Related
I am trying to select data from a MySQL table, but I get one of the following error messages:
mysql_fetch_array() expects parameter 1 to be resource, boolean given
This is my code:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
while($row = mysql_fetch_array($result)) {
echo $row['FirstName'];
}
A query may fail for various reasons in which case both the mysql_* and the mysqli extension will return false from their respective query functions/methods. You need to test for that error condition and handle it accordingly.
mysql_ extension:
NOTE The mysql_ functions are deprecated and have been removed in php version 7.
Check $result before passing it to mysql_fetch_array. You'll find that it's false because the query failed. See the [mysql_query][1] documentation for possible return values and suggestions for how to deal with them.
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '$username'");
if($result === FALSE) {
trigger_error(mysql_error(), E_USER_ERROR);
}
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
This error message is displayed when you have an error in your query which caused it to fail. It will manifest itself when using:
mysql_fetch_array/mysqli_fetch_array()
mysql_fetch_assoc()/mysqli_fetch_assoc()
mysql_num_rows()/mysqli_num_rows()
Note: This error does not appear if no rows are affected by your query. Only a query with an invalid syntax will generate this error.
Troubleshooting Steps
Make sure you have your development server configured to display all errors. You can do this by placing this at the top of your files or in your config file: error_reporting(-1);. If you have any syntax errors this will point them out to you.
Use mysql_error(). mysql_error() will report any errors MySQL encountered while performing your query.
Sample usage:
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");
$sql = "SELECT * FROM table_name";
$result = mysql_query($sql);
if (false === $result) {
echo mysql_error();
}
Run your query from the MySQL command line or a tool like phpMyAdmin. If you have a syntax error in your query this will tell you what it is.
Make sure your quotes are correct. A missing quote around the query or a value can cause a query to fail.
Make sure you are escaping your values. Quotes in your query can cause a query to fail (and also leave you open to SQL injections). Use mysql_real_escape_string() to escape your input.
Make sure you are not mixing mysqli_* and mysql_* functions. They are not the same thing and cannot be used together. (If you're going to choose one or the other stick with mysqli_*. See below for why.)
Other tips
mysql_* functions should not be used for new code. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is good PDO tutorial.
Error occurred here was due to the use of single quotes ('). You can put your query like this:
mysql_query("
SELECT * FROM Users
WHERE UserName
LIKE '".mysql_real_escape_string ($username)."'
");
It's using mysql_real_escape_string for prevention of SQL injection.
Though we should use MySQLi or PDO_MYSQL extension for upgraded version of PHP (PHP 5.5.0 and later), but for older versions mysql_real_escape_string will do the trick.
As scompt.com explained, the query might fail. Use this code the get the error of the query or the correct result:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("
SELECT * FROM Users
WHERE UserName LIKE '".mysql_real_escape_string($username)."'
");
if($result)
{
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
} else {
echo 'Invalid query: ' . mysql_error() . "\n";
echo 'Whole query: ' . $query;
}
See the documentation for mysql_query() for further information.
The actual error was the single quotes so that the variable $username was not parsed. But you should really use mysql_real_escape_string($username) to avoid SQL injections.
Put quotes around $username. String values, as opposed to numeric values, must be enclosed in quotes.
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '$username'");
Also, there is no point in using the LIKE condition if you're not using wildcards: if you need an exact match use = instead of LIKE.
Please check once the database selected are not because some times database is not selected
Check
mysql_select_db('database name ')or DIE('Database name is not available!');
before MySQL query
and then go to next step
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
f($result === FALSE) {
die(mysql_error());
Your code should be something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM Users WHERE UserName LIKE '$username'";
echo $query;
$result = mysql_query($query);
if($result === FALSE) {
die(mysql_error("error message for the user"));
}
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Once done with that, you would get the query printed on the screen. Try this query on your server and see if it produces the desired results. Most of the times the error is in the query. Rest of the code is correct.
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
You define the string using single quotes and PHP does not parse single quote delimited strings. In order to obtain variable interpolation you will need to use double quotes OR string concatenation (or a combination there of). See http://php.net/manual/en/language.types.string.php for more information.
Also you should check that mysql_query returned a valid result resource, otherwise fetch_*, num_rows, etc will not work on the result as is not a result! IE:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
if( $result === FALSE ) {
trigger_error('Query failed returning error: '. mysql_error(),E_USER_ERROR);
} else {
while( $row = mysql_fetch_array($result) ) {
echo $row['username'];
}
}
http://us.php.net/manual/en/function.mysql-query.php for more information.
