Reputation: 3
<?php
echo "
<html>
<body style=\"background-color:#d3ddd1\">
<form method=\"post\" name=\"report\" >
<p>Counselor Report</p>
<p>Enter email address</p>
<input type=\"email\" name=\"email\" /><br />
<p>Select a start date</p>
<input type=\"date\" name=\"from\" /><br />
<p>Select an end date</p>
<input type=\"date\" name=\"until\" /><br />
<p>Click Below</p>
<input type=\"submit\" value=\"run report\" />
</form>
</body>
</html> ";
function get_report()
{
$e_mail = $_POST['email'];
include ('dbconn.php');
$sql = "SELECT a.user_email,a.ID, b.ID, b.post_title \n"
. " FROM\n"
. " wp_posts b\n"
. " INNER JOIN\n"
. " wp_users a\n"
. " ON\n"
. " a.user_email ='".$e_mail."' AND a.ID=b.ID\n"
. " ORDER BY\n"
. " post_date";
$result = $conn->query($sql);
var_dump($results);
}
get_report();
?>
First-time question. I can use a real email address in the query with phpMyAdmin and get a proper return; when I try to incorporate a variable in the PHP query to the db, I get a return of NULL, which is not the same return. No errors reported.
Question: What syntax do I use with the variable to enable functionality with PHP?
Upvotes: 0
Views: 38
Reputation: 5246
$result = $conn->query($sql);
var_dump($results);
Check the spelling of your variable name.
Having said that, you really should be using a prepared statement for this. The syntax would be
$sql = "SELECT a.user_email, a.ID, b.ID, b.post_title
FROM wp_posts b
INNER JOIN wp_users a
ON a.ID = b.ID
WHERE a.user_email = ?
ORDER BY post_date";
$stmt = $conn->prepare($sql);
$stmt->bind_param('s', $e_mail); // 's' means param is a string
$stmt->execute();
$result = $stmt->get_result(); // returns a mysqli_result object
The clause WHERE a.user_email = ? includes a parameter placeholder which will be filled in later by a call to mysqli_stmt::bind_param().
In addition to helping protect against SQL injection, prepared statements automagically handle parameter type matching, quoting and escaping for you.
As is my custom, I leave error handling as an exercise for the reader.
Upvotes: 2
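As an added example (not the answer's own code, nor the asker's), here is the asker's get_report() rewritten around the prepared statement the answer shows, with the error handling the answer leaves out: mysqli is switched to exception mode so a failed query cannot silently yield NULL, the e-mail is validated before it reaches the database, and the output is HTML-escaped. It assumes, as the question does, that dbconn.php provides a connected mysqli object in $conn; the column aliases user_id and post_id are mine (the original selects two columns both named ID, which collide in an associative row), and the a.ID = b.ID join condition is kept exactly as the question wrote it.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes dbconn.php defines $conn as a connected mysqli object (as in the question).
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false/NULL on failure;
// a quietly failing $conn->query() is what hid the bug in the original code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch the posts for one user by e-mail address.
 * Returns an array of associative rows, or throws on invalid input / database error.
 */
function get_report(mysqli $conn, string $e_mail): array
{
    // Reject anything that is not syntactically an e-mail before it reaches the database.
    if (filter_var($e_mail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Not a valid e-mail address');
    }

    // The ? placeholder is bound below; the value is never spliced into the SQL text,
    // so a quote or comment sequence inside $e_mail cannot alter the query.
    // Aliases user_id/post_id are an addition so the two ID columns do not collide.
    $sql = "SELECT a.user_email, a.ID AS user_id, b.ID AS post_id, b.post_title
              FROM wp_posts b
        INNER JOIN wp_users a ON a.ID = b.ID
             WHERE a.user_email = ?
          ORDER BY b.post_date";

    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $e_mail);   // 's': bind the value as a string
    $stmt->execute();

    $result = $stmt->get_result();     // mysqli_result; requires the mysqlnd driver
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Run the report only on a POST; the form itself (omitted here) is shown on GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    include 'dbconn.php';              // defines $conn (assumption taken from the question)
    try {
        $rows = get_report($conn, (string) ($_POST['email'] ?? ''));
        if ($rows === []) {
            echo "<p>No posts found for that address.</p>\n";
        }
        foreach ($rows as $row) {
            // Escape output so a stored post title cannot inject HTML/JS into the report page.
            printf("<p>%s: %s</p>\n",
                htmlspecialchars($row['user_email'], ENT_QUOTES, 'UTF-8'),
                htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8'));
        }
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "</p>\n";
    } catch (mysqli_sql_exception $e) {
        // Log the driver message server-side; never echo it to the browser.
        error_log('report query failed: ' . $e->getMessage());
        http_response_code(500);
        echo "<p>Report could not be generated.</p>\n";
    }
}
```

With MYSQLI_REPORT_STRICT enabled, the spelling mistake from the question ($results versus $result) would surface as an undefined-variable warning rather than a silent NULL, and a bad SQL statement becomes a mysqli_sql_exception you can catch and log instead of an empty page.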