
Syntax error with Special Characters in Password

Hi,

I am having trouble with validation.
When I validate a user I’m getting errors with special characters in the username and password.
The error appears in $result = mysql_query($sql)

Username is similar to this: username[b]@honeycombworldwide.com[/b]
Password is similar to this: password[b]![/b]


—-
[code=php]$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT * FROM it_mem WHERE Mem_Email=".$username." AND Mem_Password=".$password;
$result = mysql_query($sql) or die (mysql_error());[/code]

When I echo $result with $username and $password filters, I get this error:

[code]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@honeycombworldwide.com AND Mem_Password=password!' at line 1[/code]

When I echo $result with just $password as a filter, I get this error:

[code]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '!' at line 1[/code]

Any idea? Thanks for looking


5 Comment(s)

@stephan_gerlach Oct 30.2006 — The problem is not special characters. The problem is that these are strings and not numbers. Your SQL is wrong.

Try this:

[code=php]

$password = $_POST['password'];
$username = $_POST['username'];
$sql = 'SELECT * FROM it_mem WHERE Mem_Email="'.$username.'" AND Mem_Password="'.$password.'"';
$result = mysql_query($sql) or die (mysql_error());
[/code]
@stephan_gerlach Oct 30.2006 — Oh, another suggestion. It seems like you are not encrypting the password -> bad idea.

You are not performing any validation on username and password -> bad idea.

Both are potential security risks.
@NogDog Oct 30.2006 — See Example 3 on www.php.net/mysql_real_escape_string for a way to prevent SQL injection attacks (and automatically handle the quoting where necessary).
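
Added example (not part of any post in this thread): the points raised in the replies above (quoting of string values, hashing the password, validating input) combined in one login routine that uses PDO prepared statements and password_hash(). Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the register() and login() helpers and the sample account are constructed here, and only the table and column names come from the question.

```php
<?php
// Added example with constructed data; SQLite in memory stands in for MySQL.
// For MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE it_mem (
    Mem_ID INTEGER PRIMARY KEY, Mem_Email TEXT UNIQUE, Mem_Password TEXT)');

// Hypothetical helper: store a salted hash, never the password itself.
function register(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO it_mem (Mem_Email, Mem_Password) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Hypothetical helper: returns Mem_ID on success, null on any failure.
function login(PDO $pdo, string $email, string $password): ?int
{
    // Validate the shape of the input before it reaches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return null;
    }
    // The placeholder binds the value as data, so '@', '!' and quote
    // characters can never be parsed as part of the SQL statement.
    $stmt = $pdo->prepare(
        'SELECT Mem_ID, Mem_Password FROM it_mem WHERE Mem_Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is never put in the query; it is checked against the hash.
    if ($row === false || !password_verify($password, $row['Mem_Password'])) {
        return null;
    }
    return (int) $row['Mem_ID'];
}

// Constructed account whose values contain quotes, '@' and '!'.
$email = "o'brien@example.com";
$secret = 'pass"word\'!';
register($pdo, $email, $secret);

var_dump(login($pdo, $email, $secret));          // correct credentials
var_dump(login($pdo, $email, 'password!'));      // wrong password
var_dump(login($pdo, 'not-an-email', $secret));  // rejected by validation
```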
@_var (author) Oct 30.2006 — Okay... well, I got that sorted; however, I found that the real problem is that I am trying to set a sessionID. This used to work on my old server, so if it's wrong I can imagine... but do I not just do this:
[code=php]
setcookie ("ID01", $accessresults["Mem_ID"]);
$_SESSION['IDO1'] = "$accessresults[Mem_ID]";[/code]
@NogDog Oct 30.2006 — Better would be:
[code=php]
$_SESSION['IDO1'] = $accessresults['Mem_ID'];
[/code]

There's no need to quote the variable if that's all that's being assigned, plus your array index should be quoted when it's a string literal like that.

PS: I just noticed that you used ID01 (with a zero) for the cookie ID, but IDO1 (with a capital letter "O") for the session value. I'm guessing the latter should also be a zero?