Re: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result error

[__]

> // Get the ID and Table name into variables
$id = $_GET;
$table = $_GET;
$title = $_GET;

I don’t mean to distract you, but it’s probably best to address this now:

*****
## [**NEVER DO THIS**](http://xkcd.com/327/) : )
*****

If you take user input (e.g., from `$_GET`) and put it directly into an SQL query, you run the risk of generating SQL errors that will ruin your database (*best* case) or allowing an attacker to gain control of your database and possibly compromise your entire server (*worst* case).

Instead, you need to *validate* and *sanitize* all user-submitted data.

*Validate* means “make sure it *is* what you *think it is*.”

For example, you probably expect `$_GET` to be a number – but it *could* be anything the user types in. They could type in `gibberish’ or 1=1 –`, and your query would return *all* rows.

Before putting it in the query, make sure it is a number:

if( ctype_digit( $_GET ) ){
$id = $_GET;
}
else{
/* error! ‘id’ is not a number */
}

Likewise, you probably expect `$_GET` to be the name of a database table (and probably one of a particular few). Use a whitelist:

$allowedTables = array( ‘this_table’,’that_table’ );
if( in_array( $_GET,$allowedTables ) ){
$table = $_GET;
}
else{
/* error! you’re not allowed to look at ‘table’ */
}

*Sanitize* means “make sure *data* is treated like *data*, and not like *a command*.”

Certain characters can change the meaning of your SQL query. In the example above, I used `gibberish’ or 1=1 –` – the single-quote after *gibberish* would make MySQL treat “or” as an SQL command, and not as simply the word “or.” That’s what created the danger – allowing an attacker to rewrite your query as they saw fit.

Use the appropriate escape functions to prevent this. In this case, [mysqli_real_escape_string()](http://php.net/mysqli_real_escape_string) would make sure that quote was *escaped* and treated as part of the string, not as part of the SQL query.