Mysql empty query

Question

So I have 4 columns in my table. The first two are display name and username. The reason why I dont echo the username is that it is a md5 string, to be more secure. So i'm trying to fetch the display name associated with the username that is logged in (the $_COOKIE["USERNAME"]), but the $displayuser returns an empty query. Also I'm not sure about WHERE username = {$c_user}, the part with {$c_user}. Any solutions?

if(isset($_COOKIE['USERNAME']))
{
$c_user = $_COOKIE["USERNAME"];
$con = mysqli_connect("localhost","root","","accounts");
$result = mysqli_query($con,"SELECT 'display name' FROM 'account_info' WHERE username = {$c_user}");
$displayuser = mysqli_query($con,$result);
echo $displayuser;
}

**Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Apr 27 '14 at 10:21

score 0 · Answer 1 · answered Apr 27 '14 at 10:24

The return value of mysqli_query is not a string. It is a mysqli_result object or (if the query failed) FALSE.

You need to test to see if it is FALSE or not (and examine the error if it is (I'm pretty sure that using single quotes around column names will throw an error, if you quote them they should be quoted with backticks)), then you can test to see if you have any results before looping over them and getting each row of data.

score 0 · Accepted Answer · answered Apr 27 '14 at 10:49

'display name' can't be the right column name since there can't be spaces in columns.

and Quentin is right. applied to your example you need to do it like this:

//see if there is any result
if($result = mysqli_query($con, result))
{
    while($fields = mysqli_fetch_field($result))
    {
        echo $fields->display_name;
    }

}

Mysql empty query

2 Answers2