This query should work:
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
The problem is single quotes, thus your query fails and returns FALSE and your WHILE loop can't execute. Using % allows you to match any results containing your string (such as SomeText-$username-SomeText).
This is simply an answer to your question, you should implement stuff mentioned in the other posts: error handling, use escape strings (users can type anything into the field, and you MUST make sure it is not arbitrary code), use PDO instead mysql_connect which is now depricated.
If you tried everything here, and it does not work, you might want to check your MySQL database collation. Mine was set to to a Swedish collation. Then I changed it to utf8_general_ci and everything just clicked into gear.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'") or die(mysql_error());
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Sometimes suppressing the query as #mysql_query(your query);
$query = "SELECT Name,Mobile,Website,Rating FROM grand_table order by 4";
while( $data = mysql_fetch_array($query))
{
echo("<tr><td>$data[0]</td><td>$data[1]</td><td>$data[2]</td><td>$data[3]</td></tr>");
}
Instead of using a WHERE query, you can use this ORDER BY query. It's far better than this for use of a query.
I have done this query and am getting no errors like parameter or boolean.
Try this, it must be work, otherwise you need to print the error to specify your problem
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * from Users WHERE UserName LIKE '$username'";
$result = mysql_query($sql,$con);
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
There might be two reasons:
Have you opened the connection to the database prior to calling mysql_query function? I don't see that in your code. Use mysql_connect before making the query. See php.net/manual/en/function.mysql-connect.php
The variable $username is used inside a single quote string, so its value will not be evaluated inside the query. The query will definitely fail.
Thirdly, the structure of query is prone to SQL injection. You may use prepared statements to avoid this security threat.
Try the following code. It may work fine.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName ='$username'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Go to your config.php. I had the same problem. Verify the username and the password, and also sql select is the same name as the config.
Don't use the depricated mysql_* function (depricated in php 5.5 will be removed in php 7). and you can make this with mysqli or pdo
here is the complete select query
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT id, firstname, lastname FROM MyGuests";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
// code here
}
} else {
echo "0 results";
}
$conn->close();
?>
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '".$username."'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
?>
And if there is a user with a unique user name, you can use "=" for that. There is no need to like.
Your query will be:
mysql_query("SELECT * FROM Users WHERE UserName ='".$username."'");
Include a connection string variable before the MySQL query. For example, $connt in this code:
$results = mysql_query($connt, "SELECT * FROM users");
Any time you get the...
"Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given"
...it is likely because there is an issue with your query. The prepare() or query() might return FALSE (a Boolean), but this generic failure message doesn't leave you much in the way of clues. How do you find out what is wrong with your query? You ask!
First of all, make sure error reporting is turned on and visible: add these two lines to the top of your file(s) right after your opening <?php tag:
error_reporting(E_ALL);
ini_set('display_errors', 1);
If your error reporting has been set in the php.ini you won't have to worry about this. Just make sure you handle errors gracefully and never reveal the true cause of any issues to your users. Revealing the true cause to the public can be a gold engraved invitation for those wanting to harm your sites and servers. If you do not want to send errors to the browser you can always monitor your web server error logs. Log locations will vary from server to server e.g., on Ubuntu the error log is typically located at /var/log/apache2/error.log. If you're examining error logs in a Linux environment you can use tail -f /path/to/log in a console window to see errors as they occur in real-time....or as you make them.
Once you're squared away on standard error reporting adding error checking on your database connection and queries will give you much more detail about the problems going on. Have a look at this example where the column name is incorrect. First, the code which returns the generic fatal error message:
$sql = "SELECT `foo` FROM `weird_words` WHERE `definition` = ?";
$query = $mysqli->prepare($sql)); // assuming $mysqli is the connection
$query->bind_param('s', $definition);
$query->execute();
The error is generic and not very helpful to you in solving what is going on.
With a couple of more lines of code you can get very detailed information which you can use to solve the issue immediately. Check the prepare() statement for truthiness and if it is good you can proceed on to binding and executing.
$sql = "SELECT `foo` FROM `weird_words` WHERE `definition` = ?";
if($query = $mysqli->prepare($sql)) { // assuming $mysqli is the connection
$query->bind_param('s', $definition);
$query->execute();
// any additional code you need would go here.
} else {
$error = $mysqli->errno . ' ' . $mysqli->error; // 1054 Unknown column 'foo' in 'field list'
// handle error
}
If something is wrong you can spit out an error message which takes you directly to the issue. In this case, there is no foo column in the table, solving the problem is trivial.
