0

I have a very simple table that contains a list of 'victims' and the corresponding number of that type destroyed. I'm trying to make an output page of this information, using this code:

foreach( $victims as $vic )
{
   $hits = mysql_query("SELECT amount
                          FROM victims
                         WHERE victim = ".$vic );

   echo $hits;

   print "$vic: $hits <br /><hr>";
}

However, hits comes out empty. What's wrong with my SQL query?

Improve this question
1
  • 2
    Depending on the type of $vic, you more than likely have a MASSIVE SQL Injection vulnerability. Either explicitly cast it to an integer if that's what it's supposed to be ".(int) $vic);, or wrap it in quotes and escape it: '".mysql_real_escape_string($vic)."'");... Commented Aug 20, 2010 at 17:56

3 Answers 3

Reset to default
1 
foreach($victims as $vic)
{
   $hits = mysql_query('SELECT amount
                        FROM victims
                        WHERE victim = "' . mysql_real_escape_string($vic) . '"');

   if($hits && mysql_num_rows($hits)>0) {
        while($row = mysql_fetch_array($hits)) {
               echo '<p>' . $row['amount'] . ' hits</p>';
        }
   } else {
        echo '<p>' . mysql_error() . '</p>';
   }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Some error checking would be nice, as I have a feeling that there's a query error (Since mysql_query returns a resource, and printing a resource results in a number)...
This comes up with 1Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/queenofsheep.com/httpdocs/Sheep/victimlist.php on line 25 chickens: `
And that's why there needs to be error checking ;-)... There's an error in your query...
0 rows will just print out blank...it's difficult to tell what he truly wants to display in that case. Wasn't aware of that quirk with mysql_real_Escape_string though, I better look into it. I always use single quotes on my strings since they'll run faster than doubles (IE not looking for variables). Thanks for the tip!
Single quotes don't run measurably faster... It's a total micro-optimization to do that. After checking the docs, I was wrong and mres does escape double quotes. So it's not that bad (even though I still personally don't like to see double quotes in queries, but I guess that's just personal preference)...
|
0

mysql_query() doesn't return the actual result of your query, but rather a resource with which you can then access the results.

This is a typical pattern:

$result = mysql_query(...);
$row = mysql_fetch_assoc($result);
print($row['amount']);

Each call to mysql_fetch_assoc returns the next row of the result set. If you were expecting multiple rows to be returned, you can call this in a while loop:

$result = mysql_query(...);
while ($row = mysql_fetch_assoc($result)) {
    print($row['amount']);
}
Improve this answer

Comments

0

Since there's no sane error checking in any of the answers, I'll put the whole thing in here:

foreach( $victims as $vic )
{
   $sql = "SELECT amount
               FROM victims
               WHERE victim = '".mysql_real_escape_string($vic)."'";
   $result = mysql_query($sql);
   $result or die('Query Error: '.mysql_error() . ' - ' . $sql);

   $hitsarray = mysql_fetch_assoc($result);
   if ($hitsarray) {
       $hits = $hitsarray['amount'];
   } else {
       // No row was found
       $hits = 0;
   }

   echo $hits;

   print "$vic: $hits <br /><hr>";
}

Oh, and this fixes the query error that caused the issue in the first place. Note the quotes wrapping the $vic variable in the string, as well as the proper escaping of the string...

Improve this answer

2 Comments

The error checking and security issues are certainly important. I didn't include this in my answer because I found them to be outside the scope of the question: why is mysql_query() not returning what the OP was expecting? Going into other issues just seems to get away from the original question. For example, I personally prefer prepared statements for queries and wouldn't be looping around my database calls, but that doesn't directly relate to what was being asked.
Fair enough @Edward... It's still a major pet peeve of mine to see that stuff left out. Mainly because if there was error checking the original question would not exist (since they would have seen the error and understood why nothing happened)...

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.