-1

I'm trying to find an alternative to my method of fetching all data in a function for a specific user where their session equals their username.

It was working fine until I moved hosting and now it throws errors. The following code is what I was using on my old hosting when it was working fine:

```php
$username = 'Benza';
$query = "SELECT id, username, password, email, ip, lastonline, rank, register_time FROM users_ WHERE username = '$username'";
$result = $con->query($query);
return $result->fetch_all();
```

It says: `Call to a member function fetch_all() on boolean`.

And when I try something like:

```php
$username = 'Admin';
$query = "SELECT id, username, password, email, ip, lastonline, rank, 
register_time FROM users_ WHERE username = '$username'";
$result = $con->query($query);
$data = mysqli_fetch_all($result,MYSQLI_ASSOC);
return $data;
```

I get `Warning: mysqli_fetch_all() expects parameter 1 to be mysqli_result, boolean given` and `Warning: Invalid argument supplied for foreach()`.

I'm calling my foreach functions as shown below (because the above code is in a function in the same class):

```php
$users = $this->grabUserInfos($con);
foreach ($users as $user) {
    $username = $user[1];
    $email = $user[3];
}
```
Benza
  • 1
    `$result = $con->query($query) or die($con->error);` What error do you see? – Pasha Aug 19 '17 at 15:19
  • 1
    That's because your query has failed. Fix that. – RiggsFolly Aug 19 '17 at 15:20
  • 1
    Also, your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 19 '17 at 15:22
  • Is this really the table name `users_`?? – RiggsFolly Aug 19 '17 at 15:23
  • @RiggsFolly yes, why? – Benza Aug 19 '17 at 15:24
  • Pasha, thanks man! It works now. – Benza Aug 19 '17 at 15:24
  • @RiggsFolly How could I go about doing this in a prepared statement using PDO then? – Benza Aug 19 '17 at 15:26
  • @RiggsFolly Would this be better practice? `$username = 'Admin'; $res = $con->query("SELECT * FROM users_ WHERE username = '$username'"); return $res;` – Benza Aug 19 '17 at 15:32
  • @Benza No, no variables in query. `$res = $con->prepare("SELECT * FROM users_ WHERE username = ?");` then bind `$username` and execute. More reading http://php.net/manual/en/mysqli.quickstart.prepared-statements.php ...or you are using PDO?? – chris85 Aug 19 '17 at 15:34
  • @chris85 Great, except OP is using PDO – RiggsFolly Aug 19 '17 at 15:38
  • @RiggsFolly Perhaps not `$data = mysqli_fetch_all($result,MYSQLI_ASSOC);` (Although since they asked about PDO it is strange) – chris85 Aug 19 '17 at 15:39
  • 1
    @chris85 :) My fault for taking the OP's comment as gospel :) :) I should have applied the Dr House rule 1 – RiggsFolly Aug 19 '17 at 15:42
  • @RiggsFolly So is this safe: https://jsfiddle.net/L6ntbtcn/ ? – Benza Aug 19 '17 at 15:59
  • Yes, that's better – RiggsFolly Aug 19 '17 at 16:02

1 Answer

0

The problem seems to be that the part where the query is executed does not work anymore:

```php
$result = $con->query($query);
```

The fact that you have a boolean in `$result` means that something went wrong with the query function. Because of that, the `fetch_all()` and the `mysqli_fetch_all()` functions cannot work correctly.

You should take a look at that part and find out why the query fails.

Erik
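
The parameterised lookup recommended in the comments, written with PDO as the asker requested, with errors raised as exceptions so a failed query is reported where it happens instead of as a fetch on a boolean. This is an added example, not code from the question or its answers. It assumes PHP with the `pdo_sqlite` extension and uses an in-memory SQLite database with constructed rows so it runs without a server (for MySQL only the DSN changes); passing the username as an argument and the misspelled table `userz_` are illustrative choices.

```php
<?php
declare(strict_types=1);

// Look up one user by name. The value is sent as a bound parameter and never
// becomes part of the SQL text, so quotes inside it cannot alter the statement.
function grabUserInfos(PDO $con, string $username): array
{
    $stmt = $con->prepare('SELECT id, username, email FROM users_ WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database standing in for the real users_ table.
function demoConnection(): PDO
{
    $con = new PDO('sqlite::memory:');
    // Throw PDOException on failure instead of returning false.
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $con->exec('CREATE TABLE users_ (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $ins = $con->prepare('INSERT INTO users_ (username, email) VALUES (?, ?)');
    foreach ([['Admin', 'admin@example.test'], ['Benza', 'benza@example.test']] as $row) {
        $ins->execute($row);
    }
    return $con;
}

$con = demoConnection();

// Normal lookup: rows come back as associative arrays, so columns are read
// by name rather than by numeric position.
foreach (grabUserInfos($con, 'Admin') as $user) {
    echo $user['username'], ' <', $user['email'], ">\n";
}

// Constructed injection-shaped input: it is compared as a literal username.
$rows = grabUserInfos($con, "x' OR '1'='1");
echo 'Rows for injection-shaped input: ', count($rows), "\n";

// A query that cannot run (hypothetical misspelled table name) raises an
// exception carrying the driver's message.
try {
    $con->query('SELECT id FROM userz_');
} catch (PDOException $e) {
    echo 'Query failed: ', $e->getMessage(), "\n";
}
```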