If you choose, you can include this checking in a function or class and extend it by handling the errors gracefully as mentioned previously.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '".mysql_real_escape_string($username)."'")or die(mysql_error());
while($row=mysql_fetch_array($result))
{
echo $row['FirstName'];
}
?>
Try This
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysqli_query('SELECT * FROM Users WHERE UserName LIKE $username');
if($result){
while($row = mysqli_fetch_array($result))
{
echo $row['FirstName'];
}
}
First, check your connection to the database. Is it connected successfully or not?
If it's done, then after that I have written this code, and it works well:
if (isset($_GET['q1mrks']) && isset($_GET['marks']) && isset($_GET['qt1'])) {
$Q1mrks = $_GET['q1mrks'];
$marks = $_GET['marks'];
$qt1 = $_GET['qt1'];
$qtype_qry = mysql_query("
SELECT *
FROM s_questiontypes
WHERE quetype_id = '$qt1'
");
$row = mysql_fetch_assoc($qtype_qry);
$qcode = $row['quetype_code'];
$sq_qry = "
SELECT *
FROM s_question
WHERE quetype_code = '$qcode'
ORDER BY RAND() LIMIT $Q1mrks
";
$sq_qry = mysql_query("
SELECT *
FROM s_question
WHERE quetype_code = '$qcode'
LIMIT $Q1mrks
");
while ($qrow = mysql_fetch_array($sq_qry)) {
$qm = $qrow['marks'] . "<br />";
$total += $qm . "<br />";
}
echo $total . "/" . $marks;
}
Make Sure You're Not Closing Database By using db_close() Before To
Running Your Query:
If you're using multiple queries in a script even you're including other pages which contains queries or database connection, then it might be possible that at any place you use db_close() that would close your database connection so make sure you're not doing this mistake in your scripts.
If you don't have any MySQL Error appearing while checking, make sure that you properly created your database table. This happened to me. Look for any unwanted commas or quotes.
Check your connection first.
Then if you want to fetch the exact value from the database then you should write:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName =`$usernam`");
Or you want to fetch the LIKE type of value then you should write:
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'");
You can also check wether $result is failing like so, before executing the fetch array
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
if(!$result)
{
echo "error executing query: "+mysql_error();
}else{
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
}
Usually an error occurs when your database conectivity fails, so be sure to connect your database or to include the database file.
include_once(db_connetc.php');
OR
// Create a connection
$connection = mysql_connect("localhost", "root", "") or die(mysql_error());
//Select database
mysql_select_db("db_name", $connection) or die(mysql_error());
$employee_query = "SELECT * FROM employee WHERE `id` ='".$_POST['id']."'";
$employee_data = mysql_query($employee_query);
if (mysql_num_rows($employee_data) > 0) {
while ($row = mysql_fetch_array($employee_data)){
echo $row['emp_name'];
} // end of while loop
} // end of if
Best practice is to run the query in sqlyog and then copy it into your page code.
Always store your query in a variable and then echo that variable. Then pass to mysql_query($query_variable);.
Traditionally PHP has been tolerant to bad practice and failures in code,
which makes debugging quite hard.
The problem in this specific case is that both mysqli and PDO
by default don't tell you, when a query failed and just return FALSE.
(I will not talk about the depricated mysql extention.
The support for prepared statements is reason anough to switch either to PDO or mysqli.)
But you can change the default behavior of PHP to always throw exceptions when a query fails.
For PDO: Use $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
error_reporting(E_ALL);
$pdo = new PDO("mysql:host=localhost;dbname=test", "test","");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$result = $pdo->query('select emal from users');
$data = $result->fetchAll();
This will show you the following:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column 'emal' in 'field list'' in E:\htdocs\test\mysql_errors\pdo.php on line 8
PDOException: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'emal' in 'field list' in E:\htdocs\test\mysql_errors\pdo.php on line 8
As you see, it tells you exactly, what is wrong with the query, and where to fix it in your code.
Without $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
you will get
Fatal error: Call to a member function fetchAll() on boolean in E:\htdocs\test\mysql_errors\pdo.php on line 9
For mysqli: Use mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'test', '', 'test');
$result = $mysqli->query('select emal from users');
$data = $result->fetch_all();
You will get
Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'Unknown column 'emal' in 'field list'' in E:\htdocs\test\mysql_errors\mysqli.php on line 8
mysqli_sql_exception: Unknown column 'emal' in 'field list' in E:\htdocs\test\mysql_errors\mysqli.php on line 8
Without mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); you only get
Fatal error: Call to a member function fetch_all() on boolean in E:\htdocs\test\mysql_errors\mysqli.php on line 10
Of course, you could manually check the MySQL errors.
