1

So I am new to php and I am trying to check if a mysql table contains a variable which is set when a user does a search. If the table contains the variable (it's a string) then I want to be able to do different things depending on its existence.

I should also note that I am a novice with php development!

This is what I have so far;

$db = new mysqli('IP', 'username', 'password', 'database');

$result = $db->query("SELECT * FROM tablename WHERE ColumnName =     $searchVar");

if(empty($result)){
    //No result Found
}else{
    //Found result
}
md_5
  • 27
  • 6
  • SQL strings, like PHP strings, need to be in quotes. Aside from that issue I don't know what your question or issue is. Oh, and you need to fetch the results.. http://php.net/manual/en/mysqli-result.fetch-assoc.php – chris85 Jul 03 '15 at 00:37
  • Did you log on to mysql ? Have you got errors enabled ? – Rohit Gupta Jul 03 '15 at 00:50
  • Do you want the record(s)? Where does `$searchVar` come from, user input? – chris85 Jul 03 '15 at 00:50
  • @RohitGupta Yes I can connect to the DB and there's no errors. Error reporting is enabled currently too :) @chris85 I dont want to export the records, no. I would like to just check to see if they are infact there. The `$searchVar` comes from a users input yes. – md_5 Jul 03 '15 at 00:53
  • Please remember to mark an answer as accepted if it resolved your issue. http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – chris85 Jul 03 '15 at 02:18

2 Answers2

1

You need to place single quotes around $searchVar in the query.

$result = $db->query("SELECT * FROM tablename WHERE ColumnName = '$searchVar'");

Then, you must fetch the results of the query.

$result = $result->fetch_row();
Aaron St. Clair
  • 391
  • 1
  • 3
  • 12
  • 1
    He/she hasn't posed a question yet, how can you have an answer? – chris85 Jul 03 '15 at 00:40
  • So if I do that, should the rest of my code work? I will try that now buddy! – md_5 Jul 03 '15 at 00:41
  • OP stated that they would like to query the DB to see if a record exists. The changes I suggested should allow them to do so. – Aaron St. Clair Jul 03 '15 at 00:44
  • Where did OP state that? `So I have been trying to check if a mysql table contains a variable (something which is entered in a search)` If OP is looking for a record his/her code wont get that. – chris85 Jul 03 '15 at 00:44
  • @chris85 I am infact trying to query a database to see if a record exists. I am trying to check if the variable which is being searched for is in the table. – md_5 Jul 03 '15 at 00:49
  • This answer leaves you open to SQL injections. – chris85 Jul 03 '15 at 01:09
  • 2
    @md_5 - Just keep in mind that, someone who knows SQL can DELETE your whole table if you use these codes. :) Please read about sanitizing user inputs and sql injections. – Kishor Jul 03 '15 at 01:21
1

Okay so your current query failed because your SQL string wasn't in quotes. It also could have failed once inputted into quotes if your PHP string had a single quote in it. This is how SQL injections occur, user input should never be passed directly into a SQL query. To separate these tasks there are prepared/parameterized queries.

Here's code I think should work for you but this is untested, based off manuals.

$db = new mysqli('IP', 'username', 'password', 'database');
$stmt = $db->prepare('SELECT * FROM tablename WHERE ColumnName = ?');
$stmt->bind_param('s', $searchVar);
$stmt->execute();
if($stmt->num_rows > 0) {
    echo 'there are results';
} else {
    echo 'there are no results';
}

Link to thread on preventing injections: How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
chris85
  • 23,846
  • 7
  • 34
  • 51