MySQL Query Not Returning Values

Question

I am trying to get values from MySQL database where the value of the Username column is the same as the parameter being passed in. The parameter being passed in is "Griffin".

function logIntoDb($username)
{
$users = mysqli_query($GLOBALS['con'], "SELECT Id, Username FROM Users WHERE $username=Username");
while($row = mysqli_fetch_array($users))
{
echo "\"Match: " . $row['Id'] . "=" . $row['Username'] . "\"";
echo " - " . ($username==$row['Username'] ? "true" : "false");
echo "<br/>";
}
}

The above keeps returning an empty result, which causes my while loop to throw this warning.

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /home/a654/public_html/Top/Bottom/log.php on line 16

Here is the Users table:

Id|CreatedOn|Username|Info|Status|Rank|Total|

1|0000-00-00 00:00:00|Peter|123|Good|High|111.11

2|0000-00-00 00:00:00|Griffin|123|Bad|Low|000.00

Is there something that I am not seeing that prevents the Griffin row from being returned?

It should be the other way around like this... `"SELECT Id, Username FROM Users WHERE Username='$username'"` — Shankar Narayana Damodaran, Nov 30 '13 at 18:00
**By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. **Learn how to do it right before the bad habits become part of your thinking.** — Andy Lester, Nov 30 '13 at 18:01

score 3 · Answer 1 · answered Nov 30 '13 at 17:59

3

You seem to be missing the apostrophes around the username. Change this:

"SELECT Id, Username FROM Users WHERE $username=Username"

Into this:

"SELECT Id, Username FROM Users WHERE '$username'=Username"

answered Nov 30 '13 at 17:59

Mosty Mostacho

42,742
16
96
123

score 2 · Accepted Answer · answered Nov 30 '13 at 17:59

2

Your query should be "SELECT Id, Username FROM Users WHERE '$username'=Username"

You need the single quotes since it's a string and not a number.

answered Nov 30 '13 at 17:59

James

3,765
4
48
79

Let's say I had two parameter called $id and $time; the $id that is being passed will be a numeric value and the $time that is being passed will be an numeric value (representing the number of seconds). There respective values in the database are type int(11). If I was to compare the parameter with the value in the database like I did above, would I still have to use single quotes since it isn't a string? – dalawh Nov 30 '13 at 20:49
No, if both are int types, you do not need single quotes. You only have to use single quotes to encapsulate a string. – James Dec 01 '13 at 03:51
Thanks for the confirmation. – dalawh Dec 01 '13 at 17:54

score 0 · Answer 3 · answered Nov 30 '13 at 17:59

0

replace $username to '$username' provided everything else is fine

answered Nov 30 '13 at 17:59

Prashant Ghimire

4,890
3
35
46

MySQL Query Not Returning Values

3 Answers3