But I would go crazy if I had to do that every time I made a typo -
or worse - every time I want to query the database.
Try this code it work fine
assign the post variable to the variable
$username = $_POST['uname'];
$password = $_POST['pass'];
$result = mysql_query('SELECT * FROM userData WHERE UserName LIKE $username');
if(!empty($result)){
while($row = mysql_fetch_array($result)){
echo $row['FirstName'];
}
}
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
Ok so I am having some issues with a query. I am working to learn MySQLi as well so there may be some errors. I have a table named Authentication and in it, it has these columns
||id
||UserName
||Password
When running the query I am getting my username as the column name so it gives the unknown column error. I can not seem to see what is wrong with my code. Any help is appreciated.
<?php
// Report all errors
error_reporting(E_ALL);
session_start(); // Start PHP
// Get info sent to server from login form.
$my_username = $_POST['username'];
$my_password = $_POST['password'];
// MD5 Encrypt the password.
$my_password_md5 = md5($my_password);
// Connect to DB
$db = new MySQLi('localhost', 'user', 'password!', 'database');
if ($db->connect_error) {
$error = $db->connect_error;
}
//SQL query
$sql = <<<SQL
SELECT UserName
FROM `Authentication`
WHERE `username` = $my_username HAVING `username` = $my_password_md5
SQL;
$result = $db->query($sql) or die($db->error.__LINE__);
if($result = $db->query($sql))
$rows=mysqli_fetch_assoc($result);
// Count how many rows match that information.
$count=mysqli_num_rows($result);
// Check if there are any matches.
if($count==1)
{// If so, register $my_username, $my_password and redirect to the index page.
ini_set("session.gc_maxlifetime", "18000");
session_cache_expire(18000);
$cache_expire = session_cache_expire();
$_SESSION['username'] = $my_username;
$_SESSION['id'] = $rows['id'];
header("location:http://somesitegoeshere.com");
}
// If not, redirect back to the index page and provide an error.
else {
header("location:http://somesitgoeshere.com?err=1");
}
?>
$sql = <<<SQL
SELECT UserName
FROM `Authentication`
WHERE `username` = $my_username HAVING `username` = $my_password_md5
SQL;
You forgot to quote $my_username. so your query looks like WHERE 'username' = abcdefg HAVING...
Mysql thinks you're trying to compare to a column, put your username in quotes. Also put your password in quotes so it doesnt think your password is a column.
$sql = <<<SQL
SELECT UserName
FROM `Authentication`
WHERE `username` = "$my_username" HAVING `username` = "$my_password_md5"
SQL;
i really dont know why this code isnt working.. database connection works, the timestamp is written to the database.
But i cant figure out why i get a blank page with this code here (i should see the timestamp as echo).
Anyone an idea about this ?
Thank you!
<?php
$user = "daycounter";
$password = "1234";
$database = "daycounter";
$host = "localhost";
$date = time();
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
die("Error: " . $conn->connect_error);
}
//Insert timestamp in database
$sql = "INSERT INTO datum (datum)
VALUES ('".$date."')";
//check if that worked
if ($conn->query($sql) === TRUE) {
echo "That worked!";
}
//get timestamp from db and display it as echo
$select = "SELECT 'datum' FROM 'daycounter'";
$result = mysql_query($select);
while($row = mysql_fetch_object($result))
{
echo "$row->datum";
}
?>
You're using a mysqli DB connection, but calling mysql to do your select. You cannot mix/match the database libraries like that. If you'd had even minimal error checking, you'd have been told that there's no connection to the db:
$result = mysql_query($select) or die(mysql_error());
^^^^^^^^^^^^^^^^^^^^^
Plus, your select query has syntax errors. 'daycounter' is a string literal - you cannot select FROM a string. 'datum' would be syntactically correct, you can select a string literal from a table, but most like you want:
SELECT datum FROM daycounter
or
SELECT `datum` FROM `daycounter`
Neither of those words are a reserved word, so there's NO need to quote them, but if you're one of those people who insist on quoting ALL identifiers, then they must be quoted with backticks, not single-quotes.
