尝试从其中user_id = $ _SESSION ['id']的数据库表中选择时出错

Question

I've seen that there are many posts about this error, but I can't find an answer for my particular problem. I'm trying to show a table for the user, but only if is logged in, and only if the table row is added by that particular user.So, i'm trying tu use this line:

$sql = "SELECT * FROM data WHERE id_user = $_SESSION['id']";
$result = mysqli_query($connect, $sql);

And I get this error:

" syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)"

Also, i tried

$sql = "SELECT * FROM 'data' WHERE 'id_user' = '$_SESSION['id']'";

Note the ' ' around table name and variables

What to change so that the syntax is good?

Answer 1

Don't do it like that, use a prepared statement:

$sql = "SELECT * FROM data WHERE id_user = ?";
$stmt = mysqli_prepare($link, $sql);
mysqli_stmt_bind_param($stmt, "i", $_SESSION['id']);
mysqli_stmt_execute($stmt);

More info can be found here: https://secure.php.net/manual/en/mysqli.prepare.php

It takes some getting used to, and it might be a little more verbose (you could wrap that in your own class or functions), but it will be vastly safer and more portable.

Not to mention you can brag to your friends that you use prepared statements by default!

Answer 2

change your query as:

$sql = "SELECT * FROM data WHERE id_user = ". $_SESSION['id'];

This may work for you as of now, but you have to change your query as your query is open for SQL injection.

Use prepared statement to build your query.