0

I want to make a page that have a form with category and names, and I should retrieve the names from the databases. I've asked this question before, now I modified my code and the result says that "Query was empty". I don't know why it says like that. Here is all my page code.

<html>
<head>
<title>Assign Examiner</title>
</head>

<body>

<?php include('../include/dbconnect.php');

$names=$_POST['user'];
$exp = $_POST['expert'];

$mysql_i=mysql_query("SELECT name FROM user WHERE expert='".$exp."'");
$mysql_res = mysql_query($mysql_i) or die(mysql_error());

mysql_close();

?>

<form name="examiner" action="" method="post">

<table align="center" width="50%" border="1">

<tr>
<td>Category :</td>
    <td><select name="expertise"><option value="multimedia">Multimedia
                     <option value="security">Security & Networking
                                 <option value="mobile">Android Mobile
                                 <option value="web">Web Development
                                 </option></option</option></option>
        </select>
    </td>
</tr>
<tr>
<td>Name :</td>
    <td><select name="exam"><option value="<?php echo $mysql_i;?>">PLEASE CHOOSE</option></select></td>
</tr>
</body>
</html>
deenaiena
  • 19
  • 1
  • 4
  • 1
    You're calling `mysql_query` twice. The first time, you're assigning the results to `$mysql_i`, and the second time you're calling `mysql_query($mysql_i)` – andrewsi Sep 06 '13 at 16:47
  • That means I should just do it like this ? `$mysql_i=mysql_query("SELECT name FROM user WHERE expert='".$exp."'"); $mysql_res = mysql_query() or die(mysql_error());` – deenaiena Sep 06 '13 at 16:49
  • 1
    **Warning:** mysql extension is [deprecated](http://stackoverflow.com/questions/13944956) as of PHP 5.5.0, and will be removed in the future. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. Please don't use `mysql_*` to develop new code. – bansi Sep 06 '13 at 16:49
  • @bansi Deprecated? mm, then what should I do? My lecturer preferred us using MySQL instead of MySQLi cuz we are using XAMPP v1.7 , MySQLi does not compatible with it. – deenaiena Sep 06 '13 at 16:53
  • @deenaiena Use either MySQLi (with prepared statements) or PDO. I'm pretty sure that XAMPP v1.7 is compatible (it uses PHP 5.3.8+ and MySQLi was introduced in PHP 5.x). – ComFreek Sep 06 '13 at 17:06
  • try to start using PHP 5.3.x+ preferably 5.4.x and MySQL 5+ or by the time you finish school you will be looking like a dinosaur. – bansi Sep 06 '13 at 17:29
  • I never know that, but thanks for telling me, I'll try to use MySQLi :) @ComFreek – deenaiena Sep 07 '13 at 05:34
  • dinasour? haha, okey2 I'll try to understand the PHP5.4 first :) @bansi – deenaiena Sep 07 '13 at 05:35

2 Answers2

1

You are calling mysql_query() function twice, which is incorrect. The code should be more like

$mysql_i = mysql_query("SELECT name FROM user WHERE expert='".$exp."'");

$actual_data = mysql_fetch_assoc($mysql_i);

echo $actual_data['some_table_field'];

mysql_query() returns a statement handle (or boolean false - on failure). That handle is then used in the various fetch() and other related metadata functions.

Also note that you are vulnerable to SQL injection attacks. Do NOT use this code until you've learned how to avoid them.

Yang
  • 8,580
  • 8
  • 33
  • 58
Marc B
  • 356,200
  • 43
  • 426
  • 500
  • I got a warning saying like this 'Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\FYP2\admin\assign.php on line 14' , how can I solve this? – deenaiena Sep 07 '13 at 05:50
1

The first problem is that you're using user-entered data in your query. You should look at moving to mysqli_ or PDO instead - they both help you write code that is safer. If you can't switch, then you need to sanitise the input to make sure that it doesn't do anything nasty to your code

The second problem is this:

$mysql_i=mysql_query("SELECT name FROM user WHERE expert='".$exp."'");
$mysql_res = mysql_query($mysql_i) or die(mysql_error());

You're calling mysql_query twice, and the second time, you're passing in the results of the first query. That's not going to do anything. All you need is:

$exp = mysql_real_escape_string($exp);    // sanitise your input!!!!

$sql = "SELECT name FROM user WHERE expert='".$exp."'";
$mysql_res = mysql_query($sql) or die(mysql_error());

There's also nothing in your <form> called 'expert', so $_POST['expert'] is likely to be blank - did you mean 'expertise? The same holds true for $_POST['user'].

andrewsi
  • 10,807
  • 132
  • 35
  • 51
  • Yes, I mean 'expertise', sorry. I've changed my coding according to your advice. The thing is when I selected an option at the 'Category'such as 'Multimedia', the lecturer's name which the expertise is 'Multimedia' should automatically listed down under the 'PLEASE CHOOSE'. But it doesn't work yet even after I tried following your code :( – deenaiena Sep 07 '13 at 05:48