$select = "SELECT 'datum' FROM 'daycounter'";
$result = mysqli_query($conn, $select);
while($row = mysqli_fetch_object($result)) {
echo "$row->datum";
}
I am trying to select data from a MySQL table, but I get one of the following error messages:
mysql_fetch_array() expects parameter 1 to be resource, boolean given
This is my code:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
while($row = mysql_fetch_array($result)) {
echo $row['FirstName'];
}
A query may fail for various reasons in which case both the mysql_* and the mysqli extension will return false from their respective query functions/methods. You need to test for that error condition and handle it accordingly.
mysql_ extension:
NOTE The mysql_ functions are deprecated and have been removed in php version 7.
Check $result before passing it to mysql_fetch_array. You'll find that it's false because the query failed. See the [mysql_query][1] documentation for possible return values and suggestions for how to deal with them.
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '$username'");
if($result === FALSE) {
trigger_error(mysql_error(), E_USER_ERROR);
}
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
This error message is displayed when you have an error in your query which caused it to fail. It will manifest itself when using:
mysql_fetch_array/mysqli_fetch_array()
mysql_fetch_assoc()/mysqli_fetch_assoc()
mysql_num_rows()/mysqli_num_rows()
Note: This error does not appear if no rows are affected by your query. Only a query with an invalid syntax will generate this error.
Troubleshooting Steps
Make sure you have your development server configured to display all errors. You can do this by placing this at the top of your files or in your config file: error_reporting(-1);. If you have any syntax errors this will point them out to you.
Use mysql_error(). mysql_error() will report any errors MySQL encountered while performing your query.
Sample usage:
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");
$sql = "SELECT * FROM table_name";
$result = mysql_query($sql);
if (false === $result) {
echo mysql_error();
}
Run your query from the MySQL command line or a tool like phpMyAdmin. If you have a syntax error in your query this will tell you what it is.
Make sure your quotes are correct. A missing quote around the query or a value can cause a query to fail.
Make sure you are escaping your values. Quotes in your query can cause a query to fail (and also leave you open to SQL injections). Use mysql_real_escape_string() to escape your input.
Make sure you are not mixing mysqli_* and mysql_* functions. They are not the same thing and cannot be used together. (If you're going to choose one or the other stick with mysqli_*. See below for why.)
Other tips
mysql_* functions should not be used for new code. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is good PDO tutorial.
Error occurred here was due to the use of single quotes ('). You can put your query like this:
mysql_query("
SELECT * FROM Users
WHERE UserName
LIKE '".mysql_real_escape_string ($username)."'
");
It's using mysql_real_escape_string for prevention of SQL injection.
Though we should use MySQLi or PDO_MYSQL extension for upgraded version of PHP (PHP 5.5.0 and later), but for older versions mysql_real_escape_string will do the trick.
As scompt.com explained, the query might fail. Use this code the get the error of the query or the correct result:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("
SELECT * FROM Users
WHERE UserName LIKE '".mysql_real_escape_string($username)."'
");
if($result)
{
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
} else {
echo 'Invalid query: ' . mysql_error() . "\n";
echo 'Whole query: ' . $query;
}
See the documentation for mysql_query() for further information.
The actual error was the single quotes so that the variable $username was not parsed. But you should really use mysql_real_escape_string($username) to avoid SQL injections.
Put quotes around $username. String values, as opposed to numeric values, must be enclosed in quotes.
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '$username'");
Also, there is no point in using the LIKE condition if you're not using wildcards: if you need an exact match use = instead of LIKE.
Please check once the database selected are not because some times database is not selected
Check
mysql_select_db('database name ')or DIE('Database name is not available!');
before MySQL query
and then go to next step
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
f($result === FALSE) {
die(mysql_error());
Your code should be something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM Users WHERE UserName LIKE '$username'";
echo $query;
$result = mysql_query($query);
if($result === FALSE) {
die(mysql_error("error message for the user"));
}
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Once done with that, you would get the query printed on the screen. Try this query on your server and see if it produces the desired results. Most of the times the error is in the query. Rest of the code is correct.
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
You define the string using single quotes and PHP does not parse single quote delimited strings. In order to obtain variable interpolation you will need to use double quotes OR string concatenation (or a combination there of). See http://php.net/manual/en/language.types.string.php for more information.
Also you should check that mysql_query returned a valid result resource, otherwise fetch_*, num_rows, etc will not work on the result as is not a result! IE:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
if( $result === FALSE ) {
trigger_error('Query failed returning error: '. mysql_error(),E_USER_ERROR);
} else {
while( $row = mysql_fetch_array($result) ) {
echo $row['username'];
}
}
http://us.php.net/manual/en/function.mysql-query.php for more information.
This query should work:
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
The problem is single quotes, thus your query fails and returns FALSE and your WHILE loop can't execute. Using % allows you to match any results containing your string (such as SomeText-$username-SomeText).
