
Another MYSQL to MYSQLI issue

I'm following a tutorial that uses MYSQL but I have everything set up using MYSQLI, object-oriented. I don't know how to make the code work.

The code is this. Half is object-oriented and the rest I can't figure out how to change

$connection = dbConnect(); //connects to DB

//$post_id value comes from the POSTS table
$post_id = $_GET['post'];

// prepare the SQL query
$sql = "SELECT * FROM comments WHERE post_id='$post_id' ORDER BY com_id DESC LIMIT 9";

$result = $connection->query($sql) or die(mysqli_error($connection));

$timeline='';

while ($row = $result->fetch_assoc()) {	

	$timeline.=formatTweet($row['com_dis'],$row['date']);
}

// fetch the latest tweet
$lastTweet = '';

list($lastTweet) = mysqli_fetch_array(mysqli_query("SELECT com_dis FROM comments ORDER BY com_id DESC LIMIT 1"));

if(!$lastTweet) $lastTweet = "You don't have any tweets yet!";

 

 

I get errors on this line

list($lastTweet) = mysqli_fetch_array(mysqli_query("SELECT com_dis FROM comments ORDER BY com_id DESC LIMIT 1"));

Warning: mysqli_query() expects at least 2 parameters, 1 given...

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in...

I tried a bunch of variations but get parse errors. Can someone please help?

 

Link to comment
Share on other sites

$connection = dbConnect(); //connects to DB <-- I'm assuming it returns MySQLi object

//$post_id value comes from the POSTS table
$post_id = (int)$_GET['post'];   // actually seems like coming from GET table
//notice I'm casting it to int (integer) as a way of protection against SQL injection


// prepare the SQL query
$sql = "SELECT * FROM comments WHERE post_id=$post_id ORDER BY com_id DESC LIMIT 9";

$result = $connection->query($sql) or die($connection->error);

$timeline='';

while ($row = $result->fetch_assoc()) {
  $timeline.=formatTweet($row['com_dis'],$row['date']);
}

// fetch the latest tweet
$sql= "SELECT com_dis FROM comments ORDER BY com_id DESC LIMIT 1";
$result = $connection->query($sql) or die($connection->error);

if($row = $result->fetch_assoc()) {
  $lastTweet = $row['com_dis'];
} else {
  $lastTweet = "You don't have any tweets yet!";
}

Link to comment
Share on other sites
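The same two queries written with a validated id and a prepared statement, as an added example that is not part of the original thread. It assumes the `comments` columns used above (`post_id`, `com_id`, `com_dis`, `date`) and that `dbConnect()` returns a `mysqli` object; `readPostId()`, `fetchComments()` and `fetchLatestComment()` are hypothetical helper names. Unlike a bare `(int)` cast, which turns `abc` into 0 and `12abc` into 12, the validation step rejects such input outright.

```php
<?php
// Added example, not the thread's code. Table and column names are taken
// from the thread; the helper names are hypothetical.

// Make mysqli throw exceptions, so database errors go to the error handler
// or log rather than being echoed to the visitor with die($connection->error).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns the post id as a positive integer, or null if the value is
// missing or is not a clean integer.
function readPostId(array $query): ?int
{
    $id = filter_var($query['post'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Latest 9 comments for one post; the id is bound, never concatenated.
function fetchComments(mysqli $db, int $postId): array
{
    $stmt = $db->prepare(
        'SELECT com_dis, `date` FROM comments
         WHERE post_id = ? ORDER BY com_id DESC LIMIT 9'
    );
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    $stmt->bind_result($text, $date);   // works with or without mysqlnd
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['com_dis' => $text, 'date' => $date];
    }
    $stmt->close();
    return $rows;
}

// Most recent comment text, or null when the table is empty.
function fetchLatestComment(mysqli $db): ?string
{
    $result = $db->query('SELECT com_dis FROM comments ORDER BY com_id DESC LIMIT 1');
    $row = $result->fetch_row();
    return $row ? $row[0] : null;
}

// Usage with the thread's own functions (dbConnect, formatTweet):
//   $postId = readPostId($_GET);
//   if ($postId === null) { http_response_code(400); exit('Invalid post id'); }
//   foreach (fetchComments(dbConnect(), $postId) as $row) { ... formatTweet(...) ... }
```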

Yup I use real_escape_string() everywhere too but I'm sure parts of my script are still vulnerable to attacks. I'm planning to learn in-depth about sql prevention once everything is functional. :) 
