
Working on getting a page to build off of an array that is returned from a DB to post a story, not sure why it is not working. The page URL looks like this: https://ohcrap.ninja/games/ps4/article.php?id=1

Here is the code that should be generating the content:

        <?php

        $id = $_GET['id'];
        $query = mysqli_query($con,'SELECT * FROM `PS4` WHERE `id` =' .$id) or die(mysqli_error($con));
        while ($row = mysqli_fetch_array($query));
        // Echo page content
                echo "<div class='col s12 m12 l12'>";
                echo "<div class='card small grey darken-3'>";
                echo "<div class='card-stacked'>";
                echo "<div class='card-content'>";
                echo "$id";
                echo "<span class='card-title'>" . $row['title'] . "</span>";
                echo "<hr color='black'>";
                echo "<P>By:<i> " . $row['author'] . "</i></P>";
                echo "<P>Published: " . $row['published'] . "</P>"; 
                echo "<br>";
                echo "<P class='truncate'>" . $row['story'] . "</P>";
                echo "</div>";
                echo "</div>";
                echo "</div>";
                echo "</div>";
    ?>
Rob Hood
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 17 '17 at 21:47
  • Thanks for the heads up, I will take a look into it. I appreciate that! – Rob Hood May 17 '17 at 21:50

1 Answer

Your while loop is not doing anything useful, because you're immediately ending it with that ;.

    while ($row = mysqli_fetch_array($query)) {
        // all those echoes
    }

rickdenhaan
  • Thanks that got it, I am not sure why I did not catch that one. I will accept the answer once it lets me! – Rob Hood May 17 '17 at 21:50
  • I think it's also worth explicitly noting that the braces are required to do all those echoes even after the stray semicolon is removed, rather than just looping `echo "
    ";`
    – Don't Panic May 17 '17 at 22:04
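
An added example (not code from the question or the answer) that combines the two fixes raised in this thread: the loop body in braces with no stray semicolon, and the `id` passed through a MySQLi prepared statement instead of being concatenated into the query. It assumes `$con` is the open mysqli connection from the question and that `PS4` has the columns the question echoes; the helper names `h` and `render_article`, the integer check on `id`, and the HTML escaping of output are additions.

```php
<?php
// Added example, not the poster's code. Assumes $con is an open mysqli
// connection and that `PS4` has the columns the question echoes.

// Escape a database value before placing it in HTML.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_article(mysqli $con, $rawId): string
{
    // Accept only a positive integer id; reject anything else up front.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return '<p>Invalid article id.</p>';
    }

    // The id travels as a bound parameter, never as part of the SQL text.
    $stmt = $con->prepare('SELECT `title`, `author`, `published`, `story` FROM `PS4` WHERE `id` = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $con->error); // log it, don't show it to visitors
        http_response_code(500);
        return '<p>Something went wrong.</p>';
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($title, $author, $published, $story);

    $html = '';
    // Braces, and no semicolon after the condition: the body runs once per row.
    while ($stmt->fetch()) {
        $html .= "<div class='col s12 m12 l12'><div class='card small grey darken-3'>"
               . "<div class='card-stacked'><div class='card-content'>"
               . "<span class='card-title'>" . h($title) . "</span><hr color='black'>"
               . "<p>By:<i> " . h($author) . "</i></p>"
               . "<p>Published: " . h($published) . "</p><br>"
               . "<p class='truncate'>" . h($story) . "</p>"
               . "</div></div></div></div>";
    }
    $stmt->close();

    return $html !== '' ? $html : '<p>Article not found.</p>';
}

echo render_article($con, $_GET['id'] ?? null);
```

With this version a request such as `article.php?id=1 OR 1=1` is rejected by the integer check with a 400 response, and even without that check the bound `i` parameter would be sent to MySQL as a value rather than as SQL.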