-1

I've got a problem with the data I get from my query. It doesn't matter how many records match the SELECT I use, it always returns a value of 0.

<html>
<body>
<link rel="stylesheet" href="mystyle.css">
<meta charset="utf-8"> 
<head>
  <title>Lottery</title>
</head>
<?php
if(isset($_POST['submit'])){
$value = $_POST['Value'];  
echo "Chosen value : " .$value;  
}

?>


<div class="results">
<p>Counter: <? echo "".$value ?></p>
<p>Place: <? echo "".$value ?>: </p>
<p>Best match<? echo "".$value ?> :</p>
</div>



        <?
    $servername = "localhost";
    $username = "lottery_root";
    $password = "xyz";
    $database = "lottery";
    $conn = mysqli_connect($servername, $username, $password, $database) or die(mysqli_error($conn));



    $result = mysqli_query($conn, "Select count(*) from lottery where first='$_POST[value]' or      second='$_POST[value]'; ");
    if (!$result) echo mysqli_error($conn);

    $row = mysqli_fetch_row($result);
    print_r($row);
    ?>
    </body>
    </html>

This is what I get each time: "Array ( [0] => 0 )". If I use a different SELECT, for example `SELECT * FROM lottery;`, it prints one column.

Zealot
  • I guess `$_POST[value]` should be `$_POST[$value]` – Kamehameha Dec 03 '14 at 09:28
  • Is the name of the input field `value` or `Value`? It's case-sensitive. – Barmar Dec 03 '14 at 09:28
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Dec 03 '14 at 09:28
  • @Kamehameha `$value = $_POST['Value']`. I don't think he wants to use the value of the input as the name of the input. – Barmar Dec 03 '14 at 09:29
  • @Barmar yep, you are right. Didn't read the part where he actually defined it. – Kamehameha Dec 03 '14 at 09:31
  • While assigning the variable `$value` you have used `$_POST['Value']`, whereas in the query you use `$_POST[value]`. How about using the variable in the query? – Aditya Dec 03 '14 at 09:32

3 Answers

0

$_POST['Value'] is different than $_POST['value']

It's case-sensitive; you have to use the exact name of the input field, as you have it named in the form.

Legionar
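
As an added example (not part of the original thread), here is one way to handle both points raised above: read the field under the exact key the form sends, assumed here to be `Value` as in the question's first `$_POST` read, and pass it to MySQL as a bound parameter, which addresses the SQL injection comment. `count_matches()` is a hypothetical helper name; the table, columns and connection values are the ones shown in the question.

```php
<?php
// Added example, not code from the thread. Table `lottery` and columns
// `first`/`second` come from the question; count_matches() is hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function count_matches(mysqli $conn, array $post): ?int
{
    // Array keys are case-sensitive. The question's code reads 'Value',
    // so the query has to use that same key (assumed to be the form's name).
    if (!isset($post['Value']) || !is_string($post['Value']) || $post['Value'] === '') {
        return null; // field missing: do not query with an empty string
    }
    $value = $post['Value'];

    // Placeholders keep the submitted text out of the SQL statement itself,
    // so quotes in the input cannot change the query's structure.
    $stmt = $conn->prepare(
        'SELECT COUNT(*) FROM lottery WHERE first = ? OR second = ?'
    );
    $stmt->bind_param('ss', $value, $value);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    return (int) $count;
}

// Connection values as given in the question.
$conn = new mysqli('localhost', 'lottery_root', 'xyz', 'lottery');
$conn->set_charset('utf8mb4');

$count = count_matches($conn, $_POST);
if ($count === null) {
    echo 'No value submitted.';
} else {
    // Escape on output too: the value is written back into an HTML page.
    printf(
        'Chosen value: %s, matches: %d',
        htmlspecialchars($_POST['Value'], ENT_QUOTES, 'UTF-8'),
        $count
    );
}
```

Returning `null` for a missing field keeps "no input" distinguishable from a real count of 0, which is the confusion in the question's output.
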
0

Use a simple debug approach: just try to print your query and see if you are getting the correct values for $_POST[value]:

echo "Select count(*) from lottery where first='$_POST[value]' or second='$_POST[value]'; ";
-1

I would say you haven't escaped your characters properly. The following line should be changed:

$result = mysqli_query($conn, "Select count(*) from lottery where first='$_POST[value]' or      second='$_POST[value]'; ");

It should be:

$result = mysqli_query($conn, "Select count(*) from lottery where first='".$_POST['value']."' or      second='$_POST[value]'; ");

Escaping is done by ending the quotes, either double or single, and putting a dot for concatenation in the string. To continue with the statement, a dot is again needed for concatenation, followed by opening the quotes again.

In the first statement you actually query with the text "$_POST[value]"; in the second statement you retrieve the value of the variable "$_POST['value']".

Also, do watch out for case sensitivity in your POST. You use "Value" once and "value" the other time; one of the two is not correct.

Gijs Kuijer