PHP MySQL query

Question

What is wrong in this code?

$sql = "SELECT * FROM blogs WHERE blog_id = $'blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

echo $content;

The error is : Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\Program Files\xampp\htdocs\jordan_pagaduan\blog_delete_edit.php on line 3.

Answer 1

The first line should read:

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";

(move the $ to inside the single quotes)

Answer 2

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$content = $rows['blog_content'];

Answer 3

You should be using:

$sql = "SELECT * FROM blogs WHERE blog_id = '$blog_id'";

Since it is never too early to start reading about best practices, note that for public websites it is really dangerous to include any un-sanitized input into an SQL query, as you appear to be doing. You may want to read further on this topic from the following Stack Overflow posts:

• XKCD sql injection - please explain (with pictures!)
• What is SQL injection?
• Is SQL injection a risk today?
• SQL Injection Topics on Stack Overflow