PHP Mysqli Query execute from table data query

Question

I have sql query that saved on table.

tbl_query

SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = '$getBadgeID'

Then on PHP code:

$query = mysqli_query($con, "SELECT * FROM tbl_query");
while($data = mysqli_fetch_array($query))
{
    //SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = '$getBadgeID'
    $getQuery = $data['sql_query'];

    $qTotal = mysqli_query($con, $getQuery);
    $dTotal = mysqli_fetch_array($qTotal);

    echo $dTotal['TOTAL'];
}

When I tried to run that code, it show me result of total is 0. But if I remove this WHERE badgeid_fk = '$getBadgeID' on query data, the result is OK not 0.

How to keep execute the query even if there is an variable '$getBadgeID'

Answer 1

PHP treating this variable as a string, thats why result generating this query

SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = '$getBadgeID' // its not converting your variable with 150502

Here you can use alternate name or you can use with delimiter like:

Your current query is:

SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = '$getBadgeID'

Change your query with:

SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = ':getBadgeID'

Now, you need to use str_replace to replace delimiter with your variable like:

while($data = mysqli_fetch_array($query))
{
    $getQuery = str_replace(":getBadgeID", $getBadgeID , $data['sql_query']);    
}

Why i am using delimiter here, because your variable $getBadgeID having defined value inside your php script and its not dynamic.

In our chat conversation, @executable suggest an another solution to use prepared statement.

Edit:

As per discussion with @Bananaapple, i am adding this comment for future visitors, Prepared Statement is an another solution which is more secure, if you want to avoid SQL injection, then choose prepared statement.

Answer 2

The recommend way is to use the prepared statements to sanitize the query and protect you from SQL injection. The following comic give an example of what is SQL injection.

For answering the question we discover that in your query the variable $getBadgeID was read as text and not as variable. I recommend you to use this code which use the prepared statements :

<?php
$conn = new mysqli("HOST", "USER", "SECRET", "DATABASE");
if($stmt = $conn->prepare("SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = ?")) {
    $stmt->bind_param("s", $getBadgeID);
    $stmt->execute(); 
    $result = $stmt->get_result();
    while($row = $result->fetch_assoc()) {
        $total = $row['TOTAL'];
    }
    $stmt->close();
}
$conn->close();
var_dump($total);

If you want more debugging :

<?php
if(isset($getBadgeID) and $getBadgeID != ""){
    $conn = new mysqli("HOST", "USER", "SECRET", "DATABASE");
    if($stmt = $conn->prepare("SELECT SUM(simpanan_wajib) AS TOTAL FROM tb_simpanan WHERE badgeid_fk = ?")) {
        $stmt->bind_param("s", $getBadgeID);
        $stmt->execute(); 
        $result = $stmt->get_result();
        while($row = $result->fetch_assoc()) {
            $total = $row['TOTAL'];
        }
        $stmt->close();
    }else{
        echo "Query is wrong";
    }
    $conn->close();
    var_dump($total);
}else{
    echo 'Variable $getBadgeID is empty';
}