0

I am trying to pull a single value from a database and assign it to a PHP variable. All of the mysqli functions appear to pull an entire row, while I want one value of that row (e.g. ID, name, etc.).

This is what I have so far:

    $result = mysqli_query($con, "SELECT * FROM test_table WHRE ID='" . $_GET['ID'] . "'");
    $row = $result->fetch_assoc();
    $test = $row['ID'];
    echo $test;

When I run the above I don't get any output; $test is unassigned. What is the correct command to assign a value to my $test variable?

user3538411

  • Please tell me, what is the output for var_dump($row)? – hakki Oct 20 '14 at 16:20
  • You have a SQL injection vulnerability. Never execute user input as code. – David Oct 20 '14 at 16:20
  • And you should add error handling to your database calls. – jeroen Oct 20 '14 at 16:20
  • PHP array keys are case sensitive, don't forget. Do a `var_dump($row)` to see what REALLY came out of the db. – Marc B Oct 20 '14 at 16:26
  • Thanks guys for the tip about var_dump. Unfortunately I have to use user input as a part of the query, but the next step is I will use a stored procedure to sanitize the inputs. Just trying to get off the ground. Thanks again for your comments. – user3538411 Oct 20 '14 at 16:56
  • @user3538411: `"Unfortunately I have to use user input as a part of the query"` - No, you don't. You have to use it as a *value* in the query. Currently you're using it as *executable code* in the query, which is the problem. Using prepared statements which have value placeholders and then supplying the value separately is how you solve this problem. – David Oct 20 '14 at 16:58

1 Answer

-2

You forgot an E in your WHERE clause.

    $result = mysqli_query($con, "SELECT * FROM test_table WHERE ID='" . $_GET['ID'] . "'");
    $row = $result->fetch_assoc();
    $test = $row['ID'];
    echo $test;

If your 'ID' field is an integer, the quotes are not necessary.

Macbernie

  • I think the first mistake is that @Macbernie! – pollux1er Oct 20 '14 at 16:27
  • Putting SQL-injectable code in an answer that can be copied/pasted as-is may be considered somewhat irresponsible... – David Oct 20 '14 at 16:29
  • Thank you Macbernie, it is always the simple things! I swear I stared at that code for an hour and never saw it! @David, thanks for the reminder, I will be sure to sanitize my inputs going forward. – user3538411 Oct 20 '14 at 16:56
  • This answer should not be used by anyone as it is insecure/unstable. – mickmackusa Jan 24 '20 at 09:37
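For reference, here is the prepared-statement version that David's comments describe and that the accepted-style answer above lacks: the ID is bound as a value rather than pasted into the SQL, the column name (which cannot be bound) is checked against an allow-list, and mysqli errors are surfaced instead of silently yielding an empty `$test`. This is an added example, not the question's or the answer's own code; it assumes an open mysqli connection in `$con`, a table `test_table` with columns `ID` (integer) and `name`, and the page-specific helper name `fetchColumnById` is hypothetical.

```php
<?php
// Added example, not code from the question or answer. Assumes an open mysqli
// connection in $con and a table test_table with columns ID (int) and name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

/**
 * Return one column of the row whose ID matches, or null when no row matches.
 * The ID travels as a bound parameter, so it is never interpreted as SQL text.
 * A column name cannot be bound, so it is checked against a fixed allow-list.
 */
function fetchColumnById(mysqli $con, string $column, int $id)
{
    $allowed = ['ID', 'name'];                 // only the columns this code may expose
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    $stmt = $con->prepare("SELECT `$column` FROM test_table WHERE ID = ?");
    $stmt->bind_param('i', $id);               // 'i': sent to the server as an integer value
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();                   // true if a row came back, false otherwise
    $stmt->close();
    return $found ? $value : null;
}

// Reject anything that is not an integer before it gets near the database.
$id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('ID must be an integer');
}

try {
    $test = fetchColumnById($con, 'ID', $id);
    echo $test ?? 'no row with that ID';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());               // keep the detail server-side
    http_response_code(500);
    exit('database error');
}
```

With `MYSQLI_REPORT_STRICT` set, the typo in the original query (`WHRE`) would have thrown a `mysqli_sql_exception` pointing at the syntax error instead of leaving `$test` unassigned.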