1

So the code below on a website I'm revising [links pulled from database now] works perfect and prints out the matching row and column to the html. There is a column for short names[name2, VARCHAR] and an auto incrementing integer column[id] to match.

function rainmaker($fname) {
    $connect = new PDO('mysql:host=localhost;dbname=weather;', '******', '***');
    $sql = $connect->query('SELECT `link` FROM `satellite`  WHERE `name2` = "'.$fname.'"');
    while ($result = $sql->fetch()){
        $urllink = $result['link'];}
        $linky = fullLinkedThumbnail($urllink,150);
        print $linky;
    }

further down....

<TD ALIGN="CENTER"><P><?php rainmaker('ato'); ?></P></TD>

Success! Image is shown on site.

However, every variation of this via ID fails (1064 error: the variable $urllink is empty) or doesn't print out the image link (site works, except that the images aren't shown).

$sql = $connect->query('SELECT `link` FROM `satellite` WHERE `id` = "'.$fname.'"');
....

<TD ALIGN="CENTER"><P><?php rainmaker('1'); ?></P></TD>

Fail!

Any idea why? Is it because the ID column is an integer?

EDIT:

I have prepared statment w/ placeholder variations of this fucntion but I simplified since I'm having a seperate issue where this function isn't accepting my global variavbles to identify the table when the select query is like like:

   function rainmaker($fname) {
 $connect = new PDO('mysql:host=localhost;dbname=weather;', '******', '***');
$psql = $connect->prepare('SELECT `link` FROM ?  WHERE `id` = ?');
$psql->execute(array($table,$fname));
while ($result = $psql->fetch()){
$urllink = $result['link'];}
$linky = fullLinkedThumbnail($urllink,150);
print $linky;}

I can't pass the table name and the sql query reports failure. Not sure why but I assume I made some syntax errors. For now, I'll just need this issue solved.

If I run select query for ID through phpadmin, it matches and prints out the row just fine so there isn't a mismatch with a null value.

udonsoup16
  • 27
  • 9
  • Try $query='SELECT `link` FROM `satellite` WHERE `name2` = "'.$fname.'"'; die($query). Then cut and paste the $query into MySQL and see if you get any results. ie... make sure the resulting query is correctly formed. – Pagerange Aug 17 '14 at 19:49
  • via phpadmin, it works fine using that sql to match and return the rows. – udonsoup16 Aug 17 '14 at 19:57
  • See here: `$urllink = $result['link'];}` - you have a stray closing brace at the end. Either that or your function indentation is rather in need of repair `:)` – halfer Aug 17 '14 at 20:06
  • I tried moving it to after the print function, no luck, even if that was the case; the name matching still works but ID doesn't. – udonsoup16 Aug 17 '14 at 20:09
  • @udonsoup16 You cannot use parameters for table names. Please see [this](http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-name-as-parameter). – Daedalus Aug 18 '14 at 00:13
  • Thanks, that explains alot! I was wondering why it caused the code to fail. – udonsoup16 Aug 18 '14 at 01:19

1 Answers1

0

  1. Don't concatenate strings, it breaks and can be used for sql injections.
    Use prepared statements with placeholders instead.

  2. Don't try to find a thumbmail, if no rows in satellite matched a condition.

Naktibalda
  • 13,705
  • 5
  • 35
  • 51
  • 1.I did prepared statements with placeholders; removed them since I'm having a seperate issue with passub the table name via a variable to the mysql query. 2. running the same query, the rows match in myphpadmin so I'm lost as to why it fails in html. – udonsoup16 Aug 17 '14 at 20:03