
I am trying to get values from MySQL database where the value of the Username column is the same as the parameter being passed in. The parameter being passed in is "Griffin".

function logIntoDb($username)
{
    // $username is interpolated without quotes, so for "Griffin" the SQL sent is
    // ... WHERE Griffin=Username, and Griffin is parsed as a column name, not a string
    $users = mysqli_query($GLOBALS['con'], "SELECT Id, Username FROM Users WHERE $username=Username");
    while($row = mysqli_fetch_array($users))
    {
        echo "\"Match: " . $row['Id'] . "=" . $row['Username'] . "\"";
        echo " - " . ($username==$row['Username'] ? "true" : "false");
        echo "<br/>";
    }
}

The above keeps returning an empty result, which causes my while loop to throw this warning.

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /home/a654/public_html/Top/Bottom/log.php on line 16

Here is the Users table:

Id | CreatedOn           | Username | Info | Status | Rank | Total
---|---------------------|----------|------|--------|------|-------
1  | 0000-00-00 00:00:00 | Peter    | 123  | Good   | High | 111.11
2  | 0000-00-00 00:00:00 | Griffin  | 123  | Bad    | Low  | 000.00

Is there something that I am not seeing that prevents the Griffin row from being returned?

  • It should be the other way around like this... "SELECT Id, Username FROM Users WHERE Username='$username'" Commented Nov 30, 2013 at 18:00
  • By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks. Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. bobby-tables.com/php has examples to get you started, and this question has many examples in detail. Learn how to do it right before the bad habits become part of your thinking. Commented Nov 30, 2013 at 18:01

3 Answers


You seem to be missing the apostrophes around the username. Change this:

"SELECT Id, Username FROM Users WHERE $username=Username"

Into this:

"SELECT Id, Username FROM Users WHERE '$username'=Username"



Your query should be "SELECT Id, Username FROM Users WHERE '$username'=Username"

You need the single quotes since it's a string and not a number.

3 Comments

Let's say I had two parameters called $id and $time; the $id that is being passed will be a numeric value and the $time that is being passed will be a numeric value (representing the number of seconds). Their respective values in the database are type int(11). If I was to compare the parameter with the value in the database like I did above, would I still have to use single quotes since it isn't a string?
No, if both are int types, you do not need single quotes. You only have to use single quotes to encapsulate a string.
Thanks for the confirmation.
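The quoting fix in the answers makes the query work, and the comment under the question points at the safer way to do the same thing: a prepared statement, where the value is bound separately and the driver handles quoting. The example below is added here and is not code from the question or from any answer. It shows the Username lookup and the integer case discussed in the comments above (an int parameter against an int(11) column, where the bind type replaces the quotes-or-no-quotes decision). It assumes an open mysqli connection in $GLOBALS['con'], as in the question, and the Users table shown there.

```php
<?php
// Added example, not code from the question or any answer. Assumes an open
// mysqli connection in $GLOBALS['con'] (as in the question) and the Users
// table shown there, with Id an integer column and Username a string column.

function logIntoDb(string $username): array
{
    $con = $GLOBALS['con'];

    // The "?" placeholder stands in for the string literal. The value travels
    // separately from the SQL text, so no quotes are needed around it and a
    // value such as O'Malley can neither break nor alter the statement.
    $stmt = $con->prepare("SELECT Id, Username FROM Users WHERE Username = ?");
    if ($stmt === false) {
        // prepare() returns false when the SQL itself is invalid (the query in
        // the question failed at this stage, since Griffin was read as a column
        // name). Report the server's message rather than letting a later call
        // fail with "boolean given".
        throw new RuntimeException("prepare failed: " . $con->error);
    }

    $stmt->bind_param("s", $username);     // "s": bind as a string
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }

    $matches = [];
    $result = $stmt->get_result();         // get_result() needs the mysqlnd driver
    while ($row = $result->fetch_assoc()) {
        $matches[] = $row;
        echo "\"Match: " . $row['Id'] . "=" . $row['Username'] . "\"";
        echo " - " . ($username === $row['Username'] ? "true" : "false");
        echo "<br/>";
    }
    $stmt->close();
    return $matches;
}

// The integer case from the comments: an int parameter compared with an int(11)
// column. With a prepared statement the type is declared by the bind letter
// ("i"), not by whether the SQL text carries quotes.
function findUserById(int $id): ?array
{
    $con = $GLOBALS['con'];
    $stmt = $con->prepare("SELECT Id, Username FROM Users WHERE Id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("i", $id);           // "i": bind as an integer
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with the data from the question: Griffin is the row with Id 2.
logIntoDb("Griffin");
var_dump(findUserById(2));
```

Checking the return value of prepare() and execute() is what turns the "boolean given" warning in the question into a message that names the actual SQL error. If the mysqlnd driver is not available, replace get_result() with bind_result() and fetch(); the binding of the input value is unchanged.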

Replace $username with '$username', provided everything else is fine.
