How to fetch data in PHP with MySQLi?

30,643

First, you have no single quotes ' around $_POST[password]:

$query = "SELECT * FROM teacher WHERE tremail='". $_POST['email'] ."' and trpasssword='" . $_POST['password'] . "'";
$result = mysqli_query($con, $query) or die(mysqli_error($con));
$flag = FALSE;
while ($row = mysqli_fetch_array($result, MYSQLI_BOTH)) {
    $_SESSION['email'] = $row['email'];
    $flag = TRUE;
}

But past that, do you even have a MySQL database connection set here? I see $con but is that really working?

Also, check if there are errors by adding or die(mysqli_error($con)) to your mysqli_query($con, $query) line.

Also, you have a $_SESSION value, but do you even set session_start at the beginning of your script?

But I also recommend you use mysqli_stmt_bind_param for your values to at least escape them if you are not going to do basic validation:

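$query = "SELECT * FROM teacher WHERE tremail=? and trpasssword=?";
// Prepare first: bind_param works on a statement handle, not on the SQL string.
$stmt = mysqli_prepare($con, $query) or die(mysqli_error($con));
mysqli_stmt_bind_param($stmt, 'ss', $_POST['email'], $_POST['password']);
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
// Fetch the result set from the executed statement (requires mysqlnd).
$result = mysqli_stmt_get_result($stmt);
$flag = FALSE;
while ($row = mysqli_fetch_array($result, MYSQLI_BOTH)) {
    $_SESSION['email'] = $row['email'];
    $flag = TRUE;
}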
Author by

Rahul Goel

Updated on November 26, 2022
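
The prepared-statement approach recommended in the answer, written out as a complete login check. This is an added example, not code from the original answer: it assumes PHP 7.1+ with mysqlnd, the table and column names from the question, and that trpasssword holds a password_hash() value; find_teacher is a hypothetical helper.

```php
<?php
// Added example. Assumes the `teacher` table and columns from the question
// (tremail, trpasssword) and, as an assumption, that trpasssword stores a
// password_hash() value instead of the plaintext password.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

/** Hypothetical helper: returns the teacher row for valid credentials, else null. */
function find_teacher(mysqli $con, string $email, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = mysqli_prepare($con, 'SELECT tremail, trpasssword FROM teacher WHERE tremail = ?');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
    $row = mysqli_fetch_assoc($result);        // null when no row matches
    mysqli_stmt_close($stmt);

    // Compare against the stored hash in PHP, not in the WHERE clause.
    if (!$row || !password_verify($password, $row['trpasssword'])) {
        return null;
    }
    return $row;
}

session_start();
$con = mysqli_connect('localhost', 'root', '', 'doortolearn');
mysqli_set_charset($con, 'utf8mb4');

// filter_input returns null for a missing field and false for array input.
$email    = filter_input(INPUT_POST, 'email', FILTER_UNSAFE_RAW);
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);

$teacher = (is_string($email) && is_string($password))
    ? find_teacher($con, $email, $password)
    : null;

if ($teacher !== null) {
    session_regenerate_id(true);               // new session id after login
    $_SESSION['email'] = $teacher['tremail'];
    echo 'Logged in';
} else {
    echo 'Invalid email or password';          // same message for both failure cases
}
```

With the input bound as a parameter, a value such as the ' OR 1 quoted in the comments is compared as a literal string and matches no row.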

Comments

  • Rahul Goel over 1 year

    I tried several times but cannot succeed in getting the right syntax—according to PHP 5.5.12 —to fetch single or multiple rows from my database.

    session_start();
    $con=mysqli_connect("localhost","root","","doortolearn");
    if (!$con) {
        echo "Could not connect to DBMS";       
    }
        $query="select * from teacher where tremail='$_POST[email]' and trpasssword='$_POST[password]'";
        $result=mysqli_query($con,$query);
        $flag=FALSE;
        while ($row=mysqli_fetch_array($result,MYSQLI_BOTH)) {
            $_SESSION['email']=$row['email'];
            $flag=TRUE;
        }
    
    • ɹɐqʞɐ zoɹǝɟ almost 10 years
      why no quotes around $_POST[password]
    • ɹɐqʞɐ zoɹǝɟ almost 10 years
      Always print your query, then you'll know what was the problem
    • bansi almost 10 years
      guys, welcome to hackers heaven!!! NEVER use posted data directly to run query.
    • Admin almost 10 years
      unhashed unsalted password - tisk tisk
    • bansi almost 10 years
      '$_POST[email]' should be '{$_POST['email']}' you missed braces. but i don't recommend using it in your query
    • bansi almost 10 years
      When you finish the site, let me know, my password is going to be ' OR 1
    • user2864740 almost 10 years
      See stackoverflow.com/questions/60174/… (which would also "fix" at least one of the issues)
    • Rahul Goel almost 10 years
      I'm a beginner till now... Please help me out, rather than increasing my probs
    • bansi almost 10 years
      check these links also unixwiz.net/techtips/sql-injection.html and en.wikipedia.org/wiki/SQL_injection or search google for sql injection you will get tons of resources at any level
    • bansi almost 10 years
      check @JakeGould's solution. that is a good place to start
    • Mawg says reinstate Monica almost 10 years
      How do you get down from an elephant? You don't - you get down from a duck! How do you do this with mysqli? You don't, you do it with PDO. Especially if you are just learning, learn with PDO. Also, always use parameter binding for input from the user (which includes $_GET), and use filter_input(INPUT_GET, <field>), don't access $_GET directly. And don't store the password in the database, store its sha1() hash.
    • Your Common Sense almost 10 years
      @Mawg what does filter_input have to do with this question? What's wrong with mysqli?
  • dpapadopoulos about 5 years
    please explain in detail your code if it is possible.