REMARKS
- You're using an apostrophe (') on your column name, which you should not; it should only be used on variables inside the query. You can use backticks (`) instead of an apostrophe (') on your column name.
- If you're going to select specific column names in your query, you should not include the asterisk (*) along with them.
- Next, you don't have a fetch loop to get the results.
- You need to use an apostrophe (') when having a variable in the condition of your query.
- Did you assign the submitted input to the $User_ID variable?
Right Code:
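<?php
$con = mysqli_connect("dbhost", "username", "password", "dbase");
// Check connection; stop here if it failed, since the query below needs it
if (mysqli_connect_errno()) {
    exit("Failed to connect to MySQL: " . mysqli_connect_error());
}
/* $User_ID is assumed to hold the submitted input; it is interpolated into the SQL text as-is */
/* `table` is a placeholder name, quoted with backticks because TABLE is a reserved word in MySQL */
$result = mysqli_query($con, "SELECT User_ID, Username, Email, Group_ID FROM `table`
    WHERE User_ID = '$User_ID'");
while ($row = mysqli_fetch_array($result)) {
    echo $row['User_ID'] . " " . $row['Username'] . " " . $row['Email'] . " " . $row['Group_ID'];
    echo "<br>";
} /* END OF WHILE LOOP */
?>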
You can also use a prepared statement instead to prevent further SQL injections. Here's what it would look like if you had it in a prepared statement:
<?php
$con = mysqli_connect("dbhost", "username", "password", "dbase");
// Check connection; stop here if it failed, since prepare() below needs it
if (mysqli_connect_errno()) {
    exit("Failed to connect to MySQL: " . mysqli_connect_error());
}
/* `table` is a placeholder name, quoted with backticks because TABLE is a reserved word in MySQL */
if ($stmt = $con->prepare("SELECT User_ID, Username, Email, Group_ID FROM `table` WHERE User_ID=?")) {
    $stmt->bind_param("s", $User_ID); /* LETS ASSUME THAT THE SUBMITTED DATA IS STORED INTO $User_ID VARIABLE */
    $stmt->execute();
    $stmt->bind_result($userid, $username, $email, $groupid);
    while ($stmt->fetch()) {
        /* %d is PHP's integer specifier (%i is not valid); text columns are HTML-escaped before output */
        printf("%d %s %s %d<br>", $userid, htmlspecialchars($username), htmlspecialchars($email), $groupid); /* YOU CAN REPLACE THE NECESSARY STRING FORMAT IF YOU NEED TO */
    } /* END OF WHILE LOOP */
    $stmt->close();
}
$con->close();
?>
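An added example, not part of the answer above: it runs the apostrophe-quoted query and the placeholder query side by side on the same inputs, to show what the prepared statement changes. It assumes an in-memory SQLite database through PDO in place of MySQL/mysqli so it runs without a server; the `users` table, its rows, and the two helper functions are constructed for illustration.

```php
<?php
// In-memory SQLite via PDO stands in for the MySQL server (assumption, so the
// script runs with no setup). The users table and its rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (User_ID TEXT, Username TEXT, Email TEXT, Group_ID INTEGER)");
$db->exec("INSERT INTO users VALUES ('1', 'alice', 'alice@example.com', 10),
                                    ('2', 'bob', 'bob@example.com', 20)");

// Hypothetical helper: the variable is pasted between apostrophes in the SQL text.
function lookup_interpolated(PDO $db, string $User_ID): string {
    $sql = "SELECT User_ID, Username, Email, Group_ID FROM users WHERE User_ID = '$User_ID'";
    try {
        return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC)) . " row(s)";
    } catch (PDOException $e) {
        return "query failed"; // the input changed the statement into invalid SQL
    }
}

// Hypothetical helper: the value is bound to a ? placeholder, so it is only
// ever compared with User_ID and never parsed as part of the statement.
function lookup_prepared(PDO $db, string $User_ID): string {
    $stmt = $db->prepare("SELECT User_ID, Username, Email, Group_ID FROM users WHERE User_ID = ?");
    $stmt->execute([$User_ID]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)";
}

// Constructed inputs: a normal ID, a value with a legitimate apostrophe, and a
// value whose apostrophe closes the string literal and extends the condition.
foreach (["1", "O'Brien", "1' OR '1'='1"] as $User_ID) {
    printf("%-16s interpolated: %-14s prepared: %s\n",
        $User_ID, lookup_interpolated($db, $User_ID), lookup_prepared($db, $User_ID));
}
```

The interpolated query fails on the second input and matches every row on the third, while the prepared query treats both as plain values and matches nothing.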