2

I have a database table which has two columns, business and tourist.

I ask a user to select one of them from a dropdown list, then use the result in a SELECT statement in MySQL. I assign this column to $cclass, then I make this statement SELECT $cclass FROM flights ....

But it always returns NULL. Why does it return NULL and how do I fix this?

My code:

$check = mysql_query("SELECT $cclass FROM flights WHERE flight_no = '$flightno'");

while ($result = mysql_fetch_assoc($check))
{
    $db_seats = $result['$cclass']; 
}
3
  • Can you show more code context, like, where $cclass is defined? Commented Dec 27, 2015 at 11:39
  • What would the final SQL statement look like if you were to echo it out to screen? Commented Dec 27, 2015 at 11:43
  • Be very careful and make sure you know that $cclass is an actual column name before doing this, otherwise you are at risk of SQL Injection. Commented Dec 27, 2015 at 12:55

3 Answers

3

You should replace this line:

$db_seats = $result['$cclass']; 

with this:

$db_seats = $result[$cclass]; 

A string between 2 single quotes isn't parsed: Strings


1 Comment

I wonder how I didn't notice this ... my error is fixed .. thanks .. +1 :)
1

Have you tried doing the following:

$check = mysql_query("SELECT ".$cclass." FROM flights WHERE flight_no = '$flightno'");


1

First of all, this code has a serious security issue, as it is vulnerable to SQL Injection. You should be using the MySQLi extension instead, and properly filtering your input.

Try something like this:

<?php

/* Create the connection. */
$mysql = new mysqli("localhost", "username", "password", "myDB");
if ($mysql->connect_error)
{
    error_log("Connection failed: " . $mysql->connect_error);
    die("Connection failed: " . $mysql->connect_error);
}

/* Sanitize user input. */
if (!in_array($cclass, array('business', 'tourist')))
{

    error_log("Invalid input: Must be 'business' or 'tourist'");
    die("Invalid input: Must be 'business' or 'tourist'");
}

$statement = $mysql->stmt_init();
$statement->prepare("SELECT $cclass FROM flights WHERE flight_no = ?");
$statement->bind_param("s", $flightno);
if (!$statement->execute())
{
    error_log("Query failed: " . $statement->error);
    die("Query failed: " . $statement->error);
}

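/* Buffer the result set; without this, num_rows stays 0 for a prepared statement. */
$statement->store_result();

if ($statement->num_rows < 1)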
{
    echo "No results found.";
}
else
{
    $statement->bind_result($seats);
    while ($statement->fetch())
    {
        echo "Result: $seats";

        // Continue to process the data... You can just use $seats.
    }
}

$mysql->close();

However, the reason your original example is failing is that you're quoting $cclass:

$db_seats = $result[$cclass]; 

However, please do not ignore the serious security risks noted above.
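
The point raised in the comments and in this answer, as an added example that is not part of the original answers: a column name cannot be bound as a query parameter, so it has to come from an allow-list, while the flight number is bound as data. It assumes PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite table with one constructed row in place of the MySQL database; SEAT_COLUMNS and seatsFor() are hypothetical names.

```php
<?php
// Added example. The table and column names follow the question; the row is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE flights (flight_no TEXT PRIMARY KEY, business INTEGER, tourist INTEGER)");
$pdo->exec("INSERT INTO flights VALUES ('XY100', 12, 140)");

// Allow-list: dropdown value => column identifier written by the developer.
const SEAT_COLUMNS = ['business' => 'business', 'tourist' => 'tourist'];

function seatsFor(PDO $pdo, mixed $cclass, string $flightno): ?int
{
    // Strict check: only an exact string key of the allow-list is accepted.
    // (in_array() without its third argument compares loosely.)
    if (!is_string($cclass) || !array_key_exists($cclass, SEAT_COLUMNS)) {
        throw new InvalidArgumentException("Invalid class: must be 'business' or 'tourist'");
    }
    $column = SEAT_COLUMNS[$cclass]; // taken from our own constant, not from the request

    // The identifier is interpolated, the value is bound.
    $stmt = $pdo->prepare("SELECT $column FROM flights WHERE flight_no = ?");
    $stmt->execute([$flightno]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (int) $value; // null when no such flight
}

// A placeholder cannot stand in for a column name: the bound value is treated
// as data, so this query yields the bound string rather than the column's contents.
$stmt = $pdo->prepare("SELECT ? FROM flights WHERE flight_no = ?");
$stmt->execute(['business', 'XY100']);
var_dump($stmt->fetchColumn());

var_dump(seatsFor($pdo, 'business', 'XY100')); // allow-listed column, existing flight
var_dump(seatsFor($pdo, 'tourist', 'NOPE'));   // allow-listed column, unknown flight

try {
    seatsFor($pdo, 'first', 'XY100');          // value that is not in the allow-list
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```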
