MYSQL error 1064 in select clause - php

As I am beginner so I am facing syntax error in this query.
$SQL = "SELECT * FROM registration WHERE email = ".$email." AND password = ".$password."";


You have syntax error with the query. Try to change it to
$SQL = "SELECT * FROM registration WHERE email='".$email."' AND password='".$password."'";


Put single quote to value field like this
$SQL = "SELECT * FROM registration
WHERE email = '".$email."' AND password ='".$password."'";


you should put single quote before and after the variable.
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";


Please try this one, you should use single quote.
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";


$SQL = "SELECT * FROM registration WHERE email='$email' AND password='$password'";
Try this..


You are passing a string and string should be wrapped in single quotes. Try this -
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";

Related

can i use md5 hashed values inside $this->db->escape() in codeigniter,

when i tried to use md5 hashed values inside $this->db->escape() i'm getting error like below when i tried to fetch count of results
"Call to a member function num_rows() on bool"
my code
$hashedUniqueId= md5($uniqueId);
$query = "select * from my_table where uId_hash= '".$this->db->escape($hashedUniqueId)."' AND password= '".$this->db->escape($password)."' ";
$result = $this->db->query($query);
print_r($result->num_rows());

You are making double escape as i see it. Remove the single quotes from $this->db->escape().
$query = "select * from my_table where uId_hash= ".$this->db->escape($hashedUniqueId)." AND password= ".$this->db->escape($password);
Or the better way is to set the variables in the $this->db->query($query);
This way codeigniter will escape it for you.
$hashedUniqueId= md5( $uniqueId );
$query = "select * from my_table where uId_hash= ? AND password= ?";
$result = $this->db->query( $query, array( $hashedUniqueId, $password ) );
print_r($result->num_rows());

Mysql Query not returning my results when adding variables into the query [duplicate]

This question already exists:
How to construct an SQL query correctly in a PHP script? [duplicate]
Closed 5 years ago.
If I run this with the query
"SELECT * FROM users";
It returns my result. But as soon as I run this
$username = $_POST['username'];
$password = $_POST['password'];
$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";
it doesn't.
If I run it in Mysql workbench without the variables it works. If I run echo the $_POST values they come through correctly.
I am stumped as to what I'm doing wrong PLEASE!! help me.
I also ran my code through https://phpcodechecker.com/ and it cant see any errors in my code.
This is the full function.
function login($username,$password){
global $db_conn;
$conn = new mysqli($db_conn['servername'], $db_conn['username'], $db_conn['password'], $db_conn['dbname']);
$username = $_POST['username'];
$password = $_POST['password'];
$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";
$login_result = $conn->query($login);
if ($login_result->num_rows > 0) {
$output = array();
while($row = $login_result->fetch_assoc()) {
$output[] = $row;
echo "".$row['name']."-".$row['password']."<br>";
}
} else {
echo "Invaild Login Details!"."<br>" ;
$conn->close();
return false;
}
}
Every time it says "Invalid Login Details!" But I know their is one result that gets returned.
What am I doing wrong?
Inserting variables into your SQL directly is a major source of SQL Injection Attacks. Use PDO for security.
https://www.php.net/manual/en/book.pdo.php#114974

change the query like this
$login = "SELECT * FROM users WHERE name= '$username' AND password= '$password'";
note: this method is prone to sql injection attacks. try prepared statements to avoid it

try with ''(single quote) for comparing name and password
"SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

$login = "SELECT * FROM users WHERE name = '{$username}' AND password =
'{$password}' ";

You can simply specify the variables no need to go for string append to construct query in php
Eg :
Query = "SELECT * FROM `users` where username = '$username' AND password = '$password' " ;

try following code
$login = "SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

