ("no query");
$cod = mysqli_fetch($result);
echo $cod;

Any help is appreciated. Thanks guys.

Upvotes: 1

Views: 3770

Answers (3)

Amit Karma
Amit Karma

Reputation: 1

//it is apsulutly

// work

if(isset($_POST['checkname'])) {

    $post = mysql_real_escape_string(trim($_POST['  checkname  ']));

    $query = "SELECT column FROM `table` WHERE name = '$post'";
    $result = mysqli_query($db, $query) or die ("no query");
    $cod = mysqli_fetch_all($result);
    echo implode($cod[0]);
    echo implode($cod[1]);//For particular cell
}

Upvotes: 0

Matthew Johnson
Matthew Johnson

Reputation: 5155

Mysqli supports prepared statements, which protect against sql injection attacks. It would look like this:

/* Create a prepared statement */
$stmt = $mysqli -> prepare("SELECT column FROM table WHERE name=?");

/* Bind parameters */
$stmt -> bind_param("s", $_POST['checkname']);

/* Execute it */
$stmt -> execute();

/* Bind results */
$stmt -> bind_result($result);

/* Fetch the value */
$stmt -> fetch();

echo $result;

Check the manual for more info.

A quick rundown, in response to the comment:

  • In $stmt->prepare("..."), you're forming your query, and you hold the place of any variables you intend to use with a "?"

  • In $stmt -> bind_param(...), you're binding the variables to their corresponding question mark. The first argument is the type, the following arguments are the variables. If you were using a string and an integer, inside the parenthesis it would look like "si", $stringVar, $intVar

  • In $stmt -> bind_result(...) you are stating what you are binding the results to. If the query was for a name and age, inside the parethesis would look like $name, age

  • In $stmt->fetch(), you're fetching the result. If it was multiple rows returned, you would do something like:

    while($stmt->fetch()) { //code here }

Alternatively, you could use PDO. It would look something like this:

/* Create a prepared statement */
$stmt = $pdo->prepare("SELECT column FROM table WHERE name=:checkname");

/* Bind parameters */
$stmt->bindParam(':checkname', $_POST['checkname']);

/* Execute it */
$stmt->execute();

/* Fetch results */
$obj = $stmt->fetchObject();

echo $obj->column;

Check the manual for more info.

Upvotes: 5

James John
James John

Reputation: 415

it works, just try it out like this

following your code...

if(isset($_POST['checkname']))
    {
        //to avoid SQL injections
        $post = mysql_real_escape_string(trim($_POST['checkname']));

        $query = "SELECT column FROM `table` WHERE name = '$post'";``
        $result = mysqli_query($db, $query) or die ("no query");
        $cod = mysqli_fetch($result);
        echo $cod;
    }

Upvotes: -1

Related Questions