1
<?php
if (!isset($_POST['submit']))
$TheName = $_POST['TheName'];


$host = "localhost";
$user = "root";
$pass = "";
$db = "onlinebookclub";


$link = mysqli_connect($host, $user, $pass, $db);
$query = "SELECT * FROM author WHERE name = $TheName";

//3. execute SQL query

$result = mysqli_query($link, $query) or die('Error querying database');
//5. Close Connection
mysqli_close($link);

//4. process the result
?>       

<html>
<head>

<hr>
<title></title>

</head>
<body>
<?php if (!empty($row)) { 
while ($row = mysqli_fetch_array($result)) {
$author_id = $row['author_id'];
$name = $row['name'];
$gender = $row['gender'];
$birth_year = $row['birth_year'];
$introduction = $row['introduction'];
 ?>

        <table>
            <tr>
                <td>Name: </td>
                <td> <?php echo $name; ?><br/></td>
            </tr>
            <tr>
                <td>Author ID: </td>
                <td><?php echo $author_id; ?><br></td>
            </tr> 
            <tr>
                <td>Gender: </td>
                <td><?php echo $gender; ?><br/></td>
            </tr>
            <tr>
                <td>Birth Year: </td>
                <td><?php echo $birth_year; ?><br></td>
            </tr>


            <tr><td><hr/></td>
                <td><hr/></td>
            </tr>
        </table>
 <?php
 } 
}else {

    echo "No records found";

}
?>


</body>

</html>

My PHP file is not retrieving the proper data. It is supposed to retrieve the relevant details from my database but all it has been showing is No records found. How can I fix this? I tried moving the close link to the end but the error is still there.

Ranen Sim

4 Answers

4

You are using this line:

$query = "SELECT * FROM author WHERE name = $TheName";

You have not used quotes or escapes around this as such:

$query = "SELECT * FROM author WHERE name = '{$TheName}'";

Also, as others have said, beware of injection; even using $TheName = mysqli_real_escape_string($link, $TheName); is better than nothing (before the query).

Can O' Spam
  • Thanks so much for your help! It worked! Although there is another issue now :/ my echo isn't working and is only echoing out a blank page – Ranen Sim Jan 27 '16 at 11:13
  • @RanenSim, please add another question, link to and from this one to show and explain how it differs. That's the best way to get a good answer – Can O' Spam Jan 27 '16 at 11:13
  • @SamSwift웃 isn't the reason it's not echoing the actual question he had here? Which already has an answer? :-) -> Mine? – davejal Jan 27 '16 at 11:21
  • @davejal, the question the OP asked was why he was getting the error of *Error querying database.*, therefore an additional question would be off-topic for this question in particular. To get an answer to that is possible here, but is a distraction from the original purpose, therefore I propose it is best for the OP and future readers to have it split :P – Can O' Spam Jan 27 '16 at 11:23
3

The problem lies in your query. You are missing the ' around the name variable you are looking for. It should be:

$query = "SELECT * FROM author WHERE name = '$TheName'";

As @jeroen already stated it would be better to use prepared statements to avoid SQL injections and the variables are also escaped correctly when bound to the query.

Andreas Schrammel
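The prepared-statement approach recommended in the answers, combined with the corrected `isset` check, as an added example (not code from the question or from any answerer). It assumes the `author` table and connection values shown in the question; `find_authors_by_name()` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes the question's `author` table.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// find_authors_by_name() is a hypothetical helper name.
function find_authors_by_name(mysqli $link, string $name): array
{
    // The ? placeholder keeps user input out of the SQL text, so the value
    // needs neither quotes nor escaping and cannot change the query.
    $stmt = $link->prepare(
        'SELECT author_id, name, gender, birth_year FROM author WHERE name = ?'
    );
    $stmt->bind_param('s', $name); // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($authorId, $authorName, $gender, $birthYear);

    $rows = [];
    while ($stmt->fetch()) { // copy each row out of the bound variables
        $rows[] = [
            'author_id'  => $authorId,
            'name'       => $authorName,
            'gender'     => $gender,
            'birth_year' => $birthYear,
        ];
    }
    $stmt->close();
    return $rows;
}

$authors = [];
if (isset($_POST['submit'], $_POST['TheName']) && is_string($_POST['TheName'])) {
    // Connection values as shown in the question.
    $link = mysqli_connect('localhost', 'root', '', 'onlinebookclub');
    $authors = find_authors_by_name($link, $_POST['TheName']);
    mysqli_close($link); // safe here: the rows are already in $authors
}

if (!$authors) {
    echo 'No records found';
}
foreach ($authors as $author) {
    // Encode on output so stored values cannot inject markup into the page.
    $safe = array_map(function ($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }, $author);
    echo "Name: {$safe['name']}<br>Author ID: {$safe['author_id']}<br>",
         "Gender: {$safe['gender']}<br>Birth Year: {$safe['birth_year']}<hr>\n";
}
```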
3

I think your problem is here.

if (!isset($_POST['submit']))
$TheName = $_POST['TheName'];

Change it to something like:

if (isset($_POST['submit']))
    {
      $TheName = $_POST['TheName'];
    }

  1. You're missing the opening and closing brackets for this if; stay consistent if you use them.
  2. You're actually checking if post is not sent, then the variable $TheName = $_POST['TheName'], this is wrong

Update:

Take note of what some others already said also:

  1. Use prepared statements to fix SQL injection problems you might have, as given in the answers by others (i.e. @Sam Swift)
  2. The use of your quotes in your SQL query, also in the other answers (i.e. @Sam Swift)
davejal
  • 2
    Great catch, never saw that... You did miss about the query not having quotes and the SQL injection weakness however... – Can O' Spam Jan 27 '16 at 10:55
  • Didn't want to add that, many others already flooded the OP about it. If necessary and the answer fixes his problem I could add it later on. But thanks for the tip. +1 for the comment. – davejal Jan 27 '16 at 10:56
  • 1
    Also you don't need to use brackets as long as you indent properly, an `if` statement will fall through to the next line only (or the same line if done in one line) – Can O' Spam Jan 27 '16 at 11:02
  • Right again, that's why I added to be consistent, as he uses it in the rest of his code, so he's more confident using it probably. +1 – davejal Jan 27 '16 at 11:06
2
$TheName = mysqli_real_escape_string($link, $TheName);

And put $TheName in single quotes.

$query = "SELECT * FROM author WHERE name = '$TheName'";
Nana Partykar