
I have these variables

$sql_select_reply = "SELECT reply_content 
                    FROM replies 
                    WHERE topic_name = '" .htmlspecialchars($_GET["TopicTitle"])." ' ";

$query_select = mysqli_query($link, $sql_select_reply);
$query_num_rows_replies = mysqli_num_rows($query_select);
$query_print_reply = mysqli_query($link, $sql_select_reply) ;

And I want to make a loop which prints every row from the DB.

This is what I tried, but it didn't work.

while($row_reply = mysqli_fetch_assoc($query_print_reply)) {
    $sql_print_reply = "SELECT reply_content 
                        FROM replies 
                        WHERE topic_name = '" .htmlspecialchars($_GET["TopicTitle"])." ' "; 
    $query_print_reply = mysqli_query($link, $sql_print_reply) ;
    echo $row_reply['reply_content'];
    echo "<br>";
    break;
}

Thanks in advance.

Why are you breaking your loop with break;? I'm not really sure what's your question here :) – MatejG Feb 18 '18 at 13:27

1 Answer

You get everything you seem to need from the first query.

The break will terminate the loop so just remove it.

$sql = "SELECT reply_content 
        FROM replies 
        WHERE topic_name = '" . htmlspecialchars($_GET["TopicTitle"]) . "'";
// (the stray space before the closing quote in the original is dropped here;
//  the parameter is still concatenated into the SQL, see the warning below)

$result = mysqli_query($link, $sql);

// One query, one result set: fetch every row from it. No break, and no
// re-running the same query inside the loop.
while ($row = mysqli_fetch_assoc($result)) {
    echo $row['reply_content'];
    echo "<br>";
}

Your script is wide open to SQL injection attack. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements.

Using a prepared, parameterised query and binding variables is SQL injection safe.

$sql = "SELECT reply_content 
        FROM replies 
        WHERE topic_name = ?";

// The query text is sent to the server once, with a placeholder; the value is
// sent separately and can never change the structure of the statement.
$stmt = $link->prepare($sql);
$stmt->bind_param('s', $_GET["TopicTitle"]);   // 's' = bind as a string

$stmt->execute();

// get_result() needs the mysqlnd driver (the default in modern PHP builds);
// without it, use bind_result()/fetch() instead.
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
    // HTML-escape at output time, which is where htmlspecialchars() belongs
    echo htmlspecialchars($row['reply_content']);
    echo "<br>";
}
RiggsFolly
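To make the answer's warning concrete, here is an added, self-contained example (not code from the question or the answer) that runs the two approaches side by side. It uses PDO with an in-memory SQLite database instead of mysqli so it needs no MySQL server (it assumes the pdo_sqlite extension is loaded); the `replies` rows are constructed for the demo. It also shows a second problem the answer does not spell out: because `htmlspecialchars()` rewrites the value before comparison, legitimate topics containing `&`, `<` or `>` never match.

```php
<?php
// Added example, not from the original page. PDO + SQLite stand in for
// mysqli + MySQL so this runs offline; the table contents are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE replies (topic_name TEXT, reply_content TEXT)');
$db->exec("INSERT INTO replies VALUES
    ('Tom & Jerry',  'public reply'),
    ('secret-topic', 'private reply, must not leak')");

// The pattern from the question: HTML-escape the parameter, then concatenate
// it into the SQL text. ENT_COMPAT reproduces the pre-PHP-8.1 default, which
// leaves the single quote untouched. (PHP 8.1+ also escapes ' by default,
// which happens to block this particular payload but does not make string
// concatenation safe: the value is still parsed as SQL.)
function fetchByConcatenation(PDO $db, string $topic): array
{
    $sql = "SELECT reply_content FROM replies WHERE topic_name = '"
         . htmlspecialchars($topic, ENT_COMPAT) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The answer's fix: a prepared, parameterised statement. The value is sent
// separately from the query text, so quotes in the input are just data.
function fetchPrepared(PDO $db, string $topic): array
{
    $stmt = $db->prepare('SELECT reply_content FROM replies WHERE topic_name = ?');
    $stmt->execute([$topic]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Injection: the payload contains nothing htmlspecialchars() rewrites under
//    ENT_COMPAT, so the WHERE clause becomes  topic_name = 'x' OR '1'='1'.
$payload = "x' OR '1'='1";
echo "concatenated, injected:\n";
print_r(fetchByConcatenation($db, $payload));
echo "prepared, injected:\n";
print_r(fetchPrepared($db, $payload));

// 2. Correctness: a legitimate topic containing '&' is compared as
//    'Tom &amp; Jerry' by the concatenated version and never matches.
echo "concatenated, legitimate:\n";
print_r(fetchByConcatenation($db, 'Tom & Jerry'));
echo "prepared, legitimate:\n";
print_r(fetchPrepared($db, 'Tom & Jerry'));
```

Run it with `php example.php`. The concatenated query returns both rows for the injected payload, including the private one, while the prepared statement returns nothing because no topic is literally named `x' OR '1'='1`. For the legitimate `Tom & Jerry` lookup the roles reverse: the concatenated query finds nothing, the prepared statement returns `public reply`. Escaping for HTML belongs at output time (`echo htmlspecialchars(...)`), and keeping data out of the SQL text belongs to the parameter binding; neither can do the other's job.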