1

What I want is to query my db with a POST variable in the query. It's not really working for me; does anyone know how to do it properly? Here is what I have so far.

$query = "SELECT column FROM `table` WHERE 'name' = '$_POST[checkname]'";
$result = mysqli_query($db, $query) or die ("no query");
$cod = mysqli_fetch($result);
echo $cod;

Any help is appreciated. Thanks guys.

1
  • Escaping would help with doing it properly. Better yet bound params, which Mysqli already supports. Commented Nov 14, 2013 at 23:15

3 Answers

5

Mysqli supports prepared statements, which protect against SQL injection attacks. It would look like this:

/* Create a prepared statement */
$stmt = $mysqli -> prepare("SELECT `column` FROM `table` WHERE `name` = ?"); /* `column` and `table` are reserved words in MySQL, so they must be backtick-quoted */

/* Bind parameters */
$stmt -> bind_param("s", $_POST['checkname']);

/* Execute it */
$stmt -> execute();

/* Bind results */
$stmt -> bind_result($result);

/* Fetch the value */
$stmt -> fetch();

echo $result;

Check the manual for more info.

A quick rundown, in response to the comment:

  • In $stmt->prepare("..."), you're forming your query, and you hold the place of any variables you intend to use with a "?"

  • In $stmt -> bind_param(...), you're binding the variables to their corresponding question mark. The first argument is the type, the following arguments are the variables. If you were using a string and an integer, inside the parentheses it would look like "si", $stringVar, $intVar

  • In $stmt -> bind_result(...) you are stating what you are binding the results to. If the query was for a name and age, inside the parentheses it would look like $name, $age

  • In $stmt->fetch(), you're fetching the result. If it was multiple rows returned, you would do something like:

    while ($stmt->fetch()) { /* code here */ }

Alternatively, you could use PDO. It would look something like this:

/* Create a prepared statement */
$stmt = $pdo->prepare("SELECT `column` FROM `table` WHERE `name` = :checkname"); /* reserved words backtick-quoted */

/* Bind parameters */
$stmt->bindParam(':checkname', $_POST['checkname']);

/* Execute it */
$stmt->execute();

/* Fetch results */
$obj = $stmt->fetchObject();

echo $obj->column;

Check the manual for more info.


2 Comments

Thanks man. I'm not quite up-to-date with what's happening in this, however I adapted it to mine and it works, so thanks for that! :)
No problem, any time! I updated my answer to give a brief rundown of what is going on in the code. Enjoy!
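A fuller version of the mysqli approach, added here as an example and not taken from the answer above: it validates the POST field, binds the value instead of interpolating it, loops over however many rows come back, and reports failures through exceptions. It assumes an existing mysqli connection in $db, a table `table` with columns `name` and `column`, and a hypothetical 64-character limit on the input.

```php
<?php
// Added example (not from the original answers). Assumes a mysqli
// connection in $db and a table `table` with columns `name`, `column`.
declare(strict_types=1);

// Throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return every `column` value whose `name` equals $name.
 * The value is bound, never interpolated, so a quote in it (O'Brien)
 * is compared literally instead of becoming part of the SQL text.
 */
function lookup_column(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT `column` FROM `table` WHERE `name` = ?');
    $stmt->bind_param('s', $name);   // 's' = one string parameter
    $stmt->execute();

    $rows = [];
    $stmt->bind_result($value);
    while ($stmt->fetch()) {         // handles zero, one or many rows
        $rows[] = $value;
    }
    $stmt->close();
    return $rows;
}

// Only act on a POST that actually carries the field; reject empty input.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['checkname'])) {
    $name = trim((string) $_POST['checkname']);
    if ($name === '' || strlen($name) > 64) {   // hypothetical length limit
        http_response_code(400);
        exit('invalid name');
    }
    try {
        $values = lookup_column($db, $name);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());   // log details, never show them to users
        http_response_code(500);
        exit('query failed');
    }
    if ($values === []) {
        echo 'no match';
    } else {
        // escape on output too, since the value is going into HTML
        echo htmlspecialchars(implode(', ', $values), ENT_QUOTES, 'UTF-8');
    }
}
```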
0

// it absolutely
// works

if (isset($_POST['checkname'])) {
    // escape with the mysqli function, passing the connection
    $post = mysqli_real_escape_string($db, trim($_POST['checkname']));

    $query = "SELECT `column` FROM `table` WHERE name = '$post'";
    $result = mysqli_query($db, $query) or die ("no query");
    $cod = mysqli_fetch_all($result); // array of rows, each a numerically indexed array
    echo implode($cod[0]);
    echo implode($cod[1]); // for a particular row (second row, if there is one)
}

Comments

-1

it works, just try it out like this

following your code...

if (isset($_POST['checkname'])) {
    // to avoid SQL injections
    $post = mysql_real_escape_string(trim($_POST['checkname']));

    $query = "SELECT `column` FROM `table` WHERE name = '$post'";
    $result = mysqli_query($db, $query) or die ("no query");
    $cod = mysqli_fetch_assoc($result); // one row as an associative array
    echo $cod['column'];
}

1 Comment

That line should be $post = mysqli_real_escape_string(trim($_POST['checkname'])); As it is now it is missing the "i". Prepared statements are the better route to take, though.
