Do you see my coding error?

[phppup]

I have a simple form that (for test purposes) has fields for first_name and last_name and then can submit.
I want to validate whether a given name is in the table.

 

//$query  = "SELECT * FROM w WHERE id>='90'  ";
//$query  = "SELECT * FROM w WHERE first_name='steve'  ";
$query  = "SELECT * FROM w WHERE first_name='$first_name'  ";

$result = mysqli_query($link, $query);    

if (mysqli_num_rows($result) == 0) {
echo "NO RECORDS<br />";  
}

if (mysqli_num_rows($result) > 0) {

while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {

echo "ID is ".$row['id']. " now<br /><br />";

}

}

I have a simple form that (for test purposes) has fields for first_name and last_name and then can submit.
I want to validate whether a given name is in the table.

Weird scenario:  When I $query by 'id' the four records in my table list.
When I query DIRECTLY by first_name='steve' I get the correct ECHO for his ID# 93
But when I query with $query  = "SELECT * FROM w WHERE first_name='$first_name'  ";
I get to one echo message for "ID is 21 now" and another for "ID is 77 now"
[Oddly, 21 + 77 = 93, which is Steve's ID]

Please help.

 

[ginerjm]

Why don't you echo the name from the record as well to help solve your dilemma?

[Barand]

19 minutes ago, phppup said:

Oddly, 21 + 77 = 93, which is Steve's ID]

What alternate universe are you in?

[dabaR]

1 hour ago, Barand said:

What alternate universe are you in?

Haha. Way to make sure you don't hurt his feelings

[dabaR]

Phppup, you don't want to let user-submitted form values make it into the database query "unescaped" like that. You're gonna leave the app open to SQL injection. Check out http://bobby-tables.com for more info.

[dabaR]

Also. Check out function var_dump. It makes debugging easier. Just var_dump the whole row.

I can't see what the error is specifically though.

[maxxd]

Print out records 21 & 77, as well as the value of $first_name. My gut's saying that you're not using the values you think you're using, either in the processing script or the database. Of course, without seeing your full code and data set, it's difficult to know for sure.

[gizmola]

Hopefully you already recognize that there is no mysterious math going on with your id's.

The answer most likely is that you have 2 rows with first name of 'steve'.  As suggested, you will gain insight by just doing a var_dump($row) inside your fetch loop until you are clear on what is happening.

As suggested, please use bind variables for your query rather than interpolating your string.  

 

Example:

$link = mysqli_connect(...);
$stmt = mysqli_prepare($link, 'SELECT id, * FROM w WHERE first_name=?');
mysqli_stmt_bind_param($stmt, 's', $first_name);

mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
    var_dump($row);
}

 

 

Trying this input should show you the dangers of string interpolation and the way they lead to sql injection exploits:

Quote

' OR 1=1 OR last_name='$first_name

 

[Psycho]

Where is $first_name defined? Do the two records being returned happen to have no first name? If so, it all makes sense to me.

[taquitosensei]

echo your query to make sure it's doing what it's supposed to. Psycho is probably right. Those two records problem don't have a first name and you're getting this. 

"select * from w WHERE first_name=''"; 

So you get those two rows. 

echo $query;