I am pretty new to PHP and MySQL and I just can't figure this one out. I have searched all around the forum but haven't found an answer I can make sense of. I originally was using mysql_fetch_assoc() but I could only search numbers and I received errors when searching for letters as well. I hope I am on the right track here. Thank you in advance for all your help!
$con = mysqli_connect($hostname,$username,$password) or die ("<script language='javascript'>alert('Unable to connect to database')</script>");
mysqli_select_db($con, $dbname);
if (isset($_GET['part'])){
$partid = $_GET['part'];
$sql = 'SELECT *
FROM $usertable
WHERE PartNumber = $partid';
$result = mysqli_query($con, $sql);
$row = mysqli_fetch_assoc($result);
$partnumber = $partid;
$nsn = $row["NSN"];
$description = $row["Description"];
$quantity = $row["Quantity"];
$condition = $row["Conditio"];
}
This happens when your result is not a result (but a "false" instead). You should change this line
$sql = 'SELECT * FROM $usertable WHERE PartNumber = $partid';
to this:
$sql = "SELECT * FROM $usertable WHERE PartNumber = $partid";
because the " can interprete $variables while ' cannot.
Works fine with integers (numbers), for strings you need to put the $variable in single quotes, like
$sql = "SELECT * FROM $usertable WHERE PartNumber = '$partid' ";
If you want / have to work with single quotes, then php CAN NOT interprete the variables, you will have to do it like this:
$sql = 'SELECT * FROM '.$usertable.' WHERE string_column = "'.$string.'" AND integer_column = '.$number.';
What happens in your code if $usertable is not a valid table or doesn't include a column PartNumber or part is not a number.
You must escape $partid and also read the document for mysql_fetch_assoc() because it can return a boolean
Mysqli makes use of object oriented programming. Try using this approach instead:
function dbCon() {
if($mysqli = new mysqli('$hostname','$username','$password','$databasename')) return $mysqli; else return false;
}
if(!dbCon())
exit("<script language='javascript'>alert('Unable to connect to database')</script>");
else $con=dbCon();
if (isset($_GET['part'])){
$partid = $_GET['part'];
$sql = "SELECT *
FROM $usertable
WHERE PartNumber = $partid";
$result=$con->query($sql_query);
$row = $result->fetch_assoc();
$partnumber = $partid;
$nsn = $row["NSN"];
$description = $row["Description"];
$quantity = $row["Quantity"];
$condition = $row["Conditio"];
}
Let me know if you have any questions, I could not test this code so you might need to tripple check it!
mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given
This means that the first parameter you passed is a boolean (true or false).
The first parameter is $result, and it is false because there is a syntax error in the query.
" ... WHERE PartNumber = $partid';"
You should never directly include a request variable in a SQL query, else the users are able to inject SQL in your queries. (See SQL injection.)
You should escape the variable:
" ... WHERE PartNumber = '" . mysqli_escape_string($conn,$partid) . "';"
Or better, use Prepared Statements.
You are single quoting your SQL statement which is making the variables text instead of variables.
$sql = "SELECT *
FROM $usertable
WHERE PartNumber = $partid";
Source: Stackoverflow.com