Here are my failed attempts to include a PHP variable in a MySQL expression. Replacing the variable with a 1 results in the results being printed. Any help will be appreciated.
$query = "
    SELECT name FROM teams
    WHERE id = '$shooterID'";
$shooters = mysql_query($query)
    or die(mysql_error());
$i = 0;
while($shooter = mysql_fetch_array( $shooters )) {
    echo $shooter[$i];
    $i++;
}

$shooters = mysql_query("
    SELECT name FROM teams
    WHERE id = '$shooterID'")
    or die(mysql_error());
$i = 0;
while($shooter = mysql_fetch_array( $shooters )) {
    echo $shooter[$i];
    $i++;
}
Thanks
Attempting to utilize the methods here has not fully solved the problem (though thanks again). Here are my revised efforts along with further context (I don’t need to sanitize the data as it is coming directly from another query).
$shooters = mysql_query("
    SELECT * FROM events JOIN teams
    on events.shooter = teams.id
    ") or die(mysql_error());
$i = 0;
while($results = mysql_fetch_array( $shooters )) {
    $shooterIDs[$i] = $results[0];
    $i++;
}
//var_dump($shooterIDs); == array(1) { [0]=> string(1) "1" }
$query = "
    SELECT name FROM teams
    WHERE id = '".$shooterID[0]."'";
$shooters = mysql_query($query)
    or die(mysql_error());
while($shooter = mysql_fetch_array( $shooters )) {
    echo $shooter[0];
}
Turns out my last attempt was missing an ‘s’ in the variable name $shooterIDs[0]. Stupid error. There were probably others as well that have been already solved with all of your help. Thanks!
The query is not your problem, the output is:
This is wrong:
This is correct:
Also
Just make sure you are properly sanitizing your input if you want to include the variable like that. For instance:
That forces the number to either be a 0 if it is not a number or a 1 if they pass in shooter_id[]=somthing, but it can never be a SQL injection string.
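The integer cast described in the answer above, combined with a bound parameter and a per-row read of the single `name` column, as an added example that is not part of the original question or answer. It uses PDO because the `mysql_*` functions were removed in PHP 7; the in-memory SQLite table, its rows, the helper names `toShooterId` and `teamNames`, and the sample inputs are constructed for illustration and assume the `pdo_sqlite` extension is available.

```php
<?php
// Constructed stand-in for the page's `teams` table (in-memory SQLite, sample rows).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO teams (id, name) VALUES (1, 'Red'), (2, 'Blue')");

/**
 * Hypothetical helper: the integer cast the answer describes.
 * Non-numeric strings become 0, a non-empty array (shooter_id[]=...) becomes 1.
 */
function toShooterId($raw): int
{
    return (int) $raw;
}

/**
 * Hypothetical helper: look up team names by id with a bound parameter,
 * so the value is never spliced into the SQL text.
 */
function teamNames(PDO $pdo, $rawId): array
{
    $stmt = $pdo->prepare('SELECT name FROM teams WHERE id = :id');
    $stmt->bindValue(':id', toShooterId($rawId), PDO::PARAM_INT);
    $stmt->execute();

    $names = [];
    // Every row has exactly one column; read it by name on each row
    // instead of advancing a column index from row to row.
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $names[] = $row['name'];
    }
    return $names;
}

// Constructed inputs, shaped like values that could arrive in $_GET['shooter_id'].
$samples = ['1', '2', 'abc', "1' OR '1'='1", ['something']];
foreach ($samples as $raw) {
    printf(
        "%-22s -> id %d -> %s\n",
        json_encode($raw),
        toShooterId($raw),
        json_encode(teamNames($pdo, $raw))
    );
}
```

The bound parameter applies equally to ids read back from an earlier query, since the statement text stays fixed whatever the value contains.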