This is simply an answer to your question, you should implement stuff mentioned in the other posts: error handling, use escape strings (users can type anything into the field, and you MUST make sure it is not arbitrary code), use PDO instead mysql_connect which is now depricated.
If you tried everything here, and it does not work, you might want to check your MySQL database collation. Mine was set to to a Swedish collation. Then I changed it to utf8_general_ci and everything just clicked into gear.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'") or die(mysql_error());
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Sometimes suppressing the query as #mysql_query(your query);
$query = "SELECT Name,Mobile,Website,Rating FROM grand_table order by 4";
while( $data = mysql_fetch_array($query))
{
echo("<tr><td>$data[0]</td><td>$data[1]</td><td>$data[2]</td><td>$data[3]</td></tr>");
}
Instead of using a WHERE query, you can use this ORDER BY query. It's far better than this for use of a query.
I have done this query and am getting no errors like parameter or boolean.
Try this, it must be work, otherwise you need to print the error to specify your problem
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * from Users WHERE UserName LIKE '$username'";
$result = mysql_query($sql,$con);
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
There might be two reasons:
Have you opened the connection to the database prior to calling mysql_query function? I don't see that in your code. Use mysql_connect before making the query. See php.net/manual/en/function.mysql-connect.php
The variable $username is used inside a single quote string, so its value will not be evaluated inside the query. The query will definitely fail.
Thirdly, the structure of query is prone to SQL injection. You may use prepared statements to avoid this security threat.
Try the following code. It may work fine.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName ='$username'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
Go to your config.php. I had the same problem. Verify the username and the password, and also sql select is the same name as the config.
Don't use the depricated mysql_* function (depricated in php 5.5 will be removed in php 7). and you can make this with mysqli or pdo
here is the complete select query
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT id, firstname, lastname FROM MyGuests";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
// code here
}
} else {
echo "0 results";
}
$conn->close();
?>
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '".$username."'");
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
?>
And if there is a user with a unique user name, you can use "=" for that. There is no need to like.
Your query will be:
mysql_query("SELECT * FROM Users WHERE UserName ='".$username."'");
Include a connection string variable before the MySQL query. For example, $connt in this code:
$results = mysql_query($connt, "SELECT * FROM users");
Any time you get the...
"Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given"
...it is likely because there is an issue with your query. The prepare() or query() might return FALSE (a Boolean), but this generic failure message doesn't leave you much in the way of clues. How do you find out what is wrong with your query? You ask!
First of all, make sure error reporting is turned on and visible: add these two lines to the top of your file(s) right after your opening <?php tag:
error_reporting(E_ALL);
ini_set('display_errors', 1);
If your error reporting has been set in the php.ini you won't have to worry about this. Just make sure you handle errors gracefully and never reveal the true cause of any issues to your users. Revealing the true cause to the public can be a gold engraved invitation for those wanting to harm your sites and servers. If you do not want to send errors to the browser you can always monitor your web server error logs. Log locations will vary from server to server e.g., on Ubuntu the error log is typically located at /var/log/apache2/error.log. If you're examining error logs in a Linux environment you can use tail -f /path/to/log in a console window to see errors as they occur in real-time....or as you make them.
Once you're squared away on standard error reporting adding error checking on your database connection and queries will give you much more detail about the problems going on. Have a look at this example where the column name is incorrect. First, the code which returns the generic fatal error message:
$sql = "SELECT `foo` FROM `weird_words` WHERE `definition` = ?";
$query = $mysqli->prepare($sql)); // assuming $mysqli is the connection
$query->bind_param('s', $definition);
$query->execute();
The error is generic and not very helpful to you in solving what is going on.
With a couple of more lines of code you can get very detailed information which you can use to solve the issue immediately. Check the prepare() statement for truthiness and if it is good you can proceed on to binding and executing.
$sql = "SELECT `foo` FROM `weird_words` WHERE `definition` = ?";
if($query = $mysqli->prepare($sql)) { // assuming $mysqli is the connection
$query->bind_param('s', $definition);
$query->execute();
// any additional code you need would go here.
} else {
$error = $mysqli->errno . ' ' . $mysqli->error; // 1054 Unknown column 'foo' in 'field list'
// handle error
}
If something is wrong you can spit out an error message which takes you directly to the issue. In this case, there is no foo column in the table, solving the problem is trivial.
