How to fetch data in PHP with MySQLi?
First, you have no single quotes ' around $_POST[password]:
$query = "SELECT * FROM teacher WHERE tremail='". $_POST['email'] ."' and trpasssword='" . $_POST['password'] . "'";
$result = mysqli_query($con, $query) or die(mysqli_error($con));
$flag = FALSE;
while ($row = mysqli_fetch_array($result, MYSQLI_BOTH)) {
    $_SESSION['email'] = $row['email'];
    $flag = TRUE;
}
But past that, do you even have a MySQL database connection set here? I see $con but is that really working?
Also, check if there are errors by adding or die(mysqli_error($con)) to your mysqli_query($con, $query) line.
Also, you have a $_SESSION value, but do you even set session_start at the beginning of your script?
But I also recommend you use mysqli_stmt_bind_param for your values to at least escape them if you are not going to do basic validation:
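$query = "SELECT * FROM teacher WHERE tremail=? and trpasssword=?";
// Prepare first: mysqli_stmt_bind_param needs a statement, not the query string
$stmt = mysqli_prepare($con, $query) or die(mysqli_error($con));
mysqli_stmt_bind_param($stmt, 'ss', $_POST['email'], $_POST['password']);
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
// Fetch the rows from the executed statement (requires the mysqlnd driver)
$result = mysqli_stmt_get_result($stmt);
$flag = FALSE;
while ($row = mysqli_fetch_array($result, MYSQLI_BOTH)) {
    $_SESSION['email'] = $row['email'];
    $flag = TRUE;
}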
Author by
Rahul Goel
Updated on November 26, 2022
Comments
-
Rahul Goel over 1 year
I tried several times but cannot succeed in getting the right syntax—according to PHP 5.5.12 —to fetch single or multiple rows from my database.
session_start();
$con=mysqli_connect("localhost","root","","doortolearn");
if (!$con) {
    echo "Could not connect to DBMS";
}
$query="select * from teacher where tremail='$_POST[email]' and trpasssword='$_POST[password]'";
$result=mysqli_query($con,$query);
$flag=FALSE;
while ($row=mysqli_fetch_array($result,MYSQLI_BOTH)) {
    $_SESSION['email']=$row['email'];
    $flag=TRUE;
}
-
ɹɐqʞɐ zoɹǝɟ almost 10 years
why no quotes around $_POST[password]
-
ɹɐqʞɐ zoɹǝɟ almost 10 years
Always print your query, then you'll know what was the problem
-
bansi almost 10 years
guys, welcome to hackers heaven!!! NEVER use posted data directly to run query.
-
Admin almost 10 years
unhashed unsalted password - tisk tisk
-
bansi almost 10 years
'$_POST[email]' should be '{$_POST['email']}'. You missed braces, but I don't recommend using it in your query
-
bansi almost 10 years
When you finish the site, let me know, my password is going to be ' OR 1
-
user2864740 almost 10 years
See stackoverflow.com/questions/60174/… (which would also "fix" at least one of the issues)
-
Rahul Goel almost 10 years
I'm a beginner till now... Please help me out, rather than increasing my probs
-
bansi almost 10 years
check these links also unixwiz.net/techtips/sql-injection.html and en.wikipedia.org/wiki/SQL_injection or search google for sql injection. You will get tons of resources at any level
-
bansi almost 10 years
check @JakeGould's solution. that is a good place to start
-
Mawg says reinstate Monica almost 10 years
How do you get down from an elephant? You don't - you get down from a duck! How do you do this with mysqli? You don't, you do it with PDO. Especially if you are just learning, learn with PDO. Also, always use parameter binding for input from the user (which includes $_GET), and use filter_input(INPUT_GET, <field>), don't access $_GET directly. And don't store the password in the database, store its sha1() hash.
-
Your Common Sense almost 10 years
@Mawg what does filter_input have to do with this question? What's wrong with mysqli?
-
dpapadopoulos about 5 years
please explain in detail your code if it is possible.
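
An added example, not code from the answer or the comments above, that puts the thread's two points together: user input reaches the query only through a bound parameter, and the password is checked against a stored hash instead of being compared in SQL. It reuses the question's connection settings and teacher table; find_teacher is a hypothetical helper name, and it is an assumption that trpasssword holds password_hash() output rather than the plain-text value the question stores.

```php
<?php
// Added example. Assumption: teacher.trpasssword contains password_hash()
// output, not the plain-text password used in the question.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Hypothetical helper: returns the teacher's row when the credentials
 * are valid, otherwise null.
 */
function find_teacher(mysqli $con, $email, $password)
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = mysqli_prepare(
        $con,
        'SELECT tremail, trpasssword FROM teacher WHERE tremail = ? LIMIT 1'
    );
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
    $row = mysqli_fetch_assoc($result);      // no row when the e-mail is unknown
    mysqli_stmt_close($stmt);

    // The password never appears in the WHERE clause; it is verified in PHP
    // against the stored hash.
    if (!$row || !password_verify($password, $row['trpasssword'])) {
        return null;
    }
    return $row;
}

session_start();
$con = mysqli_connect('localhost', 'root', '', 'doortolearn');

// Basic validation: a syntactically valid e-mail and a non-empty string password.
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$password = (isset($_POST['password']) && is_string($_POST['password']))
    ? $_POST['password'] : '';

$flag = false;
if ($email && $password !== '') {
    $teacher = find_teacher($con, $email, $password);
    if ($teacher !== null) {
        session_regenerate_id(true); // new session id after a successful login
        $_SESSION['email'] = $teacher['tremail'];
        $flag = true;
    }
}
```

With this layout a value containing quotes is matched or hashed as ordinary data, so it cannot change the shape of the query.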