$account = "proot";
$sql_check_account = mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username = $account");
if(!$sql_check_account)
die(mysqli_error($connect));
Return :
Unknown column 'proot' in 'where clause'
Same with :
$sql_check_account = mysqli_query($connect, 'SELECT username FROM proot_accounts WHERE username = "'.$account.'"');
Or
$sql_check_account = mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username =".$account);
What can make the variable $account perform as a column ? I don't get the problem here...
Thanks !
You need to put quotes around it.
mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username = '$account'");
You should also explore prepared SQL statements in PHP. They will save a lot of these formatting headaches.
I think this is a quoting issue. This:
"SELECT username FROM proot_accounts WHERE username = $account"
will get you this string:
SELECT username FROM proot_accounts WHERE username = proot
In this case MySQL is thinking proot is a column name, because proot is not in quotes at all.
This:
'SELECT username FROM proot_accounts WHERE username = "'.$account.'"'
will get you this string:
SELECT username FROM proot_accounts WHERE username = "proot"
In this case, MySQL may still think "proot" is a column name, depending on the SQL mode. Since you are still getting the same error when you use this code, it looks like your database is set to ANSI_QUOTES mode. In this mode, text inside quotation marks will be interpreted as an column identifier, not a literal value.
Using this:
"SELECT username FROM proot_accounts WHERE username = '$account'"
will get you this string:
SELECT username FROM proot_accounts WHERE username = 'proot'
Using ' instead of " should ensure that MySQL will treat proot like a literal value instead of a column identifier regardless of the SQL mode.
Related
I have a basic login code, where the user enters a username and a password, hits 'Submit', and then a mySQL query checks in the database if the username corresponds to the password.
Here is the query, with 'pseudo' as the username typed by the user and 'mot_de_passe' as the password typed in.
$reponse = $bdd->query('SELECT * FROM user_data WHERE username = '.$_POST['pseudo'].' AND password = '.$_POST['mot_de_passe'].' ');
Without the 'AND...' part, I can check if the username exists, but then when I add the 'AND...' part, the query doesn't work, and the 'AND' is not in the same color as 'SELECT * FROM'and 'WHERE'
I have tried dots, simple quotes, quotes, but nothing changes.
Thanks in advance.
You must use " or ' about string in SQL
$reponse = $bdd->query('SELECT * FROM user_data WHERE username = "'.$_POST['pseudo'].'" AND password = "'.$_POST['mot_de_passe'].'" ');
And your code can't prevent SQL INJECTION attack.
Please use prepared statement or bind param.
Use the below code and check weather it works or not.
$reponse = $bdd->query('SELECT * FROM user_data WHERE username = ' .
$_POST['pseudo'] . ' AND password = ' . $_POST['mot_de_passe'] );
also check your password type stored in your database and try to match that
$reponse = $bdd->query('SELECT * FROM user_data WHERE password = ' .
$_POST['mot_de_passe'] );
if working then check your database keys and match your password spelling and things like that..
I have sql query
$query = "select * from users where username = '".$username."' and password = '".$password."'";
How to use mysql bind_param in this query
Trying this link and don't know how to give two conditions in where.
http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/
On a recent project I am having issues when matching a password in the database.
The query is as follows:
mysql_query("SELECT * FROM user_accounts WHERE username = '$username' AND password = '$encryptedPass'")
This outputs
SELECT * FROM user_accounts WHERE username = 'T-McFarlane' AND password = 'äê1\Y¸c'
It can find me with just the user but with the password it cannot. I have echoed out both the database password and the encrypted password provides and they are exactly identical - this is what is in the database but it cannot find the matching row.
My question is that does this password contain any special characters or would there be any other reason that this is failing?
I have tried both utf8_swedish_ci and latin1_swedish_ci for my collation setting in the database.
You need to escape special characters in the string:
$username = mysql_real_escape_string($username);
$encryptedPass = mysql_real_escape_string($encryptedPass);
mysql_query("SELECT * FROM user_accounts WHERE username = '$username' AND password = '$encryptedPass'")
However, it would be even better to switch to PDO or mysqli, and use parametrized queries.
Is there something wrong with the syntax on this MySQL query?
Thanks in advance,
John
$ttquery = sprintf("Update login SET ".$row['ttemail']." = '1' WHERE username = ".$row['username']."");
EDIT: Okay, per Pekka's request, I echoed out the actual query value, and that gave me some ideas. Now I'm using this:
$ttquery = "Update login SET ttemail = 1 WHERE username = ".$row['username']."";
and I get this error: Unknown column 'admin' in 'where clause'. "admin" is the first username that meets the condition I want to run this query for... it's not the name of a field. Any ideas on why I'm getting the error?
EDIT: Here is the MySQL echoed MySQL query if that helps:
Update login SET ttemail = 1 WHERE username = admin
You probably need single quotes around username
$ttquery = "Update login SET ".$row['ttemail']." = '1' WHERE username = '".$row['username']."'";
If you're using sprintf, you would have:
$ttquery = sprintf("Update login SET %1$s = '1' WHERE username = '%2$s'", $row['ttemail'],$row['username']);
Update login SET ttemail = 1 WHERE username = admin
In SQL, strings are surrounded by single quotes and table/column names are unquoted. You need to fix your PHP code so you generate this:
Update login SET ttemail = 1 WHERE username = 'admin'
Try to make sure you understand basic SQL before banging your head against PHP ;-)
try this
$ttquery = sprintf("Update login SET ".$row['ttemail']." = '1' WHERE username = '" . $row['username'] ."'"
i.e., username='[your value]'
This should work:
$ttquery = "Update login SET ".$row['ttemail']." = '1' WHERE username = '".$row['username']."'";
man, be careful about sql injections.
Also, why call sprintf() if you dont actually use it?
Is there anyway I can see a query once it has been run and all variables have been instantiated?
e.g. I want to see the end result (String) of
$query = $this->db->query("SELECT email, password FROM users
WHERE email = '$email' AND password = 'PASSWORD($password)'");
I would like to see the query string after PASSWORD($password) has been done.
The query string doesn't change inside MySql, but you can do something like this to see what the password will look like:
$query = $this->db->query("SELECT PASSWORD('".mysql_real_escape_string($password)."')");
You can store the string as a variable before hand.
eg)
$query = "SELECT email, password FROM users
WHERE email = '$email' AND password = 'PASSWORD($password)'";
and then output the query with var_dump($query).
$this->db->query($query);
It is better practice though to use prepared statements and feed in escaped variables.
I needed to change
'PASSWORD($password)'
to:
PASSWORD('$password')
This fixed my issue.