SELECT from Variable with PHP

Question

I want to select a value from the database with variables I get from $_GET, but it doesn't show any results. Could any one help me find what is wrong with my code?

<?php
$varPage = $_GET['subject'];
$servername = "localhost";
$username = "bayansh_user";
$password = "u)nHf,Accmo)";
$dbname = "bayansh_bmc";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
$result = mysqli_query($conn,"SELECT `date` FROM `editor` WHERE subject = '.$varPage.'");

while($row = mysqli_fetch_array($result))

?>

and I write it to a p:

<p style="font-family:B Zar; direction:rtl; font-size:165%;"> <?= $row['date'] ?> </p>

Is there anything wrong with my code?

Possible duplicate of [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) — Funk Forty Niner, Nov 30 '16 at 17:44
Very much so yes. Your code is vulnerable to SQL-injections, which is very bad. Start off by using prepared statements! — Jite, Nov 30 '16 at 17:44
`$result = mysqli_query($conn,"SELECT `date` FROM `editor` WHERE subject = '.$varPage.'");` should be `$result = mysqli_query($conn,"SELECT `date` FROM `editor` WHERE subject = '".$varPage."'");` — Dragos, Nov 30 '16 at 17:45
Taking the periods out of your query string should help. You only need those when you break out of the quoted string, not when you're inside it. Otherwise, mysql will see it as `where subject = '.1.'` — aynber, Nov 30 '16 at 17:47
You gotta love it when we post comments to get clarification on something and they either leave or wait on the fence for a magic answer. — Funk Forty Niner, Nov 30 '16 at 17:51
This is the second or third post I've seen today with bad concatenation. Is there a bad tutorial out there somewhere? — aynber, Nov 30 '16 at 17:58

score 0 · Answer 1 · answered Nov 30 '16 at 17:54

0

With this SQL string

"SELECT `date` FROM `editor` WHERE subject = '.$varPage.'"

It looks like you're incorrectly incorporating the concatenation operator (.). As aynber commented, these will be interpreted as literal dot characters.

Ideally, you would use a prepared statement and bind the variable before executing, but if you're going to use double quotes to include the variable in the string, you don't need the dots.

"SELECT `date` FROM `editor` WHERE subject = '$varPage'"

You would only need them if you had closed the string, like this:

"SELECT `date` FROM `editor` WHERE subject = '" . $varPage . "'"

answered Nov 30 '16 at 17:54

Don't Panic

41,125
10
61
80

I tried but it gives me Blank value (NULL) and i want to mention that the subject's value is arabic characters will it okey or it wont...... – Farhad paikan Nov 30 '16 at 18:19
Whether or not that causes problems depends on the encoding settings in your database and PHP connection. You can check [this question](http://stackoverflow.com/questions/279170/utf-8-all-the-way-through) for more in-depth guidance on that. – Don't Panic Nov 30 '16 at 18:29

Jite · Answer 2 · 2016-11-30T18:13:39.347

There are a few issues that you should be aware of with your code...
To start off, to answer the actual question (which has to do with string concatenation):

$result = mysqli_query($conn,"SELECT `date` FROM `editor` WHERE subject = '.$varPage.'");

As you can probably see on the syntax highlighting here on SO and should be able to see in any decent IDE or code editor, the ' and . signs are actually a part of your string.
When you use double quoted strings, you can add the variable without . or just concat it by ending the string, adding the dot, the variable then another dot then start string again (if you need more to it...) like so:

$query = "SELECT `date` FROM `editor` WHERE subject = '" . $varPage . "'";
// or
$query = "SELECT `date` FROM `editor` WHERE subject = '$varPage'";

The easiest way to debug this kind off stuff is to either store the query string in its own string, then just echo it out when you notice something is wrong, you would in that case hopefully notice the issue quite fast. Or by adding or die(mysqli_error()) at the end of the mysqli_query call:

$result = mysqli_query($conn, "query query...") or die(mysqli_error());

Now, this is not the biggest issue you have with the code!

You are using the mysqli API, which is a good thing, but you are using the mysqli_query function with a none-escaped get-parameter as a part of the query, this is very bad cause it leaves you open for SQL injections (which is quite bad if you prefer to keep your database safe).

Now, the mysqli api have a great thing to stop this from happening called prepared statements.
Prepared statements takes care of escaping data so that its harder to inject bad code through it (they don't save you from everything bad there is, but its a good first step to safer code).
Your query would look something like the following with prepared statements:

$stmt = mysqli_prepare($conn, "SELECT date FROM editor WHERE subject=?");
// see the ? - thats a placeholder that we will fill on the next row.
mysqli_stmt_bind_param($stmt, "s", $varPage); // if varpage is a string, i for integer.
mysqli_stmt_bind_result($stmt, $date);
while (mysqli_stmt_fetch($stmt)) {
  echo $date; 
  // $date will change for each loop and contain the date from the row in database.
}
mysqli_stmt_close($stmt);

Now, im not so used to using mysqli nor their procedural style of php, so I'd recommend checking the docs instead of using my code.

score 0 · Answer 3 · answered Nov 30 '16 at 17:58

0

For this kind of sql command you should not need the string concatenation should suffice the appropriate syntax

"SELECT `date` FROM `editor` WHERE subject = '$varPage'";

answered Nov 30 '16 at 17:58

ScaisEdge

131,976
10
91
107

SELECT from Variable with PHP

3 Answers3