This is my code

<?php 
    $result = mysql_query("SELECT * FROM post WHERE username = ".$username." ORDER BY ID DESC ");
    while($row = mysql_fetch_array($result)){ 
    ?>
        <div class="post">
            <a href="/p/<?php echo $row['ID']; ?>" class="post-title"><?php echo $row['title']; ?> - (Rating: <?php echo $row['rank']; ?>)</a>
            <p class="post-content"><?php echo $row['description']; ?><br /><br />On <?php echo $row['date']; ?></p>
        </div>
    <?php }; ?>

But I get this error:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /*/programs/user.php on line 77

check if query is correct. – Dev Oct 14 '12 at 14:01
It is, when I run a search on PHPMyAdmin and show the PHP code, this is what I get: $sql = "SELECT * FROM vb_posts WHERE username = \'joshblease\' ORDER BY ID DESC"; – Josh Luke Blease Oct 14 '12 at 14:01
Use strip slashes on $username, also run the query outside PHP and check if it's returning something. – Dev Oct 14 '12 at 14:03

2 Answers

up vote 2 down vote accepted

I suspect that you forgot to wrap it in single quotes:

$result = mysql_query("SELECT * 
                       FROM post 
                       WHERE username = '".$username."' 
                       ORDER BY ID DESC ");

But you are still vulnerable to SQL injection. Please take the time to read the article below:

Best way to prevent SQL injection in PHP?

somewhat similar on this one mysql_fetch_array() expects parameter 1 to be resource, boolean given in select – JW. Oct 14 '12 at 14:06

mysql_query() returns a boolean FALSE if there was an error. So there was an error in your SELECT statement.

You should check if $result === FALSE before trying to do something with $result. If $result === FALSE, use mysql_error() to find out more about what went wrong.

Note that mysql_query() and other mysql_* functions are deprecated. Move to mysqli_* or PDO functions/methods instead. One great feature of PDO and mysqli_* is prepared statements. They will help you avoid SQL injection attacks.

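The two fixes the answers recommend (handle a failed query, use a prepared statement), combined in one script. This is an added example, not code from either answer; it assumes PDO with an in-memory SQLite database and constructed rows so it runs without a server, and `postsByUser` is a hypothetical helper name.

```php
<?php
// Added example: the table name and columns follow the question; the in-memory
// SQLite database and the sample rows are constructed for illustration.
// For MySQL, swap the DSN for 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
// Make failures throw instead of returning false, so a failed query can never
// reach the fetch loop as a boolean.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

$pdo->exec('CREATE TABLE post (ID INTEGER PRIMARY KEY, username TEXT, title TEXT)');
$pdo->exec("INSERT INTO post (username, title) VALUES
            ('joshblease', 'First post'), ('joshblease', 'Second post'), ('other', 'Hidden')");

// Hypothetical helper: returns the user's posts, newest first, or [] on error.
function postsByUser(PDO $pdo, string $username): array
{
    try {
        // The value is bound to the ? placeholder rather than concatenated
        // into the SQL, so there are no quotes to forget and the input
        // cannot change the structure of the statement.
        $stmt = $pdo->prepare('SELECT ID, title FROM post WHERE username = ? ORDER BY ID DESC');
        $stmt->execute([$username]);
        return $stmt->fetchAll();
    } catch (PDOException $e) {
        // Log the driver message server-side; do not echo it to the page.
        error_log('post query failed: ' . $e->getMessage());
        return [];
    }
}

foreach (postsByUser($pdo, 'joshblease') as $row) {
    printf("%d: %s\n", $row['ID'], $row['title']);
}

// Constructed hostile input: concatenated into the query string it would
// rewrite the WHERE clause; as a bound parameter it is only a username
// that matches no row.
var_dump(count(postsByUser($pdo, "x' OR '1'='1")));
```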
