PHP MySql Select statement not working... Any advice?

Question

[UPDATED] with new code "sql_real_escape_string()"
[UPDATED] if anyone wants to look at the site its at Test site
[UPDATED] with the while code showing any results via echo

Hello All,

I have looked at many posts on this matter, but simply cannot understand why the following code doesn't work:

    $username = $_POST['username'];

    // get the record of the user, by looking up username in the database.  
    $query = sprintf("SELECT UserName, Password FROM userlogin WHERE UserName='%s'", mysql_real_escape_string($username));

    $result = mysqli_query($dbc, $query) or 
        die ("Error Querying Database for: " . $query . 
        "<br />Error Details: " . mysql_error() . "<br/>" . $result);

while ($row = mysqli_fetch_assoc($result))
{
         Echo($row['UserName']);
}

The Code seems to be correct... the database is working perfectly (for input purposes) and the connection is a shared connection applied with require_once('databaseconnection.php'); that is working for the registration side of things.

like normal I'm sure this is something simple that I have overlooked but cannot for the life of me see it!

I do not get any error messages from the myssql_error() its simply blank.

any help would be much appreciated.

Regards

Answer 1

Try printing $data variable instead of printing only query. Check, whether you are able to get any error messages. If you could see any data then you should use mysql fetch function to iterate things. Try it.

Answer 2

Check the username you try to query as it might be empty. Do you really use a post-request to run that script? How do you verify that it does not work? What do you do with $data after the query?

If just nothing seems to happen it is likely your query did not match any record. Check for whitespace and case of the username you are looking for.

Mind those warnings:

• Use a prepared statement or at least sql-escape any user-input before using it in sql.
• Don't use die in serious code only for debugging.

Answer 3

This piece of code seems ok. That is, if $dbc contains an actual database connection. But the choice of naming that variable $data while the function actually returns a result object or a boolean, indicates that you may process the data wrong.

If that is not the problem, we'll definately have to see more code.

Answer 4

You might have some issue with the query. Have you Tried to echo the $query and run that directly with mysql client or workbench?

Answer 5

The $data will contain a result object. You need to iterate over it using something like mysqli_fetch_assoc($data).

Also, you can interpolate variables directly into double quoted strings - i.e. UserName='".$username."'" could be written more cleanly as UserName='$username' rather than breaking out of the string.

Also, please sanitize your input - all input is evil - using mysqli_real_escape_string() function. You've got a SQL injection exploit waiting to happen here.

Bear in mind that it's a very good idea to validate all data to be inserted into a database.

Answer 6

Very often you have problems with query itself, not implementation. Try it in phpMyAdmin first and see if there are any problems. Check server logs.

BY THE WAY: Never put variables from POST to query! That's definitely a SQL injection'