-2

I am new to PHP and MySQL. I am trying to create a simple query which contains a variable using PHP. However, I think I am not writing the query correctly with the variable, since the result of this query is 0.

I would be happy for assistance; here is my code:

<?php
$phone = $_GET['phone'];
echo $phone;
$query = "SELECT * FROM `APPUsers` WHERE `Phone` LIKE "."'".$phone."' ";
echo $query;
$result = mysqli_query($mysqli, $query);
echo mysqli_num_rows($result);
?>
BaBaBA fksld
  • It looks like you forgot to connect to your database – RiggsFolly Jul 12 '17 at 14:37
  • Start by [Reading the Manual](http://php.net/manual/en/book.mysqli.php) – RiggsFolly Jul 12 '17 at 14:38
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 12 '17 at 14:52
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. – RiggsFolly Jul 12 '17 at 14:53
  • `LIKE` searches normally have a wild card character somewhere in them like `'%999%` but if you have a real and complete phone number you should be using an `=` i.e. `WHERE \`phone\` = '$phone'"` – RiggsFolly Jul 12 '17 at 14:55

2 Answers

1
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
$conn = new mysqli($servername, $username, $password, $dbname);
$sql = "SELECT * FROM APPUsers WHERE Phone LIKE '%$phone%'";
$result = $conn->query($sql);

Above there is a fast solution, but it is not safe, because it is vulnerable to injection...

Below let's see how to do it and why to do it in this way

It is good practice to store sensitive information in a separate file outside the document root; this means it will not be accessible from the web.

So let's create a file, configDB.ini for example, and put the db information in it:

; note: in an ini file a semicolon starts a comment, so do not end the values with ';'
servername = something
username = something
password = something
dbname = something

Once that is done we can create a script called dbconn.php and import the file with the credentials; in this way there is an abstraction between credentials and connection.

in dbconn.php :

$config = parse_ini_file('../configDB.ini');
// use the host from the ini file as well, instead of hard-coding 'localhost'
$conn = mysqli_connect($config['servername'], $config['username'], $config['password'], $config['dbname']);

We can even improve the code by connecting to the db only once and using the same connection every time we need to run a query.

function db_connect() {

    // static: the connection is kept between calls, so it is opened only once
    static $conn;

    if (!isset($conn)) {
        $config = parse_ini_file('../configDB.ini');
        $conn = mysqli_connect($config['servername'], $config['username'], $config['password'], $config['dbname']);
    }
    return $conn;
}

...

$conn = db_connect();
$sql = "SELECT * FROM APPUsers WHERE Phone LIKE '%$phone%'";
$result = mysqli_query($conn, $sql);

In the end let's say something about mysqli_query

Reasons why you should use MySQLi extension instead of the MySQL extension are many:

from PHP 5.5.0 mysql is deprecated and mysqli was introduced

Why choose mysqli (strengths)

  • object oriented

  • prepared statements

  • many features

  • no injection

Frank
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jul 12 '17 at 14:52
  • While this code may answer the question, providing additional context regarding why and/or how this code answers the question improves its long-term value. A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Jul 12 '17 at 14:54
  • Hey man, I know this is vulnerable code to injection and the connection should be declared in a config file; the way how to do this is not asked in the question – Frank Jul 12 '17 at 14:58
  • Regardless of the asking you should always strive to teach a better way. – Jay Blanchard Jul 12 '17 at 14:59
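As an added example (not code from the question or from Frank's answer), here is how the OP's lookup could be written with the pieces the comments and the answer above ask for: mysqli errors raised as exceptions, credentials read from an ini file outside the document root, one cached connection, and the phone number bound with a prepared statement instead of being concatenated into the SQL. The table and column names, the `../configDB.ini` path and the `=`-for-complete-number advice come from the page; `lookup_by_phone()`, the `$exact` switch, the `__DIR__`-relative path and the `utf8mb4` charset are my own assumptions.

```php
<?php
// Surface mysqli failures as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(): mysqli {
    static $conn = null;                       // opened once, reused afterwards
    if ($conn === null) {
        // configDB.ini lives outside the document root (path assumed, as in the answer)
        $config = parse_ini_file(__DIR__ . '/../configDB.ini');
        $conn = mysqli_connect($config['servername'], $config['username'],
                               $config['password'], $config['dbname']);
        // Make the connection charset explicit so non-ASCII input is not mangled
        // between PHP and MySQL (assumption: the tables are utf8mb4).
        mysqli_set_charset($conn, 'utf8mb4');
    }
    return $conn;
}

// Returns the matching APPUsers rows. $exact = true uses `=` for a complete number;
// false does a contains-search with LIKE, escaping the user's own % and _ so they
// are matched literally instead of acting as wildcards.
function lookup_by_phone(mysqli $conn, string $phone, bool $exact = true): array {
    if ($exact) {
        $sql   = 'SELECT * FROM `APPUsers` WHERE `Phone` = ?';
        $param = $phone;
    } else {
        $sql   = 'SELECT * FROM `APPUsers` WHERE `Phone` LIKE ?';
        $param = '%' . addcslashes($phone, '%_\\') . '%';
    }
    // The value never becomes part of the SQL text: it is sent separately as a bound parameter.
    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, 's', $param);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Same flow as the original script: read the input, keep it out of the SQL string.
$phone = $_GET['phone'] ?? '';
$rows  = lookup_by_phone(db_connect(), $phone);
echo count($rows);
```

With `mysqli_report(...)` set, a missing connection or a bad query now throws instead of making `mysqli_num_rows()` fail on `false`, which is the first thing the comments asked the OP to check.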
-1

Do you connect to the database?

The apostrophes around APPUsers and Phone might not be the right ones, as they are not the single apostrophes but some weird squiggly ones.

Try this:

$query = "SELECT * FROM 'APPUsers' WHERE 'Phone' LIKE '".$phone."' ";
Jay Blanchard
Val Zarins
  • Do or do not, there is no "try". A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Jul 12 '17 at 14:53
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jul 12 '17 at 14:53
  • It's possible that the connection is made by Magic also – RiggsFolly 11 mins ago
  • Hi, I am connecting to the DB; I just wrote the problematic lines. There is something with the query issue. I think it is because of the apostrophes or the language; for some reason I am getting a 25 character. While I echo this query I get this: SELECT * FROM APPUsers WHERE Phone LIKE 'נייד' 25 – BaBaBA fksld Jul 12 '17 at 14:59