
This is my PHP code

<?php
// Procedural mysqli connection: root with an empty password, database "photos".
$db=mysqli_connect("localhost","root","","photos");
// Coerce the query-string parameter to an integer. Reading $_GET['ID'] when
// the request carries no ID key raises "Notice: Undefined index: ID".
$id = intval($_GET['ID']);
// The integer is interpolated into the SQL text rather than bound as a parameter.
$sql="SELECT * FROM `images` WHERE ID='$id' ";
$result1=mysqli_query($db,$sql);
while($row=mysqli_fetch_array($result1)){
    echo "<p id='afoutput'>".$row['text']."</p>";
    echo $id;
}

?>
  • Possible duplicate of [PHP: "Notice: Undefined variable", "Notice: Undefined index", and "Notice: Undefined offset"](https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef) – Qirel Sep 19 '17 at 07:06
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Sep 19 '17 at 07:06
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Sep 19 '17 at 07:06
  • You sure it's not `id` instead of `ID`? Also, learn how to use a prepared statement. – Qirel Sep 19 '17 at 07:06
  • Use isset() conditions before using $_GET['ID'] variable. – pspatel Sep 19 '17 at 07:08
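The three points raised in the comments (an `isset()` guard before touching `$_GET['ID']`, a prepared statement with `bind_param`, and the object-oriented `mysqli` interface) applied to the asker's lookup. This is an added example, not code from the question. It assumes the same localhost/root/"photos" database with an `images` table whose `ID` column is an integer and whose `text` column holds the caption, and a mysqlnd-backed PHP build so that `get_result()` is available. Note that `intval()` in the original already turns any non-numeric input into 0, so that particular query is not injectable; the prepared statement is still the right habit because the next query may not have that cast, and the guard is what removes the "Undefined index" notice.

```php
<?php
// Added example (not the asker's code): the same lookup with an isset() guard,
// the object-oriented mysqli interface and a prepared statement.
// Assumed schema: photos.images(ID INT, text TEXT), same credentials as above.
declare(strict_types=1);

// Turn silent false returns into exceptions so a failed prepare/execute is visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli("localhost", "root", "", "photos");
$db->set_charset("utf8mb4");

// Guard the request parameter. A missing key is what produces
// "Notice: Undefined index: ID"; a non-numeric value is rejected outright
// instead of being silently coerced to 0 by intval().
if (!isset($_GET['ID']) || !ctype_digit($_GET['ID'])) {
    http_response_code(400);
    exit("Missing or invalid ID");
}
$id = (int) $_GET['ID'];

// The value never becomes part of the SQL text; the driver sends it as a
// typed parameter ("i" = integer), so no quoting or escaping is involved.
$stmt = $db->prepare("SELECT `text` FROM `images` WHERE `ID` = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();   // requires mysqlnd

while ($row = $result->fetch_assoc()) {
    // Escape on output as well: the stored caption is being placed inside HTML.
    echo "<p id='afoutput'>" . htmlspecialchars($row['text'], ENT_QUOTES, 'UTF-8') . "</p>";
}
echo $id;

$stmt->close();
$db->close();
```

`ctype_digit()` is used rather than `is_numeric()` because it accepts only an unsigned decimal string, which is what an auto-increment `ID` looks like; a request such as `?ID=5 OR 1=1` is refused with a 400 before any query runs.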

0 Answers