1

I am trying to search my database for a result, and display all the columns relating to that result. My connection to the database works fine, but I don't know how to print the result of my query.

I tried accessing it as an array, but it did not work. What I want is to be able to search the database for the username 'TEST', and to return the password, email and username (to check the username exists).

My current code is this 

$user = mysqli_query($con,"SELECT * FROM user_list where username = '$username'");
print_r($user);

$username is the username. It returns this 

(
    [current_field] => 0
    [field_count] => 4
    [lengths] => 
    [num_rows] => 2
    [type] => 0
)
Dharman
  • 30,962
  • 25
  • 85
  • 135
user2880853
  • 83
  • 2
  • 4
  • 8
  • You need to fetch the result first with `mysqli_fetch_assoc($user)`. – vaso123 Nov 05 '14 at 13:46
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Feb 16 '20 at 14:36

5 Answers5

5

Use Fetch to display the result

     $result = mysqli_query($con,"SELECT * FROM user_list where username = '" . mysqli_real_escape_string($con, $username) . "'"); 
    while($row = mysqli_fetch_array($result))
     {
        print_r($row);
     }
Cherry
  • 393
  • 1
  • 4
  • 15
2

To get the result of the mysqli_query() you need to use one of the functions, which return the rows. For example fetch_all() to get all the rows or fetch_array() to get a single row.

You can also loop on the object directly. 

$result = mysqli_query($con, 'SELECT ...');
foreach($result as $row) {
    print_r($row);
    // do something with each row
}

However, in your case you should not be using mysqli_query() at all! This leaves you vulnerable to SQL injection. You must use parameter binding, which is available with prepared statements.

For example your fixed query would look like this:

$stmt = $con->prepare('SELECT * FROM user_list where username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
foreach ($result as $row) {
    print_r($row);
}

The difference is that my variable is not separate from the SQL, so there is no risk of injection. You should never allow any variable input directly in SQL query. Doing this properly is really not that difficult.

Dharman
  • 30,962
  • 25
  • 85
  • 135
0

You need to fetch the result first with mysqli_fetch_assoc

$userResult = mysqli_query($con,"SELECT * FROM user_list where username = '" . mysqli_real_escape_string($con, $username) . "'"); 
$user = mysqli_fetch_assoc($userResult);
print_r($user);
  • Avoid sql injections by escaping your strings.
vaso123
  • 12,347
  • 4
  • 34
  • 64
  • 1
    http://php.net/manual/en/mysqli.prepare.php use prepared statements to avoid SQL injection, don't use escapings.. – sridesmet Nov 05 '14 at 13:58
  • Why? mysqli can be used procedural and OOP. If you use it procedural, you need to escape somehow, this is why `mysqli_real_escape_string` is. – vaso123 Nov 05 '14 at 13:59
  • There is no reason to use mysqli procedural.. Escaping is easily forgotten. – sridesmet Nov 05 '14 at 14:06
-1

You have to fetch your result:

$user = mysqli_query($con,"SELECT * FROM user_list where username = '$username'");

while ($row = $user->fetch_row()) {
        print_r($row);
    }
sridesmet
  • 875
  • 9
  • 19
-1
while($row = mysql_fetch_array($user, MYSQL_ASSOC))
{
    echo "MATE :{$row['MATE']}  <br> ".
         "TEST : {$row['TEST']} <br> ".
         "--------------------------------<br>";
}
it's may work your you.
Manoj Sonagra
  • 45
  • 6