/    Sign up×
Community /Pin to ProfileBookmark

MySQL Select Statment in PHP with Variables

Copy linkTweet thisAlerts:
Mar 24.2008

Hi i am trying to create a select statement for my login form but i keep getting error messages.

the variable i am using is:

[code=php]$user = $_POST[‘user’];[/code]

and the select statment is:

[code=php]$sql = “SELECT username, password FROM users WHERE username = $user”;[/code]

Can anybody tell me where i am going wrong

Daniel ?

to post a comment
PHP

5 Comments(s)

Copy linkTweet thisAlerts:
@NogDogMar 24.2008 — SQL string literals need to be quoted just like PHP string literals do:
[code=php]
$sql = "SELECT username, password FROM users WHERE username = '$user'";
[/code]
Copy linkTweet thisAlerts:
@harleyflh75Mar 24.2008 — Actually i think the correct way to do this is:

[code=php]
$sql = "SELECT username, password FROM users WHERE username = '".$user."'";
[/code]
note: after the = is a single quote, double quote, period, string,period,double quote,single quote,double quote

if Im wrong please let me know.
Copy linkTweet thisAlerts:
@NogDogMar 24.2008 — Actually i think the correct way to do this is:

[code=php]
$sql = "SELECT username, password FROM users WHERE username = '".$user."'";
[/code]
note: after the = is a single quote, double quote, period, string,period,double quote,single quote,double quote

if Im wrong please let me know.[/QUOTE]
Either way will work, as the string literal being assigned to $sql is a double-quoted string, so variable interpolation will be performed. However, it might be better to use harley's suggestion so that you can also prevent SQL injection:
[code=php]
$sql = "SELECT username, password FROM users WHERE username = '" . mysql_real_escape_string($user) . "'";
[/code]
PS: Or use my favorite, the sprintf() function:
[code=php]
$sql = sprintf(
"SELECT username, password FROM users WHERE username = '%s'",
mysql_real_escape_string($user)
);
[/code]
Copy linkTweet thisAlerts:
@spinnykidauthorMar 24.2008 — Thanks Guys

It worked now all i have to do is sort out how to set cookies and add a if cookie is set then allow else goto login.php script

P.S.

Wow that was quick ?
Copy linkTweet thisAlerts:
@jamesbcox1980Dec 10.2008 — MySQL

I'm just starting out with MySQL and I have been having the same problem, and I'd like to know what solution finally worked for you. Many people have the problem of using "=" instead of "==", but my code does not have that problem. I have been setting a literal, and then using the literal in the query sting. I have tried many methods, to no avail.

[code=php]
$query = "SELECT last_name FROM customers WHERE username = $str";

$query = 'SELECT last_name FROM customers WHERE username = ' . $str;

$query = 'SELECT last_name FROM customers WHERE username = "' . $str . '"';

$query = "SELECT last_name FROM customers WHERE username = '$str'";

$query = "SELECT last_name FROM customers WHERE username = '$str'";

[/code]

My database works, returns data, and has no errors. Same for my PHP. This statement seems to ignore the variable completely, before sending it to the database. It always sends an empty value. I echoed it, to see what it was sending and it returned:

SELECT last_name FROM customers WHERE username =

I know this is a problem with concatenating with the double quoted string. How did you end up fixing this?

Thanks!
×

Success!

Help @spinnykid spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 5.19,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,

tipper: @Yussuf4331,
tipped: article
amount: 1000 SATS,

tipper: @darkwebsites540,
tipped: article
amount: 10 SATS,
)...