Re: Forms...and WHERE in mysql

Posted by Rik Wasmus on 12/31/07 11:21

On Sat, 29 Dec 2007 01:33:01 +0100, Michael Fesser <netizen@gmx.de> wrote:

> .oO(jpyers@gmail.com)
>
>> $result=mysql_query("SELECT * FROM members
>> WHERE username="$_POST[username]"");
>>
>> Your quotes are messed up, doing what sskaje said should fix your
>> problem.
>>
>> $result = mysql_query("SELECT * FROM members WHERE username=`
>> $_POST['username']`");
>>
>> That should fix your problem.
>
> Nope. It will cause a parse error because of the single-quoted array
> index inside of a double-quoted string. Additionally it will cause an
> SQL error because a backtick (`) is not a valid string delimiter.
>
> Correct:
>
> $result = mysql_query("
> SELECT *
> FROM members
> WHERE username = '$_POST[username]'
> ");

Which will probably give a notice that the constant 'username' is not defined.

> or
>
> $result = mysql_query("
> SELECT *
> FROM members
> WHERE username = '{$_POST['username']}'
> ");

That's the one.

> Of course this won't fix the SQL injection problem ...

Very true. And a 'SELECT * ' should never be used in production, only for
testing purposes. Naming the fields you need will both ease the load on the
server and cause a transparent failure instead of an obscure one on a table
alteration.
--

Rik Wasmus
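The two points made above (string interpolation leaves the query open to SQL injection, and `SELECT *` fails obscurely when the table changes) as an added, runnable example. This is not code from the thread; it uses Python's bundled sqlite3 module against an in-memory table instead of PHP/MySQL so that it runs offline, and the `members` rows, the hostile input and the simulated schema change are all constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example; not data from the thread.
MEMBERS = [("alice", "s3cret"), ("bob", "hunter2")]


def setup_db():
    """In-memory stand-in for the MySQL `members` table discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_interpolated(conn, username):
    """The pattern under discussion: the POSTed value is pasted into the SQL text
    (the Python equivalent of "... WHERE username = '{$_POST['username']}'").
    Anything the user types, quotes included, is parsed as part of the query."""
    sql = f"SELECT * FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Named columns plus a bound parameter. The driver passes the value
    separately from the statement text, so it can never change the query."""
    sql = "SELECT id, username FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def alter_members(conn):
    """Simulate a later table alteration: an `email` column is inserted before
    the name column and `username` is renamed to `login`. Done by copy-and-rename
    so it works on any SQLite version (ALTER TABLE ... RENAME TO is universal)."""
    conn.execute(
        "CREATE TABLE members_new "
        "(id INTEGER PRIMARY KEY, email TEXT, login TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO members_new (id, email, login, password) "
        "SELECT id, username || '@example.invalid', username, password FROM members"
    )
    conn.execute("DROP TABLE members")
    conn.execute("ALTER TABLE members_new RENAME TO members")
    conn.commit()


def injection_demo():
    """Hostile input that would never match a real username returns every row
    through the interpolated query and nothing through the parameterized one."""
    conn = setup_db()
    hostile = "nobody' OR '1'='1"
    return {
        "interpolated_rows": len(lookup_interpolated(conn, hostile)),
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),
    }


def select_star_demo():
    """After the schema change, SELECT * still succeeds but positional code
    silently reads the email as the username; the query that names its columns
    fails loudly with an unknown-column error, which is what you want to see."""
    conn = setup_db()
    alter_members(conn)
    star_row = conn.execute("SELECT * FROM members WHERE id = 1").fetchone()
    try:
        conn.execute("SELECT id, username FROM members WHERE id = 1")
        named_error = None
    except sqlite3.OperationalError as exc:
        named_error = str(exc)
    return {"select_star_username": star_row[1], "named_columns_error": named_error}


if __name__ == "__main__":
    print(injection_demo())
    print(select_star_demo())
```

The same split applies in PHP: mysqli or PDO prepared statements bind the POSTed value as a parameter rather than interpolating it, and listing the columns you actually read makes a renamed or reordered column surface as a query error instead of wrong data flowing into the application.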

Copyright © 2005-2006 Powered by Custom PHP Programming