Pull info from MySQL database

Question

redgem 0 Newbie Poster

15 Years Ago

I have a database that I want query and pull an users specific details into a "$profile" variable.

the url would be:

"www.website.com/profile.php?id=12345"

Thus, I use the $_REQUEST["id"] to put the id number into a variable and then I query the database using this id number.

The code is below:

<?php
/*OPEN THE DATABASE*/ 
$con = mysql_connect("localhost","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
/*PULL INFO FROM URL FOR GENERATION OF PUBLIC PROFILE*/
$idnum=$_REQUEST["id"];
/*PULL INFO FROM THE DATABASE*/
[B]$pullprofile="SELECT * FROM 'accounts' WHERE (idnum = '$idnum')";
if(mysql_query($pullprofile,$con))
{
$profile[]=mysql_fetch_array($pullprofile,$con);
echo "Success loading profile!";
echo "Your id number is ".$profile['idnum'];
}
else
{
echo "Profile does not exist...";
}
[/B]
/*CLOSE THE DATABASE*/ 

mysql_close($con); 

?>

For some reason the code keeps on returning the "Profile does not exist..." results, even though I know the profile does exist...

I'm new to PHP/SQL, so what am I doing wrong...?

mysql php

4 Contributors
3 Replies
156 Views
11 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by jrdark13

diafol

15 Years Ago

I have a database that I want query and pull an users specific details into a "$profile" variable.
the url would be:
"www.website.com/profile.php?id=12345"
Thus, I use the $_REQUEST["id"] to put the id number into a variable and then I query the database using this id number.
The code is below:
<?php
/*OPEN THE DATABASE*/ 
$con = mysql_connect("localhost","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
/*PULL INFO FROM URL FOR GENERATION OF PUBLIC PROFILE*/
$idnum=$_REQUEST["id"];
/*PULL INFO FROM THE DATABASE*/
[B]$pullprofile="SELECT * FROM 'accounts' WHERE (idnum = '$idnum')";
if(mysql_query($pullprofile,$con))
{
$profile[]=mysql_fetch_array($pullprofile,$con);
echo "Success loading profile!";
echo "Your id number is ".$profile['idnum'];
}
else
{
echo "Profile does not exist...";
}
[/B]
/*CLOSE THE DATABASE*/ 

mysql_close($con); 

?>
For some reason the code keeps on returning the "Profile does not exist..." results, even though I know the profile does exist...
I'm new to PHP/SQL, so what am I doing wrong...?

[OPTIONAL]
1. Using a raw id like this may be a bit dangerous. You should md5 it with a 'salt' or something, to protect your data access.
2. Try to avoid $_REQUEST whenever possible. Use $_GET for url parameters and $_POST for form data (general rule of thumb).
3. You need to clean and validate the incoming data (see posts elsewhere).
[/OPTIONAL]

4. Pass the cleaned variable to the query:

$pullprofile="SELECT * FROM accounts WHERE idnum = '{$idnum}'";

Notice the change in syntax.

5. Run query and check for results:

$result = mysql_query($pullprofile,$con));
if(mysql_num_rows($result)>0){
  $profile = mysql_fetch_array($result);
  echo "Success loading profile";
  echo "Your id number is " . $profile['idnum'];
}else{
  echo "Profile does not exist...";
}

This should work. If this does not, check to see that the $_GET id really is in the DB.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Aamit -7 Posting Whiz · Answer 1 · 2009-01-22T18:48:28+00:00

Aamit -7 Posting Whiz

15 Years Ago

$idnum=$_GET['id'];

Use this..

jrdark13 0 Light Poster · Answer 2 · 2009-01-22T22:49:40+00:00

I'm not entirely sure but wouldn't if(mysql_query($pullprofile,$con)) return true only if the query was accepted not if there was a row result?. That means that your query is generating an error probably due to the fact that you are requesting literally $idnum, use {$idnum} to make sure it goes through not as static but a variable. But that will still only tell you that the code went through, I think.

I would rather use something like this:

$pullprofile = "SELECT * FROM accounts WHERE idnum = '".$idnum."'";//I like escaping
$query = mysql_query($pullprofile,$con);

if(mysql_num_rows($query) > 0)
{
	$profile[]=mysql_fetch_array($query);
	echo "Success loading profile!";
	echo "Your id number is ".$profile['idnum'];
}
else
{
	echo "Profile does not exist...";
}