Re: Forms...and WHERE in mysql — PHP Programming Language

You are here: Re: Forms...and WHERE in mysql « PHP Programming Language « IT news, forums, messages

Posted by Michael Fesser on 12/29/07 00:33

..oO(jpyers@gmail.com)

>$result=mysql_query("SELECT * FROM members
>WHERE username="$_POST[username]"");
>
>Your quotes are messed up, doing what sskaje said should fix your
>problem.
>
>$result = mysql_query("SELECT * FROM members WHERE username=`
>$_POST['username']`");
>
>That should fix your problem.

Nope. It will cause a parse error because of the single-quoted array
index inside of a double-quoted string. Additionally it will cause an
SQL error because a backtick (`) is not a valid string delimiter.

Correct:

$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");

or

$result = mysql_query("
SELECT *
FROM members
WHERE username = '{$_POST['username']}'
");

Of course this won't fix the SQL injection problem ...

Micha

Navigation:

Next in forum: Re: How to auto detect a remote IMAP/POP3 server given only an email address ?
Prev in forum: Re: How to auto detect a remote IMAP/POP3 server given only an email address ?
Thread view: Re: Forms...and WHERE in mysql

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация