I am getting a Notice: Trying to get property of non-object in the line `if ($resCategory->num_rows > 0)`. May I know what is the mistake here?

```php
<?php
function categoryParentChildTree($parent = 'L1', $spacing = '', $category_tree_array = '') {
    global $MySQLi_CON;
    $parent = $MySQLi_CON->real_escape_string($parent);
    if (!is_array($category_tree_array))
        $category_tree_array = array();
    $sqlCategory = "SELECT * FROM users where enrolled_id = $parent ORDER BY enrolled_id ASC";
    $resCategory=$MySQLi_CON->query($sqlCategory);
    if ($resCategory->num_rows > 0) {
        while($rowCategories = $resCategory->fetch_assoc()) {
            $category_tree_array[] = array("id" => $rowCategories['enroller_id'], "name" => $spacing . $rowCategories['user_name']);
            $category_tree_array = categoryParentChildTree($rowCategories['enroller_id'], '&nbsp;&nbsp;&nbsp;&nbsp;'.$spacing . '-&nbsp;', $category_tree_array);
        }
    }
    return $category_tree_array;
}
?>
```
stackoverflow
  • 1. What is MYSQLI_CON set to? 2. I suggest using more line breaks in your code, for example separating 'ifs' from the rest of the code by additional new lines – Bartłomiej Wach Aug 18 '16 at 10:36
  • You failed to check for failure and it's now causing further failures. You should not assume success with database operations. `if ($resCategory === false) { die(mysqli_error($MySQLi_CON)); }`. – HiDeo Aug 18 '16 at 10:38
  • OK, I am getting an error of Unknown column 'L1' in 'where clause'. My L1 exists, why is it showing the errors? – stackoverflow Aug 18 '16 at 10:40
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 18 '16 at 10:43

2 Answers

That means that $resCategory is not an object. The result of the query method may be an object (which you expect) or false if the query fails.

It seems that for some reason your query fails. Check errors for more details.

For mysqli, the last error is kept in $MySQLi_CON->error;

I can see that you have an SQL syntax error, which is missing quotes around the $parent string.

It should be:

```php
$sqlCategory = "SELECT * FROM users where enrolled_id = '$parent' ORDER BY enrolled_id ASC";
```
Jakub Matczak

You need to wrap TEXT parameters in single quotes like this, and it's also a good idea to wrap table names and column names in backticks.

You should also get into the habit of checking the status of all API calls like this

```php
$sqlCategory = "SELECT * FROM `users` where `enrolled_id` = '$parent'
                ORDER BY `enrolled_id` ASC";
$resCategory=$MySQLi_CON->query($sqlCategory);
if ( !$resCategory ) {
    echo $MySQLi_CON->error;
    exit;
}
```

To be safe from SQL Injection attacks you should also use prepared, parameterised queries as well

```php
$sqlCategory = "SELECT * FROM `users` where `enrolled_id` = ?
                 ORDER BY `enrolled_id` ASC";

$stmt = $MySQLi_CON->prepare($sqlCategory);
if ( !$stmt ) {
    echo $MySQLi_CON->error;
    exit;
}

// bind_param() and execute() are methods of the statement object,
// not of the connection
$stmt->bind_param('s', $parent);
$status = $stmt->execute();

if ( !$status ) {
    echo $stmt->error;
    exit;
}
```
RiggsFolly
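
The advice from both answers applied to the whole recursive function, as an added example (not code from the question or from either answer): failures throw instead of returning `false`, and the value is bound rather than interpolated. The connection details, the `$maxDepth` guard and the `htmlspecialchars()` call are assumptions added for illustration.

```php
<?php
// Added example. Table and column names come from the question; host,
// credentials and $maxDepth are placeholders/assumptions.

// Throw mysqli_sql_exception on failure instead of returning false, so a
// failed query can never be dereferenced as a result object.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function categoryParentChildTree(mysqli $db, string $parent = 'L1',
                                 string $spacing = '', array $tree = [],
                                 int $maxDepth = 20): array
{
    if ($maxDepth <= 0) {
        return $tree;           // stop on cyclic or very deep hierarchies
    }
    // The value is bound as a parameter, so it is never parsed as SQL and
    // needs neither quoting nor real_escape_string().
    $stmt = $db->prepare(
        'SELECT `enroller_id`, `user_name` FROM `users`
          WHERE `enrolled_id` = ? ORDER BY `enrolled_id` ASC'
    );
    $stmt->bind_param('s', $parent);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();

    foreach ($rows as $row) {
        // $spacing holds HTML entities, so the stored name is escaped for HTML.
        $name = htmlspecialchars($row['user_name'], ENT_QUOTES, 'UTF-8');
        $tree[] = ['id' => $row['enroller_id'], 'name' => $spacing . $name];
        $tree = categoryParentChildTree(
            $db, (string) $row['enroller_id'],
            '&nbsp;&nbsp;&nbsp;&nbsp;' . $spacing . '-&nbsp;', $tree, $maxDepth - 1
        );
    }
    return $tree;
}

try {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    $db->set_charset('utf8mb4');
    foreach (categoryParentChildTree($db) as $node) {
        echo $node['name'], "<br>\n";
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to visitors.
    error_log($e->getMessage());
    echo 'Database error';
}
```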