Linux Format forums

[MGE]

Howdy all,

I am having a problem figuring out how to get data out of a MySQL database for a website I'm working on, sort of.
I say sort of, because this is a test page I'm working on to model the functions first and test them, before I put them on the actual page.

Anyway, I got the other functions I was working on done: Connecting, Creating a DB, Creating Tables, and inserting rows.
However, when it comes to getting the data back out of the database, I keep hitting a problem with mysql_fetch_array.

Here is the code I have for it so far:

[M0PHP]

The error is coming up because $result isn't a MySQL resource type, so the query is probably failing and returning false. You should really test for this first: http://uk2.php.net/mysql_query.

The problem with the query I think is the username you're looking for should be enclosed with single quotes, eg:

[filth]

as MOPHP stated you need to use mysql_query() on $rez and then fetch the results using mysql_fetch_array or some other function of your desire.

Also do not ever use user submitted information in sql queries. Before using anything make sure they are validated and are as expected. For example if something should be a number ensure it is a number. Also try using something like mysql_real_escape_string() on data in the query this will aid in combating sql injection (you should still do some validation even if you do use this, no point querying a database if the data is obviously wrong).

As well as using single quotes around inputted data it is also considered a good idea to use ` around column names so your sql would end up being:-

SELECT * FROM `users` WHERE UserName = 'TEST1 '

[Hudzilla]

One other thing: rather than joining lots of strings together, you can just surround array names in braces, eg "SELECT * FROM users WHERE ID = '{$_POST["UserID"]}';" (note that the value is in quotes to avoid problems if people enter strings - just be sure you real_escape the variable if you have magic_quotes_gpc turned off!)