
I am trying to display an entry from a MySql database which is selected by GET data.

if (isset($_GET["id"])){

        $id=$_GET["id"];
        $result = getSelectedBlog($id); 

        while($row = mysqli_fetch_array($result))
            { 
                extract($row); 
                ?>

                    <div class="headline"><?php echo $headline ?></div>
                    <div class="subtitle"><?php echo $subTitle ?></div>
                    <div class="content"><?php echo $content ?></div>
                    <?php
            } 

Here is the SQL statement:

function getSelectedBlog($id){

$con = mysqli_connect('localhost', 'root', '', 'michaelWebsite') or die('could not connect');
$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "$id"';
$result = mysqli_query($con, $sql) or die('entry does not exist.:' . mysqli_error($con)); 
return $result; 

}

As you can see, I am passing the GET data as $id to the method that returns the result. However, nothing is being returned. There are three entries at the moment; if I change $id in the SQL statement to either 1, 2 or 3 it will show the corresponding data, but it just will not work with the $id variable.

The URL does end with the correct info ?id=1.

Please excuse me if it is something stupid, I have just been stuck on this for hours now!!

5 Comments
  • Try adding var_dump($id); inside the function to see what it is. Commented Jun 4, 2012 at 15:05
  • You've got an SQL injection hole in your code - directly using $_GET['id'] within the query. Read this before you go ANY FURTHER with this code. Commented Jun 4, 2012 at 15:06
  • You are using mysqli_* functions as if they were mysql_* functions. Try escaping the $id, your code is vulnerable to mysql injection ($id comes from $_GET, is not sanitized, and is inserted right into the query. Get your hands on a good mysql/mysqli/pdo&mysql tutorial. I recommend you go for PDO&MySQL. Good luck. Commented Jun 4, 2012 at 15:06
  • You're also using single quotes for your query string, which do NOT interpolate variables. You're trying to find a literal $id in your DB. Commented Jun 4, 2012 at 15:08
  • Don't use LIKE when you want an exact match. Use = instead. Like is slower, it's for searches with wildcards. Commented Jun 4, 2012 at 15:11

5 Answers

Answer (score 2)

All of these answers will solve your problem, but none have mentioned or prevented SQL Injection.

In your case I recommend (assuming articleID is an integer field).

$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "' . (int)$id . '"';

I'm also curious why you are using LIKE for an id field.

Note: Since you are using MySQLi, I'd encourage you to look at prepared statements.
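The following is an added example, not code from the question or any of the answers: the same getSelectedBlog() lookup rewritten around a mysqli prepared statement, which is the approach this answer points at, with the id validated before use and the LIKE replaced by = as one of the comments suggests. It assumes PHP 7 or later with the mysqlnd driver (for get_result()), the table and column names from the question (tblArticle, articleID, headline, subTitle, content), that articleID is an integer column, and placeholder database credentials.

```php
<?php
// Added example (not from the original question or answers): a hardened
// getSelectedBlog() using a mysqli prepared statement. Assumes the same
// table/column names as the question and that articleID is an integer
// column. The credentials are placeholders.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false,
// so a failed prepare() or execute() cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the raw request value before it goes anywhere near SQL.
 * Returns null for anything that is not a positive integer, so "1 OR 1=1",
 * "", "abc" and negative numbers are all rejected up front.
 */
function parseArticleId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one article by its integer id. The id is never concatenated into
 * the query string: it is bound as an integer parameter, so the value
 * cannot change the structure of the statement. Note the exact-match "="
 * instead of LIKE, since no wildcard matching is wanted on an id.
 */
function getSelectedBlog(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare(
        'SELECT articleID, headline, subTitle, content FROM tblArticle WHERE articleID = ?'
    );
    $stmt->bind_param('i', $id);   // 'i' binds $id as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matches
    $stmt->close();
    return $row ?: null;
}

// --- usage -----------------------------------------------------------------
$con = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'michaelWebsite');

$id = parseArticleId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid article id');
}

$row = getSelectedBlog($con, $id);
if ($row === null) {
    http_response_code(404);
    exit('entry does not exist.');
}

// Escape on output as well: the stored text is being rendered into HTML,
// and extract($row) into bare variables is avoided so nothing in the row
// can overwrite other variables in the script.
?>
<div class="headline"><?= htmlspecialchars($row['headline'], ENT_QUOTES, 'UTF-8') ?></div>
<div class="subtitle"><?= htmlspecialchars($row['subTitle'], ENT_QUOTES, 'UTF-8') ?></div>
<div class="content"><?= htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8') ?></div>
```

The original bug (single quotes not interpolating $id) disappears as a side effect: the query string is now a fixed literal and the value travels separately through bind_param(). The (int) cast from this answer is a reasonable stopgap for an integer column, but the bound parameter is the general fix because it also works for string ids where a cast would not help.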



Answer (score 1)

$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "'.$id.'"';

Escape your var in single quotes.

2 Comments

  • You should also escape it from SQL Injection. In this case, you could simply cast it.
  • Yes use mysql_real_escape_string() or a DAO class like pdo for example

Answer (score 1)

Try with this:

$sql = "SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'";

or with

$sql = 'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "' . $id . '"';


Answer (score 0)

You need to use double quotes in order for PHP to correctly expand your variables :) so change your query to

$sql = "SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'";


Answer (score 0)

Change

'SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE "$id"'

to

"SELECT * FROM tblArticle WHERE tblArticle.articleID LIKE '$id'" 

Variables will be evaluated only if they're between double quotes (").
