PHP MySQL query

Question

What is wrong in this code?

$sql = "SELECT * FROM blogs WHERE blog_id = $'blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

echo $content;

The error is : Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\Program Files\xampp\htdocs\jordan_pagaduan\blog_delete_edit.php on line 3.

Answer 1

You should be using:

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";

Since it is never too early to start reading about best practices, note that for public websites it is really dangerous to include any un-sanitized input into an SQL query, as you appear to be doing. You may want to read further on this topic from the following Stack Overflow posts:

• XKCD sql injection - please explain (with pictures!)
• What is SQL injection?
• Is SQL injection a risk today?
• SQL Injection Topics on Stack Overflow

Answer 2

The first line should read:

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";

(move the $ to inside the single quotes)

Answer 3

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

Answer 4

You need to put the $ symbol in your quotes. Instead of this:

$sql = "SELECT * FROM blogs WHERE blog_id = $'blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

echo $content;

Write this:

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

echo $content;