[RESOLVED] sql returning nil? but its not?

[POC0bob]

So, I am trying to run an SQL query to get all the columns with a certain value:

PHP Code:

$tmpid = $_GET["id"];
$mehallyw = intval($tmpid);
echo("The id of the alliance you are looking at is " . $mehallyw);
$myallyw = mysql_fetch_array(mysql_query("SELECT * FROM `alliances` WHERE 'id'= '$tmpid'"));
echo (mysql_error());
echo(" And the name of the alliance is " . $myallyw["Name"]); 


I tripple checked the table and stuff, and I have gotten data from other tables in the database so its not that.. I was hoping I may have made a typo or something? Thanks.

P.S. Yes, the id is being set in the URL bar.

[bradgrafelman]

I'm lazy, so I'll just directly quote myself from a different thread in this forum:

Here are a list of issues I see with the code snippet you posted (in no particular order):

1. Stop Using the MySQL Extension!
   
2. PHP Code:

   $memberid = $_GET['rid']; 

   What if $_GET['rid'] doesn't exist? The answer is your code will generate an E_NOTICE level error message and then continue on as if it really did receive the information it expected.
   
   Instead, consider using isset() to first check if this data exists and, if not, handling the problem gracefully.
   
3. User-supplied data should never be placed directly into a SQL query, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize the data such as by using a function like mysqli_real_escape_string() for string data (or casting for numeric data) or by using prepared statements.
   
4. You never check to see if the SQL query was successfully executed and, if not, outputting and/or logging the MySQL error message to aid in debugging. You should always verify this before you attempt to access the result set.

(In #2: pretend the "member" in "memberid" is actually "tmp", and drop the "r" from "rid".)

[POC0bob]

1. I know :c
2. i am already handling that, i know it does exist. And i print it out to double check
3. its not user supplied, an di use escape string on everything that is
4. and i do output the mysql error, unless im doing that wrong. I dunno really how to use it.

[Weedpacket]

Perhaps if you explained what the problem you're having actually is? Your subject line is useless. You should at least describe what you're supposed to get and what you are getting. You have to do this because we're not sitting in the same room as you are looking at the same computer.

And:

3. its not user supplied, an di use escape string on everything that is

It is user-supplied, and it's not escaped: you're making sure that $mehallyw is an integer, but that's irrelevant, because you're using $tmpid in the query.

[POC0bob]

The reason im using $tempid is i was seeing if the fact that i was changing it to a number was the problem. The problem is, that I am running query, which higher in the code is check to see if id exists, as it is used to determine which page is shown, and will only make it this far if it is a number, and is not nil. But when the query returns, it doesn't give me any errors, but it doesn't return anything in the table, i am using $myallyw["Name"] to get the name value, which is in the table its getting 'alliances' but the echo only shows 'And the name of the alliance is ' no name after it, however it does show '$mehallyw' (i know, im really creative with the variable names .-.) what it is supposed to, the number. And the WHERE is correct as far as i know, there is a column in the table where id does equal the number in '$mehallyw' so I am not sure that when i am using either print_r() or echo() its not printing anything.

[POC0bob]

Here is a larger snippet of the code, with a few changes.

PHP Code:

<?php 
$xw = mysql_query("SELECT * FROM `alliances` ORDER BY id");
$tmpid =  mysql_real_escape_string($_GET["id"]);
$mehallyw = intval($tmpid);
echo("The id of the alliance you are looking at is " . $mehallyw);
$myallyw = mysql_fetch_array(mysql_query("SELECT * FROM `alliances` WHERE 'id'= '$mehallyw'"));
echo (mysql_error());
echo(" And the name of the alliance is " . $myallyw["Name"]);
$xAw = mysql_num_rows($xw);
$xcw = mysql_query("SELECT * FROM `alliancemembers` WHERE 'id'='$mehallyw'");
$xAcw = mysql_num_rows($xcw);?>

    <div class="leftcolumn" style="width: 97%; height: auto; border-radius: 15px; background-color: #0000FF; padding: 15px; /* [disabled]background-image: url(../images/bg.png); */ background-repeat: inherit;">
    <?php    if($_GET['id'] == ""){ ?> <?php } ?>

      <td style="width: 11%; height: 120px; border-radius: 5px; background-color: #0094FF; color: white; float: left;">
      <center>
        <h3 class="whitetxt"><?php print_r($myallyw["Name"]); ?></h3>
      </center>
      <p><img src="/images/skins/<?php
if ($user['Skin'] == '' || $user['Skin'] == '0'){
print_r("Template.png");
}else{
print_r($je['Skin']);
}
?>" width="100" height="100" /></p>
      <h2 class="whitetxt">Overview: </h2>
      <p class="whitetxt">Owner: <?php print_r($myallyw["Owner"]); ?></p>
      <p class="whitetxt">Alliance rank: <?php print_r($myallyw["level"]); ?></p>
      <p class="whitetxt">Number of members: <?php print_r($xAcw); ?> </p>
      <p class="whitetxt"><span class="whitetxt">Description: </span>      </p>
      <p class="whitetxt">
        <label for="allydesc"></label>
        <textarea name="allydesc" cols="45" rows="5" readonly="readonly" id="allydesc" style=" width:450px; background-color:#91CDFF; height: 250px;"><?php print_r($myallyw["Desc"]); ?></textarea>
      </p>
      <p class="whitetxt">Requires approval to join: <?php if($myallyw["reqact"]==1){ echo('yes');}else{echo("no");}?>
      </p>

All the things like

PHP Code:

<p class="whitetxt">Owner: <?php print_r($myallyw["Owner"]); ?></p>

Again, it just prints the text in HTML paragraph, everything in the <?php ?> is blank..

[Weedpacket]

Well, for a start, print_r is not what you want. That's for debugging. You want either print or echo.

But more significantly, thanks to the quotes in your WHERE clause quotes, you're treating $tmpid (whatever it is) as a string and comparing it with the string 'id', not as an integer and not with the field id.

[POC0bob]

that worked! Thank you! Haha I guess I over looked that because I needed to use quotes a few times in the same code, and on a few other pages