如何解决此MySQL错误？

Question

I have this code for a news feed and it's combined with a code for a "load more" function. The updates table is where the updates in the newsfeed exist. The username_poster is the username of the person posting an update into which displays in the newsfeed. $last_msg_id represents the id of the last post in the newsfeed to represent what to load next.

The problem I'm having is whenever my code calls to this script, it never loads it. The script works fine when I have the

username_poster IN
(SELECT user_id FROM scuela_following WHERE follower_id = '".$_SESSION['username']."')`

out of the code, but as soon as I add it in, it stops working. Any help would be greatly appreciated.

<?php
$last_msg_id=$_GET['last_msg_id'];
$sql=mysql_query("SELECT * FROM updates_table WHERE id < '$last_msg_id' AND username_poster IN
(SELECT user_id FROM scuela_following WHERE follower_id = '".$_SESSION['username']."')
ORDER BY id DESC LIMIT 5");
$last_msg_id="";
while($row=mysql_fetch_array($sql))
{


} 
?>

Answer 1

I see that you miss the session_start(); at the very top of your script.

Answer 2

In this SQL it looks like you're looking for a "username_poster" in your subquery, when you're only selecting "user_id."

    AND username_poster IN
    (SELECT user_id
    FROM scuela_following

Alter the SQL to look for "user_id" instead of "username_poster", or return "username_poster" instead of "user_id" in the subquery.

And as mentioned above, you should really use queries with parameters to prevent SQL injection.

Answer 3

I suspect that there is a problem here:

"... WHERE follower_id = '".$_SESSION['username']."' ..."

Firstly you are not properly escaping and may have an SQL injection vulnerability. You should use mysql_real_escape_string or parameterized queries.

Secondly, it looks like you are comparing a username (eg "foobar") to an ID (eg 10042). You probably need to join with another table that relates usernames to user IDs.