
I am getting a mysqli_fetch_array() error when trying to execute an SQL statement in one of my PHP forms. What it is doing is searching the database for the user's email and returning a result. I can execute the SQL statement through dbforge and it works; however, it will not run when it is initiated via the web application.

Code:

<?php

// Start session
session_start();

// Include required functions file
require_once('includes/functions.inc.php');
require_once('includes/config.inc.php');

if (isset($_POST['email'])){
$email   =   $_POST['email'];
} else $email ="";
var_dump($email);
// Connect to database

$mysqli = @new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($mysqli, "SELECT 
  checkin.user, 
  SUM(checkin.points) AS point_total, 
  satellite_members.f_name, 
  satellite_members.l_name, 
  satellite_members.email 

  FROM checkin 

  INNER JOIN satellite_members 

  ON satellite_members.email = checkin.user
  WHERE checkin.user = $email");


?>

HTML elements here:

    <form action="" method="post">
        <div class="form-group">
            <label for="email">Email Address</label>
            <input type="email" class="form-control" id="email" name="email" style="width:60%; display:inline;" required>
        </div>
        <button type="submit" class="btn btn-default">Submit</button>
    </form>

    <div class="table-responsive" style="width:100%; ">
        <table class="table table-condensed table-bordered" >
            <tr class="bg-cotu">
                <th style="width:45%;" class="text-center">Member name</th>
                <th style="width:20%;" class="text-center">Point Total</th>
            </tr>

    <?php
    while($row = mysqli_fetch_array($result))
    {
        echo "<tr>";
        echo "<td>" . $row['f_name']." ".$row['l_name'] . "</td>";
        echo "<td>" . $row['point_total'] . "</td>";
        echo "</tr>";
    }
    ?>
        </table>
    </div>
  • You mix the mysql_* and the mysqli_* APIs. Use only mysqli. Commented Aug 18, 2014 at 20:21
  • ^--< Yeah.... exactly. This isn't gin & tonic, although some like to mix those ;) Commented Aug 18, 2014 at 20:24
  • Doesn't make a difference. Took it out and doesn't pose a solution Commented Aug 18, 2014 at 20:25
  • Took it out and then what? This mysql_real_escape_string($_POST['email']) should be mysqli_real_escape_string($mysqli,$_POST['email']) and quoting $email - Use error reporting which would've signaled those errors. Commented Aug 18, 2014 at 20:26
  • When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation to accomplish this because you will create severe SQL injection bugs. Do not manually escape and inject strings. Commented Aug 18, 2014 at 20:36

2 Answers


You haven't quoted your $email value. The real_escape function does NOT do that for you.

WHERE checkin.user = '$email'");
                     ^------^---- you still need these

If you'd bothered to put in any kind of error handling on your query, you'd have been informed of this:

$result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli));
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Never ever assume a query will always succeed. Even if your SQL is syntactically perfect there's literally an infinite number of OTHER reasons for it to fail. Always assume failure, check for it, and treat success as a pleasant surprise.

It's like "I don't need to wear my seatbelt. I don't drive into trees so I'll be fine". I'm sure that'll be a comforting thought for your relatives after your corpse is scraped off the hood of the drunk's driver's car.


2 Comments

"I'm sure that'll be a comforting thought for your relatives after your corpse is scraped off the hood of the drunk's driver's car." - The body count around here is real; not virtual.
Switching to placeholder values would make quoting irrelevant.
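The parameterized form the comments above ask for, as an added example that is not code from the question or either answer: the same lookup as a mysqli prepared statement, with error reporting switched on so a broken query cannot fail silently. It assumes the DB_* constants from includes/config.inc.php, the question's two tables, and the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example (not from the question or answers): the same lookup as a
// mysqli prepared statement, so $email travels as data, never as SQL text.
// Assumes the DB_* constants from includes/config.inc.php, the question's
// tables, and the mysqlnd driver (needed for get_result()).

// Throw on any mysqli error instead of failing silently; this is what
// would have reported the missing quotes in the original query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function pointTotalForEmail(mysqli $mysqli, string $email): array
{
    // GROUP BY is added so the statement is also valid under
    // ONLY_FULL_GROUP_BY; for a known user the result matches the
    // question's query, for an unknown one it yields no row instead of NULLs.
    $sql = "SELECT
              checkin.user,
              SUM(checkin.points) AS point_total,
              satellite_members.f_name,
              satellite_members.l_name,
              satellite_members.email
            FROM checkin
            INNER JOIN satellite_members
              ON satellite_members.email = checkin.user
            WHERE checkin.user = ?
            GROUP BY checkin.user, satellite_members.f_name,
                     satellite_members.l_name, satellite_members.email";

    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('s', $email);   // 's' = string parameter; no quoting, no escaping
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Reject anything that is not an email address before it reaches the query;
// the form's type="email" is a client-side hint, not a server-side check.
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null || $email === false) {
    exit('A valid email address is required.');
}

$mysqli = new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
foreach (pointTotalForEmail($mysqli, $email) as $row) {
    // Escape on output as well, so a stored name cannot inject HTML.
    echo '<tr><td>' . htmlspecialchars($row['f_name'] . ' ' . $row['l_name'])
       . '</td><td>' . (int) $row['point_total'] . '</td></tr>';
}
```

With MYSQLI_REPORT_STRICT on, a malformed statement surfaces as a mysqli_sql_exception at prepare() time rather than as a false $result handed to mysqli_fetch_array().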

Try this:

$result = mysqli_query($mysqli, "SELECT 
  checkin.user, 
  SUM(checkin.points) AS point_total, 
  satellite_members.f_name, 
  satellite_members.l_name, 
  satellite_members.email 

  FROM checkin 

  INNER JOIN satellite_members 

  ON satellite_members.email = checkin.user
  WHERE checkin.user = '$email'") or die(mysqli_error($mysqli));

And this needs to be

 while($row = mysqli_fetch_array($result))
