0
```php
session_start();

$CompanyName = $_POST['CompanyName'];
$result = mysqli_query ("select CustomerID from CompanyInfo where CompanyName = '.$CompanyName.'");
$row = mysql_fetch_row($result);
$_SESSION["CustomerID"] = $row[0];
```

I have a feeling there is something wrong in my quoting; however, I cannot figure it out.

Thank you.

René Höhle
Brian Curless
  • 1
    Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **Avoid** using string interpolation to accomplish this. **Never** put `$_POST` data directly in a query. – tadman Mar 03 '14 at 21:14
  • 2
    Yes, it's wrong, and you're vulnerable to [sql injection attacks](http://bobby-tables.com). The real solution to your problem is to fundamentally change how you're writing queries. You are also mixing mysqli (note the **i**) and mysql (no **i**) calls, which is also not possible. In other words, your code is utterly broken. – Marc B Mar 03 '14 at 21:14
  • You are already using `mysqli`. Good! (Well, partially, as Marc B noticed) Take it one step further and use parameter binding. Random StackOverflow example here: http://stackoverflow.com/questions/15748254/how-to-run-the-bind-param-statement-in-php – GolezTrol Mar 03 '14 at 21:15
  • Did you mean to use `mysqli_fetch_row` instead of `mysql_fetch_row` in line 5 (notice the i)? – chrki Mar 03 '14 at 21:16

4 Answers

1

Looks like, besides your quoting being all messed up, the code is broken.

Try this:

```php
$result = mysqli_query ($link, "select CustomerID from CompanyInfo where CompanyName = '$CompanyName'");
$row = mysqli_fetch_row($result);
```

`mysqli_query()` expects at least 2 parameters. `$link`, being your connection string, I'm sure is called somewhere in the code. If it's not, that is probably Problem #1.

That should give you output from:

```php
echo "row: " .$row[0];
```

Which you can pass to a session.

```php
$_SESSION["CustomerID"] = $row[0];
```
Anthony Fornito
0
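```php
$CompanyName = $_POST['CompanyName'];
// $link is the open mysqli connection; mysqli_query() needs it as its first argument
$result = mysqli_query ($link, "select CustomerID from CompanyInfo where CompanyName ='" .$CompanyName."'");
$row = mysqli_fetch_row($result);
$_SESSION['CustomerID'] = $row[0];
```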
0

Yes there is.

```php
// $link is the open mysqli connection; mysqli_query() needs it as its first argument
$result = mysqli_query ($link, "select CustomerID from CompanyInfo where CompanyName = '".$CompanyName."'");
```

Notice the extra quotations to concatenate the string, or you could've forgone the dots and just done

```php
$result = mysqli_query ($link, "select CustomerID from CompanyInfo where CompanyName = '$CompanyName'");
```

You should also use mysqli_real_escape_string to prevent SQL injections, or use PDO. The comments to your question will give you plenty of resources but I'm simply answering within the scope of your question.

sjagr
-1

Try this:

```php
mysqli_query ("select CustomerID from CompanyInfo where CompanyName = '".$CompanyName."');
```

Need to close the double quotes.

oxtub
  • You forgot double quotes at the end after the single quotation. This is an open string and will fail on parsing. – sjagr Mar 03 '14 at 21:15
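
The parameterized query that the comments on the question recommend, written in the procedural `mysqli` style the thread uses. This is an added example, not code from any of the posts; the connection credentials are placeholders, and treating `CustomerID` as an integer is an assumption.

```php
<?php
// Added example, not code from the thread. Credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up the CustomerID for a company name with a prepared statement.
 * Returns null when no row matches. Assumes CustomerID is an integer column.
 */
function find_customer_id(mysqli $link, string $companyName): ?int
{
    // The ? placeholder keeps user input out of the SQL text entirely,
    // so no quoting or escaping of $companyName is needed.
    $stmt = mysqli_prepare(
        $link,
        'SELECT CustomerID FROM CompanyInfo WHERE CompanyName = ?'
    );
    mysqli_stmt_bind_param($stmt, 's', $companyName); // 's' = bind as string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $customerId);
    $found = mysqli_stmt_fetch($stmt); // true = row fetched, null = no rows
    mysqli_stmt_close($stmt);

    return $found === true ? (int) $customerId : null;
}

session_start();

// Reject a missing or non-string field (CompanyName[]=x arrives as an array).
$companyName = $_POST['CompanyName'] ?? null;
if (!is_string($companyName) || $companyName === '') {
    http_response_code(400);
    exit('CompanyName is required');
}

// Placeholder connection details: replace with your own.
$link = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');

$customerId = find_customer_id($link, $companyName);
if ($customerId === null) {
    http_response_code(404);
    exit('Unknown company');
}
$_SESSION['CustomerID'] = $customerId;
```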