I'm currently trying to get into PHP and MySQL and I'm using this little project as a learning curve, but I've hit a bump that I can't get through. I have the following code that is accessing my MySQL database and I am currently trying to echo the data out using the following search function:

```php
<?php
ob_start();
require("config.php");
ob_end_clean();

$req=$_REQUEST['workingDate'];
$req2=$_REQUEST['location'];

mysql_connect("XXXXXXXXXXX",$username,$password);
mysql_select_db($database) or die( "Unable to select database");

if ($req!="all" && $req2!="all")  $query="SELECT * FROM TrackerTable WHERE workingDate='$req' AND location1='$req2'";
else if($req=="all" && $req2!="all" ) $query="SELECT * FROM TrackerTable WHERE location1='$req2'";
else if($req!="all" && $req2=="all" ) $query="SELECT * FROM TrackerTable WHERE make='$req'";
else if($req=="all" || $req2=="all" ) $query="SELECT * FROM TrackerTable";

$result=mysql_query($query);
$num=mysql_numrows($result);

mysql_query($result);
mysql_close();

$i=0;

for ($i; $i < $num; $i++){
    $f12=mysql_result($result,$i,"workingDate");
    $f13=mysql_result($result,$i,"location1");
    echo $f12." ".$f13."<br />";
}
?>
```

The problem I have is that whenever I try to search the database using the following html form:

```html
<form method="post" action="searchFunction.php"  name="input" id="searchform">
    <label class="section">Search Options</label><br />
    <input name="workingDate" type="text" id="workingDate" placeholder="Search by Date">
    <input name="location1" type="text" id="location1" placeholder="Search by Location">
    <input name="submit" type="submit" id="add" value="Find!">
</form>
```

I get this error thrown at me:

 Warning: mysql_query() expects parameter 1 to be string, resource given in /XXXXXX/XXXXXX/XXXXX/XXXX/XXXXX.com/XXXXXX/searchFunction.php on line 20

I have no idea what could be causing the problem as it all seems fairly in place to me. Is there an obvious mistake I'm making or is it all just completely messed up? I've been looking at it that long that I can't tell what makes sense anymore!

Any help would be greatly appreciated. Thanks guys!

Aaron Lee
  • Lovely [MySQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)... – VeeeneX Feb 11 '15 at 15:06
  • Excuse me? Not following what you mean? – Aaron Lee Feb 11 '15 at 15:06
  • @VeeeneX The guy's new at this clearly, leaving aside the injection, he's using deprecated functions. Anyway, you're passing in $result as the query to be executed. It's not a valid query, in fact the $result would be the return value from the previous query. – Andrei P. Feb 11 '15 at 15:08
  • See [Bobby Tables](http://bobby-tables.com/) and [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174) – mario Feb 11 '15 at 15:08
  • @mario Unfortunately Bobby tables wouldn't work :( You can't run 2 queries in one statement anymore. But as always xkcd is always relevant. – Andrei P. Feb 11 '15 at 15:09
  • Try inserting this `1' OR '1'='1'` into #workingDate – VeeeneX Feb 11 '15 at 15:09
  • @mario thanks, I'll take a look soon, but I'm more interested in getting it working first! – Aaron Lee Feb 11 '15 at 15:09

2 Answers

Are you sure that the variable $query is defined? I ask because the if/elseif statement is where you define the variable $query.

```php
// first define default value for your $query variable
$query="SELECT * FROM TrackerTable";

// then use your if/else statement
if ($req!="all" && $req2!="all") .....................
```

You have an error:

```php
$result=mysql_query($query);
$num=mysql_numrows($result);

mysql_query($result); // error here

mysql_close();
```

$result is not a string, it is a resource: mysql_query($result);

Check http://php.net/manual/en/function.mysql-query.php for details

nicolae-stelian

You're trying to run your query twice:

```
$result=mysql_query($query);
                    ^^^^^^--- your SQL
mysql_query($result);
            ^^^^^^^---- result handle (aka resource) from previous call
```

The second query call is utterly irrelevant/useless. You're passing in the wrong argument to the call, and you're not capturing the return value from the query anyways. Even if it was running properly, you're throwing away the query results.

You then close your DB connection, so when you try to call mysql_result() later on, there's no more DB connection to fetch your results from.

And on top of all this, you're vulnerable to SQL injection attacks.

In short, this code is a total disaster.

Marc B
  • Ok, is there any resource you can put me toward in terms of doing this properly? I'm now at a loss as to how to proceed with it. – Aaron Lee Feb 11 '15 at 15:19
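
The same search written with PDO prepared statements, as an added example that is not code from the thread or from either answerer. It assumes an in-memory SQLite database in place of the MySQL server so that it runs offline, uses the form's field name `location1`, and treats an empty field like `all`; `buildSearch` and `search` are hypothetical helper names.

```php
<?php
// Added example, not the thread's code. Assumption: an in-memory SQLite database stands
// in for the MySQL server so this runs offline; for MySQL only the PDO DSN changes.

function buildSearch(string $date, string $location): array
{
    // Column names are fixed text; user input only ever becomes a bound value.
    $where = [];
    $params = [];
    if ($date !== '' && $date !== 'all') {
        $where[] = 'workingDate = :workingDate';
        $params[':workingDate'] = $date;
    }
    if ($location !== '' && $location !== 'all') {
        $where[] = 'location1 = :location1';
        $params[':location1'] = $location;
    }
    $sql = 'SELECT workingDate, location1 FROM TrackerTable';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

function search(PDO $pdo, string $date, string $location): array
{
    [$sql, $params] = buildSearch($date, $location);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC); // fetch every row while the connection is open
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE TrackerTable (workingDate TEXT, location1 TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO TrackerTable VALUES ('2015-02-10', 'Leeds'), ('2015-02-11', 'York')");

// Constructed inputs; in searchFunction.php they would be $_POST['workingDate'] and
// $_POST['location1']. The third is the string suggested in the comments above.
$inputs = [['2015-02-11', 'all'], ['all', 'all'], ["1' OR '1'='1", 'all']];
foreach ($inputs as [$date, $location]) {
    $rows = search($pdo, $date, $location);
    echo htmlspecialchars($date), ' / ', htmlspecialchars($location), ': ', count($rows), " row(s)<br />\n";
    foreach ($rows as $row) {
        echo htmlspecialchars($row['workingDate'] . ' ' . $row['location1']), "<br />\n";
    }
}
```

The quote characters in the third input reach the database as part of a bound value, so they are compared against workingDate as literal text and cannot change the WHERE clause. `htmlspecialchars` covers the separate issue of echoing database or request values into HTML.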