Home › Forums › Back End › mysqli_fetch_assoc() expects parameter 1 to be mysqli_result error › Re: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result error
> // Get the ID and Table name into variables
$id = $_GET;
$table = $_GET;
$title = $_GET;
I don’t mean to distract you, but it’s probably best to address this now:
*****
## [**NEVER DO THIS**](http://xkcd.com/327/) : )
*****
If you take user input (e.g., from `$_GET`) and put it directly into an SQL query, you run the risk of generating SQL errors that will ruin your database (*best* case) or allowing an attacker to gain control of your database and possibly compromise your entire server (*worst* case).
Instead, you need to *validate* and *sanitize* all user-submitted data.
*Validate* means “make sure it *is* what you *think it is*.”
For example, you probably expect `$_GET` to be a number – but it *could* be anything the user types in. They could type in `gibberish’ or 1=1 –`, and your query would return *all* rows.
Before putting it in the query, make sure it is a number:
if( ctype_digit( $_GET ) ){
$id = $_GET;
}
else{
/* error! ‘id’ is not a number */
}
Likewise, you probably expect `$_GET` to be the name of a database table (and probably one of a particular few). Use a whitelist:
$allowedTables = array( ‘this_table’,’that_table’ );
if( in_array( $_GET,$allowedTables ) ){
$table = $_GET;
}
else{
/* error! you’re not allowed to look at ‘table’ */
}
*Sanitize* means “make sure *data* is treated like *data*, and not like *a command*.”
Certain characters can change the meaning of your SQL query. In the example above, I used `gibberish’ or 1=1 –` – the single-quote after *gibberish* would make MySQL treat “or” as an SQL command, and not as simply the word “or.” That’s what created the danger – allowing an attacker to rewrite your query as they saw fit.
Use the appropriate escape functions to prevent this. In this case, [mysqli_real_escape_string()](http://php.net/mysqli_real_escape_string) would make sure that quote was *escaped* and treated as part of the string, not as part of the SQL query.