Errors while submitting data to the server using form

I am trying to submit data through form and came across the below error:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given ..
Please find the code I have tried.
//connection end to my data server.
if(isset($_POST["submit"])) {
$user_name = $_POST['name'];
$user_email = $_POST['email'];
$user_skype = $_POST['skype'];
if($user_name==""){
echo "<script>alert('please enter your user name!')</script>";
exit();
}
if($user_email==""){
echo "<script>alert('please enter your email!')</script>";
exit();
}
if($user_skype==""){
echo "<script>alert('please enter your skype id.')</script>";
exit();
}
$check_email = "select * from binary where user_email = '$user_email' ";
$run = mysql_query($check_email);
if(mysql_num_rows($run)>0){
echo "<script>alert('Your email $user_email address already exist. please try another.')</script>";
exit();
}
$query= "insert into binary (user_name, user_email, user_skype) values('$user_name','$user_email','$user_skype')";
if(mysql_query($query)){
echo "<script>window.open('success.html','_self')</script>";
}
}
?>

binary is sql reserrve word
use backticks around it
$check_email = "select * from `binary` where user_email = '$user_email' ";
check this link for sql reserve word. http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
and learn mysqli_ function or P.D.O as mysql is deprcitaeted

Please update your query:
It should be
$check_email = "select * from `binary` where user_email = '".$user_email."' ";

it seems select query returns boolean false because
$check_email = "select * from binary where user_email = '$user_email' "
where user_email = '$user_email' can not parse value of '$user_email' because variable inside single quat does not parsed with their value
use:- where user_email = ".$user_email;
and everything should work

SELECT query trouble - user login system

I am just trying to write a simple script that verifies the username and password of a user that has attempted to login...and then starts a session. However, I am running into some trouble.
When I try to run the script below, SUCCESS does not print out. As if the username and password is incorrect, however, I know for a fact that the username and passwords entered are, in fact, correct.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM users WHERE username='.$username.' AND password='.$password.'");
while($row = mysql_fetch_array($result)){
echo 'SUCCESS';
}
When I try to run the script below however, success prints out twice (which is the number of sample users I have in my db so far), which is correct.
I am guess I have a problem with the AND mySQL query above, however, it seems correct to me... is there a problem with my first query above? if not, than what else might be the problem?
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result)){
echo 'SUCCESS';
}

You're parsing variables, not concatenating them, you don't need the ..
"SELECT * FROM users WHERE username='$username' AND password='$password'"

username is a protected keyword, try this:
$result = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'");

Ignoring the gaping SQL injection vulnerability, you're constructing your query string incorrectly:
$result = mysql_query("SELECT * FROM users WHERE username='.$username.' AND password='.$password.'");
^ ^
You're still in "string mode" where the indicated periods are (and for the password section too), so you're embedding literal periods into your query string, instead of doing string concatenation.
Remote the periods, and you'll be better off (but still vulnerable to sql injection):
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

Try this instead:
$result = mysql_query("SELECT * FROM users WHERE username=\"$username\" AND password=\"$password\"");
Obviously, this isn't a great way of inserting data. You should look at mysqli to insert data as a minimum.

try this line instead:
$result = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."' AND `password`='".$password."'");
Notice the extra "'s I've added in. before it was looking for '.$username.'

Php function within SQL statement syntax

I have the following code. I would like username to take the value of the getUserName function however I am fighting with syntax. Can anybody tell me what should be the correct one?
$query = "SELECT user FROM users_entity WHERE username = getUserName()";

You can use concatenation with the period:
$query = "SELECT user FROM users_entity WHERE username = '".mysql_real_escape_string(getUserName())."'";
Make sure to escape your data!

You can't embed the result of a function directly into a string. However you can store the contents of a variable:
$username = mysql_real_escape_string(getUserName());
$query = "SELECT user FROM users_entity WHERE username = '$username'";
Or, you could concatenate your string like this:
$query = 'SELECT user FROM users_entity WHERE username = \'' . mysql_real_escape_string(getUserName()) . '\'';

You cannot interpolate (internally string-replace) PHP function names into strings.
You probably want something more like this:
$query = sprintf("SELECT user FROM users_entity WHERE username = '%s'"
mysql_real_escape_string(getUserName())
);

$query = "SELECT user FROM users_entity WHERE username = '".getUserName()."'";

Categories