lepirtle
asked on
MySQL WHERE syntax using POST variable
I am trying to write an SQL statement that fetches the value in the "userkey" field when the "username" and "userpassword" are equal. The "username" and "userpassword" are contained in variables passed using $_POST. The statement follows:
$sql = "SELECT userkey FROM tbl_name WHERE (username = ".$_POST['username'].") AND (userpassword = ".$_POST['password'].")";
Assuming the username is "John", the results of the above query is:
Unknown column 'john' in 'where clause'
Might someone correct my syntax to yield the desired results: the userkey?
Thanks.
$sql = "SELECT userkey FROM tbl_name WHERE (username = ".$_POST['username'].") AND (userpassword = ".$_POST['password'].")";
Assuming the username is "John", the results of the above query is:
Unknown column 'john' in 'where clause'
Might someone correct my syntax to yield the desired results: the userkey?
Thanks.
ASKER
Hi Maeltar,
I appreciate, and will incorporate your Injection statements.
I tried your revised sql statement and initially received an error:
Parse error: syntax error, unexpected ')'
So I removed the last ')' but now, when I echo the $userkey I receive the word "Array'.
$uname = mysql_real_escape_string($ _POST['use rname']);
$pass = mysql_real_escape_string($ _POST['pas sword']);
$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'";
$result_set = mysql_query($sql) or die(mysql_error());
$userkey = mysql_fetch_array($result_ set);
echo $userkey;
Am I wrong in using the following to display the userkey?
$userkey = mysql_fetch_array($result_ set);
echo $userkey;
I appreciate, and will incorporate your Injection statements.
I tried your revised sql statement and initially received an error:
Parse error: syntax error, unexpected ')'
So I removed the last ')' but now, when I echo the $userkey I receive the word "Array'.
$uname = mysql_real_escape_string($
$pass = mysql_real_escape_string($
$sql = "SELECT userkey FROM tbl_name WHERE username = '{$uname}' AND userpassword = '{$pass}'";
$result_set = mysql_query($sql) or die(mysql_error());
$userkey = mysql_fetch_array($result_
echo $userkey;
Am I wrong in using the following to display the userkey?
$userkey = mysql_fetch_array($result_
echo $userkey;
Here http://www.phpeasystep.com/workshopview.php?id=6 is a script similar to one I use. Note the addition at the bottom of the page about encrypting the password. It is generally considered bad to store passwords in plain text in your database.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Malter. That did the trick!
Open in new window
try that
Regards
S