
I don't know why this query won't return a value, because when I copy the "echoed" portion into phpmyadmin I do get a record returned:

echo $_GET["cname"];

// Query template
$sql =  'SELECT C.cid FROM `Contact` C WHERE C.email="'.$_GET["cname"].'"';
echo $sql;

// Prepare statement
$stmt = $conn->prepare($sql);

$stmt->execute();
$stmt->bind_result( $res_cid);

echo $res_cid;

$res_cid is apparently 0, but I don't know why because when I paste that query manually into phpmyadmin I do get a value... So why doesn't it return anything?

Burak
Kelbe
  • Can you try to remove the quotes near Contact? And I don't know what you plan to do, but your code is totally insecure; you'd better use bindparam with PDO – ThomasP1988 Jul 15 '15 at 21:55
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jul 15 '15 at 21:56
  • I agree with @ThomasP1988. Putting user input directly into the query string defeats the purpose of a prepared statement. – frz3993 Jul 15 '15 at 21:58
  • Guys, this is a project for one of my classes, so I am not concerned with security because once my application works then it is never used again. – Kelbe Jul 15 '15 at 22:00
  • So you're taking a class, but not interested in learning the proper way to program? Why are you taking the class then? – Barmar Jul 15 '15 at 22:14
  • @Barmar the class doesn't technically teach anything about SQL except the basics. It is an entry-level class. Even though I know a better way to code it, it is not efficient for me to spend extra time or effort coding something that will not get me extra marks or is not even graded. – Kelbe Jul 15 '15 at 22:18

1 Answer

As already mentioned in the comments, you should make sure your code is secured. You'd better use bindparam for that.

As for your question: after you execute your query and bind_result, you should also fetch to get the actual value from the database, based on your query:

// Prepare statement
$stmt = $conn->prepare($sql);

$stmt->execute();
$stmt->bind_result( $res_cid);

// Fetch to get the actual result
$stmt->fetch();
echo $res_cid;
Dekel
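Putting the two points of the answer together (a placeholder instead of string concatenation, and a fetch() after bind_result()), here is an added example that is not part of the question or the answer. It assumes a MySQL database reachable with the placeholder credentials below and a `Contact` table with `cid` and `email` columns, as in the question; the lookupCid() function name and the hostile sample value are my own.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes a MySQL database with a table `Contact`(cid, email) reachable
// with the placeholder credentials below.
declare(strict_types=1);

// Throw on SQL errors instead of silently returning false, so a failed
// prepare() or execute() is never mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials (assumption)

/**
 * Look up a contact's cid by email with a parameterised query.
 * Returns null when no row matches.
 */
function lookupCid(mysqli $conn, string $email): ?int
{
    // The SQL text is fixed; the value travels separately, so quotes or
    // keywords inside $email cannot change the structure of the query.
    $stmt = $conn->prepare('SELECT C.cid FROM `Contact` C WHERE C.email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($cid);

    // bind_result() only wires $cid to the result column; fetch() is
    // what copies the first row into it. Without fetch() $cid stays null,
    // which is exactly the symptom described in the question.
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $cid : null;
}

// What the question's string concatenation turns into for a hostile value.
// Constructed here as a string only; it is never executed.
$hostile   = 'nobody@example.com" OR "1"="1';
$unsafeSql = 'SELECT C.cid FROM `Contact` C WHERE C.email="' . $hostile . '"';
echo "Concatenated query: ", $unsafeSql, PHP_EOL;

// The same value passed through the prepared statement is just an email
// address that matches no row.
var_dump(lookupCid($conn, $hostile));

// Normal use: the requested contact's cid, or null if the email is unknown.
var_dump(lookupCid($conn, $_GET['cname'] ?? ''));
```

With the hostile value, the concatenated string becomes `SELECT C.cid FROM `Contact` C WHERE C.email="nobody@example.com" OR "1"="1`, where the `OR "1"="1"` has become part of the WHERE clause and matches every row; the parameterised version sends that whole string as one email value and returns null. The mysqli_report() call is worth keeping even in throwaway code, because with reporting off a failed prepare() returns false and the later method calls fail with a much less obvious error.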