0
$playerhp = mysql_query("SELECT hp FROM member WHERE user = '".$_SESSION['username']."'");
echo "hp:".$playerhp;

This might very well be the most stupid question ever asked on this board, but I've been trying this for hours now and can't find a solution...

What I want to do is define the variable $playerhp as the number from my database so that I can work with it later, but in the current state I'm not getting anything back (the echo was just to test what $playerhp is at the moment). All the guides I found would now go on with something like $row and building an array, but what would I need an array for when I just get a single number, right?!

PS: When I add mysql_fetch_assoc or mysql_fetch_array I get the error message: mysql_fetch_array() expects parameter 1 to be resource, boolean given in so my mistake must be somewhere before that point...

  • 2
    What would happen if I modify my session so that username = `%';delete from member; --` ?? http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work?lq=1 – Ed Manet Jul 07 '14 at 15:48

3 Answers

0

You forgot to fetch the result row. The mysql_query function returns a result resource, not row values.

You can use the mysql_fetch_assoc, mysql_fetch_array or mysql_result function.

$row = mysql_fetch_assoc($playerhp);
echo $row['hp'];

P.S.: Do not use the mysql_ extension because it is deprecated. Use PDO or MySQLi instead.

zavg
  • When I do this I get this error message: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in ... – user3813012 Jul 07 '14 at 15:49
  • @user3813012 That means that your query `"SELECT hp FROM member WHERE user = '".$_SESSION['username']."'"` returns `false`, because in the database there are no rows which satisfy your query. – zavg Jul 07 '14 at 15:54
  • Yes, I thought so, but the table is there and when I output $_SESSION['username'] via echo it's the right name, so it can't be that either. Do I maybe have any formal errors in that line that I don't see?! – user3813012 Jul 07 '14 at 15:59
  • @user3813012 I don't see any errors in syntax, so if you really have a `member` table with `hp` and `user` columns, and if your database contains a row where the `user` column equals your `$_SESSION['username']` value, then everything should be ok. – zavg Jul 07 '14 at 16:11
  • OK, I went on advanced stupidity mode, the table was called members not member >. – user3813012 Jul 07 '14 at 16:16
  • @user3813012 I suspected that maybe you have a mistake in table or column names. If it was helpful, I will be glad if you upvote or accept my answer. :) – zavg Jul 07 '14 at 16:31
0

Well, if you are only requesting one variable you can use mysql_result.

usage:

$playerhp = mysql_result(mysql_query("SELECT hp FROM member WHERE user = '".$_SESSION['username']."' limit 1"), 0);

This should store the hp in your $playerhp variable.

Fabian de Pabian
  • Same error message here: mysql_result() expects parameter 1 to be resource, boolean given in ... – user3813012 Jul 07 '14 at 15:54
  • If that's the case you have an error in your MySQL query. Try echoing `SELECT hp FROM member WHERE user = '".$_SESSION['username']."' limit 1` and execute the outcome in your MySQL client. It will give you more in-depth error messages and you can debug your query. Maybe a non-existing column or table name. – Fabian de Pabian Jul 08 '14 at 09:32
0

The mysql_query() function will return a resource on success. So after getting the resource you need to use PHP's mysql_fetch_assoc(), mysql_fetch_array() etc. on that resource variable to fetch the row data. After that you can use the values as regular variables.

So here:

$result = mysql_query("SELECT hp FROM member WHERE user = '".$_SESSION['username']."'");
$row = mysql_fetch_assoc($result); // fetch the row from the result resource
$playerhp = $row["hp"];            // the single value from that row

But for developing new PHP applications do not use the mysql extension, because this extension is deprecated as of PHP 5.5.0 and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.

Read more about mysqli here

Read more about PDO here

MySQLi and PDO will also provide more security compared to the mysql extension. Try to use filtered data when using it in MySQL queries to prevent SQL injection.

Mijoe
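The single-value lookup discussed in the answers above, written with PDO and a bound parameter, as an added example that is not part of any answer on this page. It assumes an in-memory SQLite database standing in for the MySQL server so it runs offline; the function name `fetchPlayerHp`, its `$table` parameter and the sample row are constructed for illustration.

```php
<?php
// Added example. Assumption: SQLite in memory stands in for MySQL; with MySQL
// only the DSN changes, e.g. 'mysql:host=...;dbname=...'.
$pdo = new PDO('sqlite::memory:');
// Make failed queries throw instead of returning false ("boolean given").
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; the table is named `members`, as the asker later found.
$pdo->exec("CREATE TABLE members (user TEXT PRIMARY KEY, hp INTEGER NOT NULL)");
$pdo->exec("INSERT INTO members (user, hp) VALUES ('alice', 87)");

/**
 * Return the hp of $username as an int, or null when no such user exists.
 * $table is hypothetical, present only to reproduce the wrong-table-name case;
 * it is checked against an allow-list because identifiers cannot be bound.
 */
function fetchPlayerHp(PDO $pdo, string $username, string $table = 'members'): ?int
{
    if (!in_array($table, ['member', 'members'], true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    $stmt = $pdo->prepare("SELECT hp FROM $table WHERE user = :user LIMIT 1");
    $stmt->execute([':user' => $username]); // value travels as data, not as SQL text
    $hp = $stmt->fetchColumn();             // first column of first row, false if no row
    return $hp === false ? null : (int) $hp;
}

// 1. Normal lookup: one number, no array handling needed.
var_dump(fetchPlayerHp($pdo, 'alice'));

// 2. The username from the comment on the question is compared as a literal
//    string, so no row matches and the table is untouched.
var_dump(fetchPlayerHp($pdo, "%';delete from member; --"));
var_dump((int) $pdo->query("SELECT COUNT(*) FROM members")->fetchColumn());

// 3. Wrong table name: the driver reports what is wrong at the failing call.
try {
    fetchPlayerHp($pdo, 'alice', 'member');
} catch (PDOException $e) {
    echo "query failed: ", $e->getMessage(), "\n";
}
```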