
I'm trying to create a very simple web app that checks if an element is inside the database.

If the element is located at least one time in the DB, then echo "YES", otherwise if the element doesn't exist just echo "NO".

Here's my code :

$mysql = mysqli_connect(/* can't share anything here */) or die ("ERROR CONNECTING TO THE DB");

if(isset($_POST['submit'])) {

    $theAddress = $_POST['url'];  

    // user input is concatenated straight into the SQL, without quotes
    $result = "SELECT * FROM data WHERE url = " . $theAddress;

    $query = mysqli_query($mysql, $result);

    if (!$query) {
        printf("Error");
    } else {
        printf("NO ERROR");
    }
}

The problem here is that PHP always echoes "Error". Why?

Michael

  • Learn to use parameters to put values in the query. You should learn this from Day 1 for a variety of reasons. One of them is to prevent syntax errors such as this. Note: The syntax error would probably be obvious if you printed out the query before running it. One more piece of advice: the string should be called something like `$sql` or `$query`. `$result` is not a sensible name for a query string. – Gordon Linoff Mar 25 '17 at 15:40
  • Try replacing `$result = "SELECT * FROM data WHERE url = " . $theAddress;` with `$result = "SELECT * FROM data WHERE url = '" . $theAddress."'";` – Lal Mar 25 '17 at 15:41
  • http://stackoverflow.com/questions/1290975/how-to-create-a-secure-mysql-prepared-statement-in-php – Suraj Rao Mar 25 '17 at 15:41
  • Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – u_mulder Mar 25 '17 at 15:41
  • use prepared statements – Suraj Rao Mar 25 '17 at 15:41
  • `$result = "SELECT * FROM data WHERE url = '" . $theAddress."'"` doesn't work and doesn't change anything – Michael Mar 25 '17 at 15:46
  • Change `printf("Error")` to `printf("Error: " . mysqli_error($mysql))` so you see the reason for the error. – Barmar Mar 25 '17 at 15:50
  • what is sample address? – Suraj Rao Mar 25 '17 at 15:52

3 Answers


In order to execute SQL queries successfully you need to put string values inside quotes.

So your query will be:

$result = "SELECT * FROM data WHERE url = '" . $theAddress . "'";
Hari Lamichhane


You need quotes around the value because it's a string.

$result = "SELECT * FROM data WHERE url = '" . $theAddress . "'";

But it would be better if you learned to use prepared queries with mysqli_stmt_bind_param(), then you don't have to worry about this.

Barmar


Try with prepared statements like this:

$stmt = mysqli_stmt_init($mysql);
if (mysqli_stmt_prepare($stmt, 'SELECT * FROM data WHERE url = ?')) {
  mysqli_stmt_bind_param($stmt, "s", $theAddress);
  mysqli_stmt_execute($stmt);
  $result = mysqli_stmt_get_result($stmt);
}

Documentation:
http://us.php.net/manual/en/mysqli-stmt.prepare.php
http://us.php.net/manual/en/mysqli-stmt.get-result.php

Suraj Rao
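Added example (not code from the question or any of the three answers): a complete version of the YES/NO check the question asks for, built the way the second and third answers recommend, with a prepared statement and a bound parameter. It also shows, with a constructed input, why the quoted-concatenation fix from the first two answers is not enough: the quotes stop the syntax error but not the injection. Table and column names (`data`, `url`) come from the question; the connection parameters are placeholders, and the helper names `naiveQuery` and `urlExists` are my own.

```php
<?php
// Added example, not the original poster's code.
// Assumes a MySQL table `data` with a column `url` (as in the question).
// Connection parameters below are placeholders.

// Make mysqli throw on every error. The question's "Error" branch hides the
// cause; with this, the SQL syntax error from an unquoted value is printed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * The query string the "add quotes" fix produces. Kept only to show that
 * quoting a concatenated value still lets the value escape the quotes.
 */
function naiveQuery(string $theAddress): string
{
    return "SELECT * FROM data WHERE url = '" . $theAddress . "'";
}

/**
 * Is there at least one row in `data` whose url equals $theAddress?
 * The value travels as a bound parameter, so it is never parsed as SQL,
 * whatever quotes or comment markers it contains.
 */
function urlExists(mysqli $mysql, string $theAddress): bool
{
    $stmt = mysqli_prepare($mysql, 'SELECT 1 FROM data WHERE url = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $theAddress);   // 's' = string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);                    // needed before num_rows
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Constructed inputs: a normal address and a classic injection payload.
foreach (['http://example.com/', "' OR '1'='1"] as $input) {
    echo naiveQuery($input), "\n";
}

if (isset($_POST['submit'], $_POST['url'])) {
    // placeholders: replace with real host, user, password and database
    $mysql = mysqli_connect('db-host', 'db-user', 'db-password', 'db-name');
    echo urlExists($mysql, $_POST['url']) ? 'YES' : 'NO';
    mysqli_close($mysql);
}
```

For the second constructed input, `naiveQuery` yields `SELECT * FROM data WHERE url = '' OR '1'='1'`, which is valid SQL and matches every row, so the "quoted" version of the original code would answer YES for an address that is not in the table. `urlExists` sends the same bytes as a parameter and compares them literally. Two practical notes: `mysqli_stmt_num_rows()` only returns a count after `mysqli_stmt_store_result()`, and the `mysqli_stmt_get_result()` call used in the third answer is available only when PHP is built with the mysqlnd driver, which is why this example counts rows instead.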