If you choose, you can include this checking in a function or class and extend it by handling the errors gracefully as mentioned previously.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '".mysql_real_escape_string($username)."'")or die(mysql_error());
while($row=mysql_fetch_array($result))
{
echo $row['FirstName'];
}
?>
Try This
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysqli_query('SELECT * FROM Users WHERE UserName LIKE $username');
if($result){
while($row = mysqli_fetch_array($result))
{
echo $row['FirstName'];
}
}
First, check your connection to the database. Is it connected successfully or not?
If it's done, then after that I have written this code, and it works well:
if (isset($_GET['q1mrks']) && isset($_GET['marks']) && isset($_GET['qt1'])) {
$Q1mrks = $_GET['q1mrks'];
$marks = $_GET['marks'];
$qt1 = $_GET['qt1'];
$qtype_qry = mysql_query("
SELECT *
FROM s_questiontypes
WHERE quetype_id = '$qt1'
");
$row = mysql_fetch_assoc($qtype_qry);
$qcode = $row['quetype_code'];
$sq_qry = "
SELECT *
FROM s_question
WHERE quetype_code = '$qcode'
ORDER BY RAND() LIMIT $Q1mrks
";
$sq_qry = mysql_query("
SELECT *
FROM s_question
WHERE quetype_code = '$qcode'
LIMIT $Q1mrks
");
while ($qrow = mysql_fetch_array($sq_qry)) {
$qm = $qrow['marks'] . "<br />";
$total += $qm . "<br />";
}
echo $total . "/" . $marks;
}
Make Sure You're Not Closing Database By using db_close() Before To
Running Your Query:
If you're using multiple queries in a script even you're including other pages which contains queries or database connection, then it might be possible that at any place you use db_close() that would close your database connection so make sure you're not doing this mistake in your scripts.
If you don't have any MySQL Error appearing while checking, make sure that you properly created your database table. This happened to me. Look for any unwanted commas or quotes.
Check your connection first.
Then if you want to fetch the exact value from the database then you should write:
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM Users WHERE UserName =`$usernam`");
Or you want to fetch the LIKE type of value then you should write:
$result = mysql_query("SELECT * FROM Users WHERE UserName LIKE '%$username%'");
You can also check wether $result is failing like so, before executing the fetch array
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query('SELECT * FROM Users WHERE UserName LIKE $username');
if(!$result)
{
echo "error executing query: "+mysql_error();
}else{
while($row = mysql_fetch_array($result))
{
echo $row['FirstName'];
}
}
Usually an error occurs when your database conectivity fails, so be sure to connect your database or to include the database file.
include_once(db_connetc.php');
OR
// Create a connection
$connection = mysql_connect("localhost", "root", "") or die(mysql_error());
//Select database
mysql_select_db("db_name", $connection) or die(mysql_error());
$employee_query = "SELECT * FROM employee WHERE `id` ='".$_POST['id']."'";
$employee_data = mysql_query($employee_query);
if (mysql_num_rows($employee_data) > 0) {
while ($row = mysql_fetch_array($employee_data)){
echo $row['emp_name'];
} // end of while loop
} // end of if
Best practice is to run the query in sqlyog and then copy it into your page code.
Always store your query in a variable and then echo that variable. Then pass to mysql_query($query_variable);.
Traditionally PHP has been tolerant to bad practice and failures in code,
which makes debugging quite hard.
The problem in this specific case is that both mysqli and PDO
by default don't tell you, when a query failed and just return FALSE.
(I will not talk about the depricated mysql extention.
The support for prepared statements is reason anough to switch either to PDO or mysqli.)
But you can change the default behavior of PHP to always throw exceptions when a query fails.
For PDO: Use $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
error_reporting(E_ALL);
$pdo = new PDO("mysql:host=localhost;dbname=test", "test","");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$result = $pdo->query('select emal from users');
$data = $result->fetchAll();
This will show you the following:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column 'emal' in 'field list'' in E:\htdocs\test\mysql_errors\pdo.php on line 8
PDOException: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'emal' in 'field list' in E:\htdocs\test\mysql_errors\pdo.php on line 8
As you see, it tells you exactly, what is wrong with the query, and where to fix it in your code.
Without $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
you will get
Fatal error: Call to a member function fetchAll() on boolean in E:\htdocs\test\mysql_errors\pdo.php on line 9
For mysqli: Use mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'test', '', 'test');
$result = $mysqli->query('select emal from users');
$data = $result->fetch_all();
You will get
Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'Unknown column 'emal' in 'field list'' in E:\htdocs\test\mysql_errors\mysqli.php on line 8
mysqli_sql_exception: Unknown column 'emal' in 'field list' in E:\htdocs\test\mysql_errors\mysqli.php on line 8
Without mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); you only get
Fatal error: Call to a member function fetch_all() on boolean in E:\htdocs\test\mysql_errors\mysqli.php on line 10
Of course, you could manually check the MySQL errors.
