Select column FROM table_name WHERE username=$_SESSION['username'] not working

Question

I am trying to take out url from the table users and insert it into url of a table images from the current user logged in. This code is not able to insert the url in the images table.

$uploaduser = $_SESSION["username"];
$selectuser = mysqli_query("SELECT * FROM users WHERE username=$uploaduser",$db1);
$row = mysqli_fetch_array($selectuser);
$pic = $row['url'];

$sql = "INSERT INTO images (image1, image_text1, uploaduser, url, date) VALUES ('$image1', '$image_text1' , '$uploaduser','$pic','$date')";

mysqli_query($db1, $sql);

Possible duplicate of [When to use single quotes, double quotes, and back ticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql) — Syscall, Mar 03 '18 at 18:08
This depends whether `username` is a varchar field or `numeric` — u_mulder, Mar 03 '18 at 18:11
This could also be avoided with proper use of prepared statements. — IncredibleHat, Mar 03 '18 at 18:12
The link (`$db1`) should be the first argument of `mysqli_query()`. — Syscall, Mar 03 '18 at 18:15
@Syscall , that code worked when I did not include the 'url' column. Now, just for testing, I tried putting $pic=$_SESSION ['username'] and it worked fine. — Yash Pawse, Mar 03 '18 at 18:24
I was talking about the first query of your question (`mysqli_query($db1, "SELECT * FROM users...`) — Syscall, Mar 03 '18 at 18:26

score 2 · Accepted Answer · answered Mar 03 '18 at 18:40

2

The first argument should be the link ($db1). Then, except if username is a numeric datatype, you should wrap the value using single quotes.

Try this :

$selectuser = mysqli_query($db1, "SELECT * FROM users WHERE username='$uploaduser'");

Important: You should have a look to How can I prevent SQL injection in PHP? to secure your queries.

answered Mar 03 '18 at 18:40

Syscall

19,327
10
37
52

Thanks @Syscall, that really helped me! Great job! I had been trying this the whole day...... :) – Yash Pawse Mar 03 '18 at 18:49

score 0 · Answer 2 · answered Mar 03 '18 at 18:28

You should use prepared statements, anyway from what it looks like,

$selectuser = mysqli_query("SELECT * FROM users WHERE username=$uploaduser",$db1);

You have an error here. mysqli_query expects param 1 to be the connection variable and param 2 as query string, instead you have passed the second param as connection variable and the first param as the query string.

Also try to concatenate the variables instead of directly passing the variables into the query string.

Instead of

$sql = "INSERT INTO images (image1, image_text1, uploaduser, url, date) VALUES ('$image1', '$image_text1' , '$uploaduser','$pic','$date')";

Try

$sql = "INSERT INTO images (image1, image_text1, uploaduser, url, date) VALUES ('".$image1."', '".$image_text1."' , '".$uploaduser."','".$pic."','".$date."')";

Hope this helps.

Select column FROM table_name WHERE username=$_SESSION['username'] not working

2 Answers2