Reply to Re: Forms...and WHERE in mysql

Posted by Michael Fesser on 12/29/07 00:33

..oO(jpyers@gmail.com)

>$result=mysql_query("SELECT * FROM members
>WHERE username="$_POST[username]"");
>
>Your quotes are messed up, doing what sskaje said should fix your
>problem.
>
>$result = mysql_query("SELECT * FROM members WHERE username=`
>$_POST['username']`");
>
>That should fix your problem.

Nope. It will cause a parse error because of the single-quoted array
index inside of a double-quoted string. Additionally it will cause an
SQL error because a backtick (`) is not a valid string delimiter.

Correct:

$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");

or

$result = mysql_query("
SELECT *
FROM members
WHERE username = '{$_POST['username']}'
");

Of course this won't fix the SQL injection problem ...

Micha
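The injection problem Micha points to, shown as an added example that is not code from the thread: the interpolated query beside a parameterised version using mysqli prepared statements. The `$db` connection, its credentials and the `members` table layout are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli connection
// to a `members` table with a `username` column; connection values below are
// placeholders.

// The form from the thread: the request value is pasted into the SQL text.
// A quote character in the submitted username ends the string literal and
// whatever follows is parsed as SQL, so the query's meaning is controlled
// by the client. Kept only to show the shape of the problem.
function findMemberInterpolated(mysqli $db, string $username): ?array
{
    $sql = "SELECT * FROM members WHERE username = '$username'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form: the SQL text is sent to the server first, the value
// separately, so the value is never parsed as SQL no matter what it contains.
function findMemberPrepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT * FROM members WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $username);   // "s": bind the placeholder as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder connection details; the old mysql_* extension used in the
// thread has no prepared statements and was removed in PHP 7.
$db = new mysqli("db.example", "app_user", "PLACEHOLDER_PASSWORD", "site");
$username = $_POST['username'] ?? '';
$member = findMemberPrepared($db, $username);
```

With the legacy mysql_* extension the only option was escaping the value with mysql_real_escape_string() before interpolating it, which is why the quoting in the thread mattered so much.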
