
I have the following code in my file. It returns nothing but blank. When I check the error log file I see this:

PHP Warning:  mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in


<?php
include "dbfilepath";
$con = mysqli_connect($server, $db_user, $db_pwd, $db_name);
$username = $_SESSION['username'];
$sql = "SELECT FROM users WHERE username='$username'";
$data = mysqli_query($con, $sql);
$row = mysqli_fetch_assoc($data);
?>

Why is that? For me it looks all fine.

And how do I secure this simple code from SQL injection?

Your Common Sense

Riffaz Starr

2 Answers

2
  $sql = "SELECT * FROM users WHERE username='$username'";

You forgot to set something to select.

To secure it you need to use prepared statements for the variable $username.

pr1nc3
0

Posting it as an answer due to low reputation.

Firstly, you have incorrect syntax for the query in the select, because you don't identify which column name you want to select, like users_name, etc. If you want to get all records, you just write it with '*':

"SELECT * FROM users...";

Or, the other answer: by using prepared statements in 'PDO' you are safe from SQL injection, because through prepared statements your query will be run with secure parameters.

pardeep
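Both answers say "use prepared statements" without showing the asker's query rewritten that way. The following is an added example (not code from the question or from either answer) that does exactly that, once with mysqli as in the original code and once with PDO as the second answer suggests. It assumes the asker's "dbfilepath" include defines $server, $db_user, $db_pwd and $db_name as in the question; the table and column names (users, username) are also taken from the question, and the helper function names are invented for this example.

```php
<?php
// Added example: the asker's lookup rewritten with prepared statements.
// Assumes "dbfilepath" defines $server, $db_user, $db_pwd, $db_name (as in the question).
session_start();
include "dbfilepath";

// --- mysqli variant (same extension the asker's code uses) ---
function fetch_user_mysqli(string $server, string $db_user, string $db_pwd, string $db_name, string $username): ?array
{
    // Make mysqli throw on errors instead of silently returning false.
    // With the asker's original query this would have surfaced the syntax error
    // immediately, instead of passing `false` into mysqli_fetch_assoc().
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $con = mysqli_connect($server, $db_user, $db_pwd, $db_name);

    // The SQL text contains only a placeholder; the value travels separately,
    // so nothing inside $username can change the structure of the statement.
    $stmt = mysqli_prepare($con, "SELECT * FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
    $row = mysqli_fetch_assoc($result);        // null when no such user

    mysqli_stmt_close($stmt);
    mysqli_close($con);
    return $row ?: null;
}

// --- PDO variant (the approach the second answer refers to) ---
function fetch_user_pdo(string $server, string $db_user, string $db_pwd, string $db_name, string $username): ?array
{
    $pdo = new PDO(
        "mysql:host=$server;dbname=$db_name;charset=utf8mb4",
        $db_user,
        $db_pwd,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions, never a silent false
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
        ]
    );
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: $_SESSION['username'] is read exactly as the asker does.
$username = $_SESSION['username'] ?? '';
$row = fetch_user_mysqli($server, $db_user, $db_pwd, $db_name, $username);
if ($row === null) {
    echo "no such user";
} else {
    // Escape on output as well; a safe query does not make the value safe to print raw.
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
}
```

Two things worth noting. First, the warning in the asker's log ("boolean given") is the symptom of mysqli_query() returning false on a failed query; switching the error mode to exceptions (mysqli_report or PDO::ERRMODE_EXCEPTION) turns that into a clear error at the failing line rather than a blank page. Second, mysqli_stmt_get_result() is only available with the mysqlnd driver; on a build without it, use mysqli_stmt_bind_result() and mysqli_stmt_fetch() instead, which still keeps the query parameterised.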