I'm creating a page to view one's profile (all the information about him that is stored in the DB - except some which I didn't select).

I have this code:

```php
<?php
if ($_SESSION['id']) {
    echo '<h2>Hello, '.$_SESSION['usr'].'!<br>You are registered and logged in!</h2>';
    $result = mysql_query("SELECT id,usr,pass,email,dt,priv FROM tz_members WHERE usr = $)SESSION['usr']");
    echo "<table border='0'>
    <tr>
    <th style='width: 15px'>ID</th>
    <th style='width: 300px'>Username</th>
    <th style='width: 100px'>Privileges</th>
    <th style='width: 200px'>Join Date</th>
    </tr>";

    while ($row = mysql_fetch_array($result)) {
        echo "<tr>";
        echo "<td>" . $row['id'] . "</td>";
        echo "<td>" . $row['usr'] . "</td>";
        echo "<td>" . $row['priv'] . "</td>";
        echo "<td>" . $row['dt'] . "</td>";
        echo "</tr>";
    }
    echo "</table>";
} else {
    echo '<div class="roundbox"><h2>Please, <a href="login.html">login</a> and come back later!</h2></div>';
}
?>
```

It seems to generate an error:

```
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/u594115708/public_html/viewprofile.html on line 66
```

To be more precise, the 'line 66' it talks about is this one:

```php
while($row = mysql_fetch_array($result))
```

Could you tell me what I am doing wrong?

Cristian D
  • `$)SESSION` = `$_SESSION` ? – Daniel W. Jan 21 '14 at 20:44
  • First of all, you're using the disastrously old `mysql_query` and aren't [properly escaping things](http://bobby-tables.com/php). Secondly you've got a spurious `)` in your query near `$)SESSION`. Your query has failed, you've been given an error instead of a result row, and you're ignoring it. – tadman Jan 21 '14 at 20:45
  • @Tadman, may I ask, what should I use instead of mysql_query ? – Cristian D Jan 21 '14 at 20:46
  • actually, it should be {$_SESSION['usr']} instead of $)SESSION['usr'] – Ben Jan 21 '14 at 20:55
  • The recommendation in the [PHP The Right Way](http://phptherightway.com/) guide is to [learn PDO](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and use that instead, if not something like [Propel](http://propelorm.org/). PDO makes it a lot easier to escape your data properly and is supported in future versions of PHP. Propel will make it easier to focus on writing business logic instead of getting mired in SQL. – tadman Jan 22 '14 at 15:30

1 Answer

```php
$result = mysql_query("SELECT id,usr,pass,email,dt,priv FROM tz_members WHERE usr = $)SESSION['usr']");
```
  1. should be $_SESSION I guess

  2. you can't put array variables into a string like that

To avoid such syntax errors, use more than 1 line and concat variables properly, and put strings in quotes (usr = string string string won't work, you need usr = 'string string string'):

```php
$result = mysql_query("
    SELECT
      id,usr,pass,email,dt,priv
    FROM
      tz_members
    WHERE
      usr = '" . $_SESSION['usr'] . "'
");
```
Daniel W.
  • Ah, got it, got to '" then add $_SESSION, thank you, the problem has been solved. May I ask, however, what should I use instead of mysql_query ? – Cristian D Jan 21 '14 at 20:48
  • The code formatting on SO is fortunately good enough to let you see single and double quotes next to each other, you got the point :) – Daniel W. Jan 21 '14 at 20:49
  • you should use PDO or at least mysqli_query (instead of mysql_query) – Ben Jan 21 '14 at 20:57
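
The PDO approach recommended in the comments, applied to this profile lookup as an added example (not code from any poster on this page): the username is bound as a parameter, a failed query throws instead of silently returning `false`, and every value is HTML-escaped on output. The in-memory SQLite database, the sample rows and the helper names `fetchProfile` and `renderRow` are assumptions made so the script runs stand-alone; for MySQL only the DSN and credentials change.

```php
<?php
// Added example: the profile lookup with PDO and a bound parameter.
// Assumption: an in-memory SQLite database stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
// Failed queries now throw, so a broken query cannot be passed on as "false".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the column names from the question.
$pdo->exec('CREATE TABLE tz_members (id INTEGER PRIMARY KEY, usr TEXT, pass TEXT, email TEXT, dt TEXT, priv INTEGER)');
$insert = $pdo->prepare('INSERT INTO tz_members (usr, pass, email, dt, priv) VALUES (?, ?, ?, ?, ?)');
$insert->execute(['cristian', 'x', 'c@example.com', '2014-01-21', 1]);
$insert->execute(["o'brien <b>", 'x', 'o@example.com', '2014-01-22', 0]);

// Hypothetical helper: select only the columns the page displays (no pass, no email).
function fetchProfile(PDO $pdo, string $usr): ?array
{
    $stmt = $pdo->prepare('SELECT id, usr, priv, dt FROM tz_members WHERE usr = :usr');
    $stmt->execute([':usr' => $usr]);   // the value travels as data, never as SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: escape every value before it is placed in HTML.
function renderRow(array $row): string
{
    $cells = '';
    foreach (['id', 'usr', 'priv', 'dt'] as $col) {
        $cells .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Stand-ins for $_SESSION['usr']; the first contains a quote and markup,
// which would break a concatenated query and the rendered table.
foreach (["o'brien <b>", 'cristian', 'nobody'] as $usr) {
    $row = fetchProfile($pdo, $usr);
    echo $row ? renderRow($row) : 'No such user', "\n";
}
```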