But I would go crazy if I had to do that every time I made a typo -
or worse - every time I want to query the database.
Try this code it work fine
assign the post variable to the variable
$username = $_POST['uname'];
$password = $_POST['pass'];
$result = mysql_query('SELECT * FROM userData WHERE UserName LIKE $username');
if(!empty($result)){
while($row = mysql_fetch_array($result)){
echo $row['FirstName'];
}
}
I'm kinda new to PHP and only using it for the backend of my Android App.
I've got three strings that I'm sending to the PHP from my Android App. I want to query a table called 'users' and find the userid of the username that was sent from my Android App and then inset the data into a seperate table called 'msg'.
I've tried for my life and I cannot get it to work, plus I haven't even finished.
thanks and helping me would be pretty amazing, as I'm new to PHP and can't finish off the rest of the code.
PHP:
<?php
$username = $_POST['username'];
$msg = $_POST['msg'];
$frienduser = $_POST ['frienduser'];
/*mysql data below */
$dbc = mysql_connect('localhost', 'removemypasswords', 'again');
if(!dbc) {
die("Something went wrong! Try again...");
}
/* select database */
$db_select = mysql_select_db("andagain, $dbc");
if (!db_select){
die("Can't connect :" .mysql_error);
}
$query = mysql_query("SELECT FROM users WHERE usernames ='$usernames'");
$query1 = mysql_query(INSERT INTO `gtanews1_zips54`.`msg` (
`id` ,
`friendid` ,
`msg`
)
VALUES (
'$query', '$frienduser', 'msg'
);
echo ($msg);
?>
how about putting quotes around $query1 like
$query1 = mysql_query("INSERT INTO gtanews1_zips54.msg (`id` ,`friendid` ,`msg`)
VALUES ('$query', '$frienduser', 'msg')");
Should be
$query = mysql_query("SELECT * FROM users WHERE usernames ='$username'");
$result = mysql_fetch_array($query);
$query1 = mysql_query("INSERT INTO gtanews1_zips54.msg (id,friendid,msg) VALUES ('" . $result['yourField'] . "', '$frienduser','$msg')");
your mysql select db code is wrong. you need to have the quotes before the comma
mysql_select_db("andagain", $dbc);
also place quotes at the end of your query
$query = mysql_query("SELECT FROM users WHERE usernames ='$usernames'"); $query1 = mysql_query(INSERT INTO `gtanews1_zips54`.`msg` ( `id` , `friendid` , `msg` ) VALUES ( '$query', '$frienduser', 'msg' )");
There's a lot going wrong here:
<?php
$username = $_POST['username'];
$msg = $_POST['msg'];
$frienduser = $_POST ['frienduser'];
/*mysql data below */
$dbc = mysql_connect('localhost', 'removemypasswords', 'again');
if(!$dbc) { //- You forgot the dollar $ sign on $dbc
die("Something went wrong! Try again...");
}
/* select database */
$db_select = mysql_select_db("andagain", $dbc); //- You had the entire thing quoted, quotes are just around "andagain"
if (!db_select){
die("Can't connect :" .mysql_error()); //- You forgot the parentheses after mysql_error
}
$query = mysql_query("SELECT FROM users WHERE usernames ='$usernames'");
//- You need to actually get the results out of the query object
$row = mysql_fetch_assoc($query);
if (!$row) {
die('User not found');
}
$user_id = $row['id']; //- Or whatever the column is called
$query1 = mysql_query("INSERT INTO `gtanews1_zips54`.`msg` (
`id` ,
`friendid` ,
`msg`
)
VALUES (
'$user_id', '$frienduser', 'msg'
"); //- You forgot to put quotes around this query
echo ($msg);
?>
And that's just to start, there may be other problems depending on your database schema / data transfer format.
Also, you're wide open to SQL injection.
your code have many errors .
$db_select = mysql_select_db (andagain, $dbc);
$query = mysql_query('SELECT FROM users WHERE usernames ="$usernames"');
since Stackoverflow is not a community for fixing codes bugs ..so i am leaving this job for you .
below are some points which can help you to fix all errors ?
Variable-substitution cann't be dont with single quotes (') . double quotes allow variable substitution .
to escape quotes inside quotes , we use \
parameter cannot be encapsulated with double quotes .