
I've found many similar questions about this, but nothing I try works.

I'm trying to run a MySQL query using the variable `$epost`. When I echo this variable it displays correctly, but the query returns nothing. Entering a fixed value for `$epost` like:

`$epost = 'email@email.com';`

returns the correct query from the database.

```php
<?php
// $conn is an open mysqli connection (created earlier, not shown)
$epost = mysqli_real_escape_string($conn, $_POST['email']);
echo $epost;

$sql = "SELECT memberID FROM Member WHERE email = '$epost' limit 1";
$result = mysqli_query($conn, $sql);
if ($result === false) {
    // a failed query returns false; fetching from it would only produce a warning
    die(mysqli_error($conn));
}
$row = mysqli_fetch_assoc($result);
echo $row["memberID"];
```
Marhabba
  • You simply assume the query succeeded and returned a result. `mysqli_query($conn, $sql) or die(mysqli_error($conn))`, and then `if (mysqli_num_rows($result) == 0) { die("no result"); }`-type thing. – Marc B Jun 22 '16 at 15:21
  • Try printing this `$sql` and see the result. – Natsathorn Jun 22 '16 at 15:23
  • Does the same query return any results in the SQL command line? – apokryfos Jun 22 '16 at 15:23
  • Maybe you have a very clever PHP installation that wants you to look for a tutorial on how to use binding/prepared statements? (The real reason is probably that you have a space in your string. Try echoing with some characters around the string.) – Solarflare Jun 22 '16 at 15:44
  • http://stackoverflow.com/questions/6379433/mysql-prepared-statements – Martin Jun 22 '16 at 15:50
  • IMO, here is a simple rule with SQL query strings in PHP: **Never use a PHP variable directly in an SQL string**. Instead **replace it with a placeholder of `?`**. Now, that means **no `real_escape_string`** functions in your code as they are not needed. Also, only use **`prepare`**, **`bind_params`** and **`execute`** for all queries which need variables. _Result_, **No SQL injection - ever** :) – Ryan Vincent Jun 22 '16 at 16:04
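The approach the last two comments recommend, written out as an added example (not the asker's code or any commenter's): the lookup uses a prepared statement with a `?` placeholder, trims the posted value so stray whitespace cannot make a valid address miss, and turns query failures into exceptions instead of a silent `false`. It assumes `$conn` is an open mysqli connection and the `Member(memberID, email)` table from the question.

```php
<?php
// Added example: member lookup by e-mail with a prepared statement.
// Assumes $conn is an open mysqli connection and the Member(memberID, email)
// table from the question.

// Throw on SQL errors instead of returning false and leaving $result unchecked.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findMemberIdByEmail(mysqli $conn, string $email): ?int
{
    // Leading/trailing whitespace from the form is the usual reason a query
    // that works with a literal returns nothing; normalise before querying.
    $email = trim($email);
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The value travels separately from the statement text, so no escaping
    // is needed and the input cannot alter the structure of the query.
    $stmt = $conn->prepare('SELECT memberID FROM Member WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($memberId);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $memberId : null;
}

// Diagnostic from the comments: print the raw value between delimiters so
// spaces or newlines around it become visible.
$raw = $_POST['email'] ?? '';
echo '[' . $raw . ']', PHP_EOL;

$id = findMemberIdByEmail($conn, $raw);
if ($id === null) {
    echo 'no matching member', PHP_EOL;
} else {
    echo $id, PHP_EOL;
}
```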
