
php _POST query parameter fails, but hard coded text query succeeds

<?php

$servername = "localhost";
$username = "user";
$password = "password";
$database = "mydatabase";


$mypassword = "mypassword";

$receivedPassword = $_POST["pwd"];
if ($receivedPassword != $mypassword) {
    print "cedential failure";
} else {
    $unfiltered = $_POST["query"];
    //  print("unfiltered $unfiltered");

    $myquery = htmlspecialchars($unfiltered);
// Create connection
    $conn = new mysqli($servername, $username, $password, $database);
    // print("filtered: $myquery");
// Check connection
    if ($conn->connect_error) {

        die("Connection failed: " . $conn->connect_error);
    } else {
        print("conn ssuccessfull");
    }
    print('performing query: ' . $myquery);
    //$quer = (string)$myquery;
    $res = $conn->query($myquery); // or die(mysql_error());
    $enc = mb_detect_encoding($myquery);
    print("<br> encoding is: $enc <br>");
    $rows = array();
    while ($r = mysqli_fetch_assoc($res)) {
        $rows[] = $r;
        print($r);
    }
    print("ehere");
    print json_encode($rows);
    $conn->close();
}


?>

Here's an example of something I get printed back to me.

conn successfull
performing query: SELECT * FROM music_log2 WHERE (central_time > '2016-02-03 2:00:00' AND central_time < '2016-02-03 4:00:00')
encoding is: ASCII
ehere[]

Looking at the server log, I see:

2/27/2016 4:41:26 AM - www: PHP Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /path/to/my/file.php on line 43

Note that in my sample output, I don't get a result. In fact the server log indicates that $res is false after:

$res = $conn->query($myquery); // or die(mysql_error());

I've tried the die option, as you can see commented out, but I get no error output, just no more prints.

When I put the exact query hard coded by changing the query line to:

$res = $conn->query("SELECT * FROM music_log2 WHERE (central_time > '2016-02-03 2:00:00' AND central_time < '2016-02-03 4:00:00')");

It works FINE. Here is some output from changing the above line:

conn successfull
performing query: SELECT * FROM music_log2 WHERE (central_time > '2016-02-03 2:00:00' AND central_time < '2016-02-03 4:00:00')
encoding is: ASCII
ArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArray[{"field_number":"6","value":"Everything Other Than Rotation","central_time":"2016-02-03 03:59:15","user_agent":"API","id":"1084793"},{"field_number":"2","value":"Title Fight","central_time":"2016-02-03 03:59:15","user_agent":"API","id":"1084794"},{"field_number":"3","value":"Hyperview","central_time":"2016-02-03 03:59:15","user_agent":"API","id":"1084795"},{"field_number":"4","value":"Chlorine","central_time":"2016-02-03 03:59:15","user_agent":"API","id":"1084796"},
...

Help. I'm super stumped. Been working on this for 2 days now.

I've also tried wrapping the query in double quotes:

$res = $conn->query('"' . $myquery . '"');

Same empty result.

The htmlspecialchars converts < to &lt; and > to &gt;, which won't fly in your MySQL queries.
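
An added example, not code from the question or the answer above: it prints what htmlspecialchars() really passes to the database, then shows a hardened shape for the endpoint in which the SQL text is fixed and the client supplies only the two timestamps as bound parameters. Assumptions: PDO with in-memory SQLite stands in for the MySQL server, and parse_ts() and fetch_window() are hypothetical helper names.

```php
<?php
// Constructed input: the query text from the question, as it would arrive in $_POST["query"].
$posted = "SELECT * FROM music_log2 WHERE (central_time > '2016-02-03 2:00:00'"
        . " AND central_time < '2016-02-03 4:00:00')";

// 1. The bytes the database really receives. < and > become &lt; / &gt;
//    (since PHP 8.1 the default flags also turn ' into &#039;). A browser renders
//    the entities back, so the page shows the original text; a CLI run or a log does not.
$escaped = htmlspecialchars($posted);
echo "sent to DB: $escaped\n";
echo "same as input: ", var_export($escaped === $posted, true), "\n";

// 2. Hardened shape: SQL text is fixed, the client supplies only two timestamps.
function parse_ts(string $s): string {
    $dt  = DateTimeImmutable::createFromFormat('!Y-m-d G:i:s', $s);
    $err = DateTimeImmutable::getLastErrors();   // false on PHP >= 8.2 when clean
    if ($dt === false || ($err && ($err['warning_count'] || $err['error_count']))) {
        throw new InvalidArgumentException('not a timestamp');
    }
    return $dt->format('Y-m-d H:i:s');           // zero-padded, canonical form
}

function fetch_window(PDO $db, string $from, string $to): array {
    $stmt = $db->prepare('SELECT id, field_number, value, central_time FROM music_log2'
        . ' WHERE central_time > :from AND central_time < :to ORDER BY id');
    $stmt->execute([':from' => parse_ts($from), ':to' => parse_ts($to)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumption: in-memory SQLite via PDO stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE music_log2 (id INTEGER PRIMARY KEY, field_number INTEGER,'
        . ' value TEXT, central_time TEXT)');
// Rows 1084793/1084794 copy values from the question's output; row 1 is constructed.
$db->exec("INSERT INTO music_log2 VALUES
    (1084793, 6, 'Everything Other Than Rotation', '2016-02-03 03:59:15'),
    (1084794, 2, 'Title Fight', '2016-02-03 03:59:15'),
    (1, 2, 'Outside Window', '2016-02-03 05:10:00')");

echo json_encode(fetch_window($db, '2016-02-03 2:00:00', '2016-02-03 4:00:00')), "\n";

try {   // anything that is not a timestamp is rejected before it reaches the database
    fetch_window($db, "2016-02-03 2:00:00' OR '1'='1", '2016-02-03 4:00:00');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With the question's mysqli connection, the same statement is written with ? placeholders and goes through $conn->prepare() and bind_param().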

I am not too sure what your question is, but I can still help in this way.

In your PHP script use the ".mysqli_connect_error()" method to see what is exactly giving you the error. Use it like this:

// $connection is the value returned by mysqli_connect()
if (!$connection) {
    echo "Connection Error..." . mysqli_connect_error();
} else {
    echo "Database connection Success...";
}

Call the PHP script in your browser and you should echo back an error!
