Not Getting Row From Mysqli

Question

I am using mysqli to get the row but it is not giving me row, and there is no error in query.

$query="select * from members where useremail='$user_email' and password='$password'";
$result=$db->query($query);
$row = $db->fetch_array($result);
echo $row['id'];

My query Function

function query($query){
        $result=mysqli_query($this->conn, $query);
        if(!$result){
            echo $this->err_msg = mysqli_error($this->conn);
            return false;
        }else{
            return $result;
        }
}

My fetch_array Function

function fetch_array($result){
    return mysqli_fetch_array($result);
}

How can i get Row using mysqli ?

Your code is likely vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. — Alex Howansky, Jun 30 '17 at 13:54
Yes but you're not using prepared statements with bound parameters. — Alex Howansky, Jun 30 '17 at 13:55
@Hamza Tafeer That doesnt mean that you can't build SQL injections. You don't use the common way from mysqli to prevent it. — René Höhle, Jun 30 '17 at 13:56

clearshot66 · Answer 1 · 2017-06-30T14:32:34.027

Change your original code to reflect bound parameters using mysqli, this is more secure and should work

$query="select * from members where useremail='$user_email' and password='$password'";
    $result=$db->query($query);
    $row = $db->fetch_array($result);
    echo $row['id'];

to bound parameters using mysqli prepared statements

$query="select id from members where useremail=? and password=?";   // Don't use select *, select each column, ? are placeholders for your bind variables
$stmt = $connection->prepare($query);
if($stmt){
  $stmt->bind_param("ss",$user_email,$password);   // Bind in your variables, s is for string, i is for integers
  $stmt->execute();  
  $stmt->bind_result($id);  // bind the result to these variables, in the order you select
  $stmt->store_result();   // Store if large result set, can throw error if server is setup to not handle more than x data
  $stmt->fetch();
  $stmt->close();
  }
echo $id;  // this would be same as $row['id'], $id now holds for example 5.

If you select multiple things, such as "SELECT id,name FROM...", then when you bind_result(..), just bind them n there. $stmt->bind_result($id,$name);

now $id and $name hold the column data for that row matching your query. If there would be multiple rows matching, instead of $stmt->fetch() you'd do

while($stmt->fetch()){    // just like while($row = $result->fetch_assoc()){}
   echo $id;
   echo $name
}

how can i get `$row['id']` and i want to store it in session, i am using mysqli not using prepared statement? I means i want a complete row and then get any thing from row? — Hamza Zafeer, Jun 30 '17 at 14:20
You would do `"SELECT id..."`, then bind_result($id). $row['id'] would now be $id. And yes you're using mysqli, prepared statements are an idea to prevent SQL injection attacks. Each iteration of the while($stmt->fetch()) provides you with the same result as if you were to do while($row = $result->fetch_assoc()). The $row['id'] would now be accessed using $id; — clearshot66, Jun 30 '17 at 14:27

Not Getting Row From Mysqli

1 Answers1