foreach not assigning value to variable after mysql query

Question

I'm attempting to create a PHP function that will allow me to convert a user_id to username from my MySQL database (as the assignment i'm working on requires this to be done a lot so i'd rather just call a function to quickly do this instead of repeating myself)

The issue i'm having is I can't assign the value returned from my query to a variable which is causing an undefined variable error.

The function is being called from a different .php script so I need the value to be returned. The user_id is passed along as a parameter when the function is called.

I've attempted already declaring the variable before the query and assigning the value during the foreach loop but I cannot get the values to save and return.

//Convert user_id to Username
function usernameConvert($userid)
{  
    //Connection to DB
    include '../dbconnect.php';

    $results = $pdo->prepare('SELECT username FROM users WHERE 
    user_id="$userid"');
    $results -> execute();


    foreach ($results as $row)
    {
        $username = $row["username"];
    }

    //comes back undefined
    return $username;
}

The main error i'm getting is it's an undefined variable.

Thanks in advance.

what do you see when you `print_r($results);` before the loop? — Zak, May 28 '19 at 20:56
PDOStatement Object ( [queryString] => SELECT username FROM users WHERE user_id="$userid" ) — Ross, May 28 '19 at 20:58
I'd suggest you check the values you're using for the `$userid` parameter. Seems like the ID doesn't exist, hence the `$results` are blank and `$username` never gets initialized, causing the error — Hamman Samuel, May 28 '19 at 21:11

AymDev · Accepted Answer · 2019-05-28T21:11:30.113

3

You can't directly use variables within string with single quotes ':

$foo = 'bar';
echo "hello $foo"; // hello bar
echo 'hello $foo'; // hello $foo

Which lead to your query searching for a user id equalling the string $suserid, as there is no possible result, your foreach loop runs 0 laps and $username is never defined.

But using double quotes " would make your query vulnerable to SQL injection. You are already using a prepared statement but in a wrong way.
Working solution with named parameters:

$results = $pdo->prepare('SELECT username FROM users WHERE user_id = :id');
$results->bindParam(':id', $userid, PDO::PARAM_INT);
$results->execute();

See PDOStatement::bindParam().

You also forgot to use fetch() (not fetchAll() as you're searching a username based on a primary key. As a primary key is unique, you can only get 1 row maximum. Therefore, no need for a loop):

$results->execute();

$username = $results->fetch();

return $username;

edited May 28 '19 at 21:11

answered May 28 '19 at 20:57

AymDev

6,626
4
29
52

NIce .. Good catch – Zak May 28 '19 at 20:59
That all makes so much sense and has worked perfectly! Thank you! – Ross May 28 '19 at 21:14
Thanks @Ross ! Feel free to upvote & accept it then, welcome to SO too ! – AymDev May 28 '19 at 21:15
Great job explaining PDO's prepared statement facility. One thing to note is you can call `execute([ 'id' => $userid ])` with an array directly to keep things simple. Binding can help with type coercsion. – tadman May 28 '19 at 21:26
1

I often directly use `execute([/* ... */])` as I find it handy too ;-) – AymDev May 28 '19 at 21:29

foreach not assigning value to variable after mysql query

1 Answers1