
I need an extra pair of eyes! I have a super-simple query:

$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = 'the-test-post' LIMIT 1");
$row = $result->fetch_array();

and this gives me the post_id. However, if I insert a variable for post_uri, the result is empty. Ways I tried, none of which worked:

$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = '".$post_uri."' LIMIT 1");


$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = ".$post_uri." LIMIT 1");


$result = $mysqli->query("SELECT post_id FROM blog_posts WHERE post_uri = $post_uri LIMIT 1");

I have a similar query on another page working just right, so that confuses me even more. Help appreciated.

3 Answers

You are slapping a variable directly into a query. This is error prone (as you are discovering) and has a high risk that you'll fail to sufficiently sanitise it (and thus cause an SQL injection vulnerability).

Use the PDO layer and bound variables.


1 Comment

Turned out the error was caused by my syntax omission in the INSERT query preceding the one I asked about here, and this omission wouldn't even have a chance of happening when the approach suggested here is used. Plus it's more secure. Thanks again, really!
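The bound-variable approach this answer recommends, written out as an added example (not code from the question or from any answer here); the connection credentials and the sample post_uri value are assumed placeholders:

```php
<?php
// Added example: the same lookup with bound parameters, first via PDO, then via
// mysqli prepared statements. Credentials and the sample $post_uri are placeholders.
declare(strict_types=1);

function findPostIdPdo(PDO $pdo, string $postUri): ?int
{
    // The SQL text only ever contains the placeholder; the value is sent separately.
    $stmt = $pdo->prepare(
        'SELECT post_id FROM blog_posts WHERE post_uri = :post_uri LIMIT 1'
    );
    $stmt->bindValue(':post_uri', $postUri, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['post_id'];
}

function findPostIdMysqli(mysqli $db, string $postUri): ?int
{
    $stmt = $db->prepare(
        'SELECT post_id FROM blog_posts WHERE post_uri = ? LIMIT 1'
    );
    $stmt->bind_param('s', $postUri);   // 's' = string parameter
    $stmt->execute();
    $stmt->bind_result($postId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $postId : null;
}

// ERRMODE_EXCEPTION: a failing query throws instead of silently returning false,
// which is what made the question's empty result so hard to diagnose.
// EMULATE_PREPARES off: the server itself separates SQL from data.
$pdo = new PDO('mysql:host=localhost;dbname=my_db;charset=utf8mb4', 'my_user', 'my_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // same idea for mysqli
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'my_db');

// Constructed sample input containing a quote: concatenated into the query it
// would break the SQL; as a bound value it is just data and matches (or not) as-is.
$post_uri = "o'brien-post";
var_dump(findPostIdPdo($pdo, $post_uri));
var_dump(findPostIdMysqli($mysqli, $post_uri));
```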

If you put that query in a string and echo it, you can check what happens. There might be something wrong with that variable!

echo "SELECT post_id FROM blog_posts WHERE post_uri = '".$post_uri."' LIMIT 1";

And so on. I'll bet there's either nothing, or something you're not expecting in that $post_uri, because it shouldn't matter to mysql how you've built your query.

1 Comment

Thanks for this neat trick, it showed me that the query is perfectly fine and I'm obviously messing things up somewhere else.

I had a similar problem. Your syntax looks fine. Try to use a simple version of the db connection call. Below, the version that worked (above) is compared to the one that failed (below).

$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'my_db');   // worked

$mysqli = mysqli_init();                                                  // real_connect() needs an object from mysqli_init()
$mysqli->real_connect('localhost', 'my_user', 'my_password', 'my_db');    // failed

I had used a variable in my query and had a $mysqli->real_connect db connection. That would not work. But when I switched to the new mysqli type I was surprised that the variable query did work.

I hope that works out for you.

2 Comments

$con->options(MYSQLI_INIT_COMMAND, 'SET AUTOCOMMIT = 0') is likely your issue. The code example in PHP's documentation shows that and many people copy it without realizing the implications.
'tis getting a little dim by now, but what you say is ringing bells. I am in fact quite certain my code relating to real_connect did come straight from the man[UAL]. And yes, it included the MYSQLI_INIT_COMMAND. The db stuff is rather touchy and trying :)
