
Can you please guide me? I have been struggling with this for hours now.

Here is my code:

<html>
<?php
include ("connect.php");

// Retrieve data from Query String
if ($_REQUEST["ano"] || $_REQUEST["km"] || $_REQUEST["cat"])
    // print your car is model xxxx
    echo "tu coche es un " . $_REQUEST["cat"] . ".";

// start connection to mysql db
$con = mysqli_connect('localhost', $dbuser, $dbpass, $dbname);

// mysql query to get average price of select model of car
$query = 'SELECT AVG(price) FROM `fl_listings` WHERE `tmp_catkey` = `' . $_REQUEST["cat"] . '`';

$qry_result = mysqli_query($con, $query);

while ($row = mysqli_fetch_array($qry_result))
{
    echo "<br> El rango de precios de venta es de: " . $row['AVG(price)'];
}
$promedio = $row['AVG(price)'];
?>
</html>

I have been changing the quotes to see if it works. I have not been able to get the result. The best I got was the echoed string without the $row['AVG(price)'], and in another attempt I got this warning:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given

  • your query failed. Consult these following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. Pretty obvious though. – Funk Forty Niner May 12 '16 at 16:24
  • Not to mention your query is open to SQL injection. You should be using prepared statements with bound parameters to prevent this. Never put user input directly into your queries. – Mike May 12 '16 at 16:24
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or `$_REQUEST` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman May 12 '16 at 16:24
  • @Fred-ii- Not gonna vote to close? – Mike May 12 '16 at 16:27
  • @Mike Riggs got it ;-) – Funk Forty Niner May 12 '16 at 16:30
  • Thanks. I see the SQL injection risk and will fix that. Also, I noticed the column values have text mixed into the numbers, like '44350|dollar'. The fix would be to get the values, then strip that '|dollar' text and then get the average from the array. Any guidance towards doing this? – pepster May 12 '16 at 17:52
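An added example, not the asker's or any commenter's code, of what the comments recommend: the same average-price lookup done with a mysqli prepared statement and bind_param, with the '44350|dollar' values split in PHP before averaging as the last comment proposes. It assumes connect.php defines $dbuser, $dbpass and $dbname as the original code does.

```php
<?php
// Added example: hardened version of the lookup in the question (not the asker's code).
// Assumes connect.php defines $dbuser, $dbpass and $dbname, as in the question.
include "connect.php";

// Throw on SQL errors instead of silently returning false (the cause of the
// "expects parameter 1 to be mysqli_result, boolean given" warning).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect('localhost', $dbuser, $dbpass, $dbname);
$con->set_charset('utf8mb4');

// Read the category as a string and refuse the request if it is missing,
// rather than running the query unconditionally as the original code does.
$cat = isset($_REQUEST['cat']) ? (string) $_REQUEST['cat'] : '';
if ($cat === '') {
    http_response_code(400);
    exit('Falta el parámetro cat.');
}
// Escape before echoing so the parameter cannot inject HTML into the page.
echo 'tu coche es un ' . htmlspecialchars($cat, ENT_QUOTES, 'UTF-8') . '.';

// The value is sent as a bound parameter and never spliced into the SQL text,
// so whatever the user supplies is compared as plain data and cannot change
// the query. The column holds strings like '44350|dollar', so AVG() in SQL
// cannot be used directly; fetch the raw values and average them in PHP.
$stmt = $con->prepare('SELECT `price` FROM `fl_listings` WHERE `tmp_catkey` = ?');
$stmt->bind_param('s', $cat);
$stmt->execute();
$stmt->bind_result($rawPrice);

$sum = 0.0;
$count = 0;
while ($stmt->fetch()) {
    // '44350|dollar' -> '44350'; skip rows whose numeric part is not a number
    $numeric = explode('|', (string) $rawPrice, 2)[0];
    if (!is_numeric($numeric)) {
        continue;
    }
    $sum += (float) $numeric;
    $count++;
}
$stmt->close();

$promedio = $count > 0 ? $sum / $count : null;
echo '<br> El rango de precios de venta es de: '
    . ($promedio === null ? 'sin datos' : number_format($promedio, 2));
```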
