Problems with a simple recordset

[selliottsxm]

Hi,

 

I'm very new to php and to mysql and I was hoping someone would be kind enough to give me a hand.  I'm trying to write a query that returns only one record set. 

I'll paste what I have below and the error.  I'm sure that I am doing something wrong that is right in front of my face but for the life of me I can't figure it out.

 

The relevant part of the code is:

 

require_once ('../mysqli_connect.php');
$movie_id = $_GET['movie_id'];
$q = "SELECT * FROM movies WHERE movie_id = $movie_id";
$r = mysqli_query($dbc, $q);


echo
'<table cols="2" width="1100px" align="center">
<tr>
<td align="left" width="240px"><img src="img/boxcovers/small/movie_' . $r['movie_id'] .'_small.jpg"></td>
<td></td>
</tr>

 

The error I'm getting is:

 

PHP Fatal error:  Cannot use object of type mysqli_result as array

 

Help!

[selliottsxm]

Got it :

 

require_once ('../mysqli_connect.php');
$movie_id = $_GET['movie_id'];
$q = mysqli_query($dbc,"SELECT * FROM movies WHERE movie_id = $movie_id");
$r = mysqli_fetch_array($q);
 

[Ch0cu3r]

You have left yourself wide open for SQL injection attacks. 

 

You should never trust any user input. Before using any input in your query you should at least validate and sanitize it

require_once ('../mysqli_connect.php');

// make sure movie_id request param exist and that is a number 
if(isset($_GET['movie_id']) && ctype_digit($_GET['movie_id']))    // validate
{
    // cast the value of move_id to a integer
    $movie_id = intval($_GET['movie_id']);                        // sanitize

    $q = mysqli_query($dbc,"SELECT * FROM movies WHERE movie_id = $movie_id");
    $r = mysqli_fetch_array($q);
}

Or a better alternative would be to use prepared statements

[selliottsxm]

Thanks very much for the advice.  I really appreciate it!

[Ch0cu3r]

As a tip you may want to also look at the inbuilt filter library for sanitizing/validating user input