0

I'm using PHP to try and select a single row from a table in my MySQL database. I've run the query manually inside phpMyAdmin4 and it returned the expected results. However, when I run the EXACT same query in PHP, it's returning nothing.

$query = "SELECT * FROM characters WHERE username=".$username." and charactername=".$characterName."";
if($result = $mysqli->query($query))
{
        while($row = $result->fetch_row())
        {
            echo $row[0];    
        }
        $result->close();
}
else
        echo "No results for username ".$username." for character ".$characterName.".";

And when I test this in browser I get the "No results..." echoed back. Am I doing something wrong?

This isn't a duplicate question because I'm not asking when to use certain quotes and backticks. I'm asking for help on why my query isn't working. Quotes just happened to be incorrect, but even when corrected the problem isn't solved. Below is the edited code as well as the rest of it. I have removed my server information for obvious reasons.

<?PHP
$username = $_GET['username'];
$characterName = $_GET['characterName'];

$mysqli = new mysqli("REDACTED","REDACTED","REDACTED");

if(mysqli_connect_errno())
{
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
}

$query = "SELECT * FROM `characters` WHERE `username`='".$username."' and `charactername`='".$characterName."'";

if($result = $mysqli->query($query))
{
        while($row = $result->fetch_row())
        {
            echo $row[0];    
        }

        $result->close();
}
else
        echo "No results for username ".$username." for character ".$characterName.".";

$mysqli->close();
?>
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
David Rosen III
  • 117
  • 2
  • 10
  • strings? `WHERE username=".$username." and charactername=".$characterName."";` - pretty sure they are. – Funk Forty Niner Feb 25 '16 at 18:33
  • How do you know that you're running the exact same query? I don't see you printing it out – Joni Feb 25 '16 at 18:34
  • yeah, you need to wrap the `SQL` variable values in single quotes. – Derek Pollard Feb 25 '16 at 18:34
  • check for errors on your query http://php.net/manual/en/mysqli.error.php – Funk Forty Niner Feb 25 '16 at 18:34
  • you're also open to an SQL injection if those variables are coming from user-input. – Funk Forty Niner Feb 25 '16 at 18:38
  • @Joni I haven't posted my full code here, but believe you me, I know for a fact they're the same query. I've tested it several times. – David Rosen III Feb 25 '16 at 18:48
  • @OliverQueen have fixed the single quotes but the problem persists. – David Rosen III Feb 25 '16 at 18:48
  • @Fred-ii- I have fixed the single quotes but the problem persists. And I'm aware of the risk of injection. – David Rosen III Feb 25 '16 at 18:48
  • @DavidRosenIII you need single quotes around the double quotes – Derek Pollard Feb 25 '16 at 18:50
  • @DavidRosenIII Hi David. Could you update your question then and with the new code you are now using, ***however,*** please don't overwrite your originally posted code, but post your new code under your old code and marked as an edit. Plus, you should also be posting any other relevant code as to where those variables are coming from, as well as the db schema and db connection used. – Funk Forty Niner Feb 25 '16 at 18:50
  • @DavidRosenIII you went and overwrote your original question. and the person who posted an answer for it, may get downvoted for it. Please rollback and mark it as an edit. thank you. – Funk Forty Niner Feb 25 '16 at 18:52
  • @Fred-ii- Okay. I hope I did it right this time. I don't want anyone receiving down votes for my mistake. – David Rosen III Feb 25 '16 at 18:54
  • Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Feb 25 '16 at 18:54
  • @DavidRosenIII I think I know why it's failing: `$mysqli = new mysqli("REDACTED","REDACTED","REDACTED");` you didn't choose a database. If so, and your password isn't required, you still need an empty parameter for it. I.e.: `$mysqli = new mysqli("host","user", "", "db");` – Funk Forty Niner Feb 25 '16 at 18:57
  • @Fred-ii- Yep. That was exactly it. After I added the `or die(mysqli_error($mysql))` it informed me that I had no database selected. Then I noticed I deleted my `mysqli_select_db` line. x_x Thanks for the help. I put the db selection back, and it's working properly now. – David Rosen III Feb 25 '16 at 19:00
  • @DavidRosenIII I posted my answer below David. and you're welcome. – Funk Forty Niner Feb 25 '16 at 19:00

2 Answers2

1

It's failing: $mysqli = new mysqli("REDACTED","REDACTED","REDACTED"); because you didn't choose a database.

Connecting to a database using the MySQLi API requires 4 parameters:

If your password isn't required, you still need an (empty) parameter for it.

I.e.: $mysqli = new mysqli("host","user", "", "db");

Plus, as noted.

Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.

Footnotes:

As stated in the original post. Strings require to be quoted in values.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
0

You need to add quotes to the strings in your query: 

$query = "SELECT * 
    FROM characters 
    WHERE username='".$username."' and charactername='".$characterName."'";
Paul
  • 8,974
  • 3
  • 28
  • 48
WillardSolutions
  • 2,316
  • 4
  • 28
  • 38