1

Here I am trying to pass the variable to a PHP select query, but it's not working. I couldn't figure out what the problem is.

code:

<?php   
$cname =  $_GET['c_name'];
    include 'config.php';
    $conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    if(! $conn )
    {
        die('Could not connect: ' . mysql_error());
    }
    $sql = 'SELECT * FROM co_details where co_name="$cname"';
    $result = mysqli_query($conn, $sql);
    if (mysqli_num_rows($result) > 0) 
    {
    while($row = mysqli_fetch_assoc($result)) 
    {
        echo "<br>";
        echo "Course Details <br>";
        echo $row['co_name']."<br>";
        echo $row['co_objectives']."<br>";
        echo $row['co_outline']."<br>";
        echo $row['co_prereq']."<br>";
        echo $row['co_fee']."<br>";
        echo $row['co_duration']."<br>";
    }
    mysqli_close($conn);
    }
?>

What may be the reason? If I put the direct value instead of the variable $cname, then the query executes successfully.

3
  • 1
    Firstly, you're mixing APIs with mysql_error() - That function does not intermix with mysqli_ functions. Use mysqli_error($conn) as per the manual php.net/manual/en/mysqli.error.php Commented Feb 20, 2015 at 4:44
  • First echo the $sql and check whether $cname is passed in your query or not. Commented Feb 20, 2015 at 4:46
  • @Fred-ii- Thanks for noticing it. Commented Feb 20, 2015 at 4:49

3 Answers

3

Note that single quoted strings like this one you have:

$sql = 'SELECT * FROM co_details where co_name="$cname"';

That variable that you think you have there will not get interpolated. It will only work by using double quoted strings.

$sql = "SELECT * FROM co_details where co_name='$cname'";

And as @Fred has said in the comments, stick with MySQLi including your connection error:

if(! $conn )
{
    die('Could not connect: ' . mysql_error()); // mysql API doesn't belong
}

Change it to MySQLi interface:

if ($conn->connect_errno) {
    die('Could not connect: ' . $conn->connect_error);
}

And you should have used prepared statements instead as this is prone to SQL injection.

<?php   

if(!empty($_GET['c_name'])) {
    $cname =  $_GET['c_name'];  
    include 'config.php';
    $conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    if ($conn->connect_errno) {
        die('Could not connect: ' . $conn->connect_error);
    }

    $sql = 'SELECT co_name, co_objectives, co_outline, co_prereq, co_fee, co_duration FROM co_details WHERE co_name = ?';
    $select = $conn->prepare($sql);
    $select->bind_param('s', $cname);
    $select->execute();
    $select->store_result();
    $select->bind_result($co_name, $co_objectives, $co_outline, $co_prereq, $co_fee, $co_duration);

    while($select->fetch()) {
        echo "<br/>
        Course Details: <br/>
        $co_name <br/>
        $co_objectives <br/>
        $co_outline <br/>
        $co_prereq <br/>
        $co_fee <br/>
        $co_duration <hr/>
        ";
    }

}

?>

1 Comment

@Fred-ii- yeah that'll spew an error when the connection fails
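
An added example (not code from the question or the answers) contrasting the three query forms discussed above when the course name contains an apostrophe. It assumes PDO with an in-memory SQLite database in place of the page's mysqli connection so that it runs without a MySQL server; the two-column table, its rows and the findCourse() helper are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the page's mysqli/MySQL
// connection so the script runs offline. Table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE co_details (co_name TEXT, co_fee TEXT)');
$ins = $db->prepare('INSERT INTO co_details (co_name, co_fee) VALUES (?, ?)');
$ins->execute(["Beginner's PHP", '100']);
$ins->execute(['<b>Advanced</b> SQL', '250']);

// Stand-in for $_GET['c_name']: a legitimate name containing an apostrophe.
$cname = "Beginner's PHP";

// 1. Single-quoted PHP string: no interpolation, the text $cname is sent as-is.
$literal = 'SELECT * FROM co_details WHERE co_name="$cname"';
echo "single-quoted : $literal\n";

// 2. Double-quoted PHP string: the value becomes part of the SQL text, so the
//    apostrophe ends the SQL string literal early and the statement is invalid.
$interpolated = "SELECT * FROM co_details WHERE co_name='$cname'";
echo "double-quoted : $interpolated\n";
try {
    $db->query($interpolated);
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// 3. Prepared statement: the value travels separately from the SQL text and
//    is only ever compared as data. (Hypothetical helper for this example.)
function findCourse(PDO $db, string $cname): array
{
    $stmt = $db->prepare(
        'SELECT co_name, co_fee FROM co_details WHERE co_name = ?'
    );
    $stmt->execute([$cname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (["Beginner's PHP", '<b>Advanced</b> SQL'] as $name) {
    foreach (findCourse($db, $name) as $row) {
        // Escape on output as well: stored values are data, not markup.
        echo htmlspecialchars($row['co_name'], ENT_QUOTES, 'UTF-8')
            . ' / ' . htmlspecialchars($row['co_fee'], ENT_QUOTES, 'UTF-8')
            . "<br/>\n";
    }
}
```

The same prepare, bind and execute sequence applies to the mysqli calls shown in the answer above.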
0

You can't use $cname directly in the string: try as shown below:

 $sql = "SELECT * FROM co_details where co_name='".$cname."'";

Hope it helps!

2 Comments

'.' is not needed in this query
Directly injecting php variables into your query in this case is not best practice.
0

You are using single quotes. Don't do it like that; change the query like this:

$sql = "SELECT * FROM co_details where co_name='$cname'";

1 Comment

Directly injecting php variables into your query in this case is not best practice.
