MySQL WHERE syntax using POST variable

I am trying to write an SQL statement that fetches the value in the "userkey" field when the "username" and "userpassword" are equal. The "username" and "userpassword" are contained in variables passed using $_POST. The statement follows:
$sql = "SELECT userkey FROM tbl_name WHERE (username = ".$_POST['username'].") AND (userpassword = ".$_POST['password'].")";

Assuming the username is "John", the results of the above query is:
Unknown column 'john' in 'where clause'

Might someone correct my syntax to yield the desired results: the userkey?
Thanks.
lepirtleAsked:
Who is Participating?
 
maeltarConnect With a Mentor Commented:
Sorry about the ')'  I should have double checked before I hit Submit

$userkey will be an array...

try

$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'";

$result_set = mysql_query($sql) or die(mysql_error());

$userkey = mysql_fetch_array($result_set);

echo $userkey[0];

print_r($userkey);

Open in new window


I would suggest using "mysql_fetch_row"

Or if you are just wanting to see if it comes back with > 0 results..

$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'";

$result_set = mysql_query($sql) or die(mysql_error());

if (mysql_num_rows($result_set) > 0)
{
// code in here you have a match
}else{
// code in here for no matches
}

Open in new window

0
 
maeltarCommented:
Firstly you should always use some method of preventing SQL Injection, no matter how simple..

$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'");

Open in new window


try that

Regards

S
0
 
eriksmtkaCommented:
0
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

 
lepirtleAuthor Commented:
Hi Maeltar,
I appreciate, and will incorporate your Injection statements.

I tried your revised sql statement and initially received an error:
Parse error: syntax error, unexpected ')'

So I removed the last ')' but now, when I echo the $userkey I receive the word "Array'.

$uname = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'";

$result_set = mysql_query($sql) or die(mysql_error());

$userkey = mysql_fetch_array($result_set);

echo $userkey;

Am I wrong in using the following to display the userkey?

 $userkey = mysql_fetch_array($result_set);
 echo $userkey;

0
 
Dave BaldwinFixer of ProblemsCommented:
Here http://www.phpeasystep.com/workshopview.php?id=6 is a script similar to one I use.  Note the addition at the bottom of the page about encrypting the password.  It is generally considered bad to store passwords in plain text in your database.
0
 
lepirtleAuthor Commented:
Thanks Malter. That did the trick!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.