I have the following code. I would like username to take the value of the getUserName function however I am fighting with syntax. Can anybody tell me what should be the correct one?
$query = "SELECT user FROM users_entity WHERE username = getUserName()";
You can use concatenation with the period:
$query = "SELECT user FROM users_entity WHERE username = '".mysql_real_escape_string(getUserName())."'";
Make sure to escape your data!
You can't embed the result of a function directly into a string. However you can store the contents of a variable:
$username = mysql_real_escape_string(getUserName());
$query = "SELECT user FROM users_entity WHERE username = '$username'";
Or, you could concatenate your string like this:
$query = 'SELECT user FROM users_entity WHERE username = \'' . mysql_real_escape_string(getUserName()) . '\'';
You cannot interpolate (internally string-replace) PHP function names into strings.
You probably want something more like this:
$query = sprintf("SELECT user FROM users_entity WHERE username = '%s'",
    mysql_real_escape_string(getUserName())
);
$query = "SELECT user FROM users_entity WHERE username = '".getUserName()."'";
Related
When I tried to use md5 hashed values inside $this->db->escape() I got the error below when I tried to fetch the count of results:
"Call to a member function num_rows() on bool"
My code:
$hashedUniqueId= md5($uniqueId);
$query = "select * from my_table where uId_hash= '".$this->db->escape($hashedUniqueId)."' AND password= '".$this->db->escape($password)."' ";
$result = $this->db->query($query);
print_r($result->num_rows());
You are double escaping, as I see it. Remove the single quotes around $this->db->escape().
$query = "select * from my_table where uId_hash= ".$this->db->escape($hashedUniqueId)." AND password= ".$this->db->escape($password);
Or the better way is to pass the variables to $this->db->query($query, ...);
This way CodeIgniter will escape them for you.
$hashedUniqueId= md5( $uniqueId );
$query = "select * from my_table where uId_hash= ? AND password= ?";
$result = $this->db->query( $query, array( $hashedUniqueId, $password ) );
print_r($result->num_rows());
So I have a database table with some user information, like ID, username, etc., and I have been trying to turn a value, for example Bob's ID, into a variable $id from the table. This is what I have right now:
$db = mysqli_connect(THIS WORKS FINE AND CONTAINS SECRET INFO :));
$sql = "SELECT ID FROM users WHERE username='$prompt'";
$result = mysqli_query($db, $sql);
and I need to turn it into a variable, because I am combining everything into a sentence, so it could be "$username has the id of $id". Thanks
Try like this. Use sprintf(). The sprintf() function writes a formatted string to a variable.
$db = mysqli_connect(THIS WORKS FINE AND CONTAINS SECRET INFO :));
$sql = "SELECT ID,username FROM users WHERE username='$prompt'";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$sentence = sprintf("%s has the id of %u.",$row['username'],$row['ID']);
echo $sentence;
For more see sprintf
As I am a beginner, I am facing a syntax error in this query.
$SQL = "SELECT * FROM registration WHERE email = ".$email." AND password = ".$password."";
You have a syntax error in the query. Try to change it to
$SQL = "SELECT * FROM registration WHERE email='".$email."' AND password='".$password."'";
Put single quotes around the value field like this:
$SQL = "SELECT * FROM registration
WHERE email = '".$email."' AND password ='".$password."'";
You should put a single quote before and after the variable.
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";
Please try this one; you should use single quotes.
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";
$SQL = "SELECT * FROM registration WHERE email='$email' AND password='$password'";
Try this.
You are passing a string, and strings should be wrapped in single quotes. Try this:
$SQL = "SELECT * FROM registration WHERE email = '".$email."' AND password = '".$password."'";
I have a query on my page that uses a GET variable to pull data from my table...
If I echo my GET var the data is there, so I'm doing something wrong with my query. Instead of "or die", can I show an error in the browser?
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!');
$sql = "SELECT * FROM persons WHERE id = $userID";
You must use double quotes to use variables inside the query string.
You can also do this:
$sql = "SELECT * FROM persons WHERE id = ".$userID;
What you should do is this (to protect yourself from sql injection):
$stmt = $conn->prepare("SELECT * FROM persons WHERE id = ?");
$stmt->bind_param('i', $userID); // bound as an integer, never spliced into the SQL text
$stmt->execute();
You can always debug using this at the top of your php page:
ini_set('display_errors',1);
error_reporting(E_ALL);
Have you tried $q = $conn->query($sql) or die($conn->error); ?
Yes you can, but you should only do it for debugging. Crackers can gain a lot of insight by purposefully feeding bad input and reading the error.
I'm assuming you're using MySQLi; the property is $conn->error. So your line would be:
$q = $conn->query($sql) or die($conn->error);
Also, what you're doing wrong is you're using single quotes to define $sql. You need to use double quotes to write $userID into the string. So what you want is:
$sql = "SELECT * FROM persons WHERE id = $userID";
or
$sql = 'SELECT * FROM persons WHERE id = ' . $userID;
You need to use double quotes to evaluate variables within the string. That is,
$sql = 'SELECT * FROM persons WHERE id = $userID';
should be
$sql = "SELECT * FROM persons WHERE id = $userID";
Rather than removing the die you should make sure the query is always valid. In other words: validate the userID parameter. $_GET can contain anything the user wants to provide - it could be an array, it could be a string, it could be a string with a malicious payload that can drop your tables. So check it is an integer. If not, return a relevant message to the user.
Not a php expert but you might try:
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = "SELECT * FROM persons WHERE id = $userID"; // double quotes so $userID is interpolated
$q = $conn->query($sql) or die('failed! ' . $conn->error); // MySQLi error, not the mysql_* one
The error should append to the end of your die message.
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING is the message. It came up from this line of code:
$query = ("SELECT *
FROM users
WHERE user_name = $_POST['user_name']
& password = $_POST['password']
& user_type = $_POST['user_type']");
Does anyone out there know the meaning of all this? If so, does anyone know how to deal with this?
Use:
$query = sprintf("SELECT u.*
FROM USERS u
WHERE u.user_name = '%s'
AND u.password = '%s'
AND u.user_type = '%s' ",
mysql_real_escape_string($_POST['user_name']),
mysql_real_escape_string($_POST['password']),
mysql_real_escape_string($_POST['user_type']) );
$result = mysql_query($query);
Reference
sprintf
You can't interpolate a $_POST like that. You need to wrap them with braces ({ and }). You also don't need to quote the key names when already in a string like that.
You should also quote those values, and swap & with AND.
You also need a ; at the end.
You also don't need to wrap it in parenthesis.
$query = "SELECT *
FROM users
WHERE user_name = '{$_POST['user_name']}'
AND password = '{$_POST['password']}'
AND user_type = '{$_POST['user_type']}'";
But...
...don't interpolate user input directly like that. Use an escaping mechanism.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$query = "SELECT *
FROM users
WHERE user_name = '$username'
AND password = '$password'
AND user_type = '$user_type'";
I would recommend using PDO and binding parameters instead of building the SQL yourself.
Also, it would appear your user-inputted passwords are being compared directly in the database. Use some form of one-way message digest, such as bcrypt.
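The pattern the questions on this page keep running into, beside the prepared-statement and hashed-password approach this answer recommends, as an added example (not code from any post above). Table and column names, and the in-memory SQLite database used for the demo, are assumptions for illustration.

```php
<?php
// Added example, not code from any post above: the interpolated pattern the
// questions use, beside a PDO version with bound parameters, an integer check
// for the GET id, and password_verify() instead of comparing passwords in SQL.
// Table and column names are assumed for illustration.
// Vulnerable: the value is spliced into the SQL text, so a quote in it changes
// the statement itself (here it raises a syntax error; crafted input can do worse).
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, user_name FROM users WHERE user_name = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: SQL text is fixed; the value travels separately as a parameter.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, user_name FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: fetch only the stored hash, verify in PHP; the plaintext never enters SQL.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// A GET parameter used as a numeric id must be validated as an integer first.
function personIdFromGet(array $get): ?int
{
    $id = filter_var($get['userID'] ?? '', FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Constructed demo against an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (user_name, password_hash) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(findUserSafe($db, "o'brien"));              // the quoted name is found intact
var_dump(checkLogin($db, "o'brien", 'correct horse')); // hash verified in PHP, not in SQL
var_dump(personIdFromGet(['userID' => '12abc']));      // rejected: not an integer
try { findUserVulnerable($db, "o'brien"); } catch (PDOException $e) { echo "broken SQL: {$e->getMessage()}\n"; }
```

The same parameter-binding idea is what the CodeIgniter answer above does with ? placeholders and an array passed to $this->db->query().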
For interpolation of one-dimensional array values into strings, use this syntax:
"foo = $_POST[bar]"
Notice no quotes.
For interpolating nested arrays or generally using the normal syntax, use braces:
"foo = {$_POST['bar']}"
In no case, though, do any of this with SQL queries; you need to escape values before plugging them into queries. So, do this:
$query = sprintf('SELECT foo FROM bar WHERE baz = "%s"',
mysql_real_escape_string($_POST['baz']));
Make sure to account for SQL injection.
Try:
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
$query = "SELECT * FROM users WHERE user_name='$username' AND password='$password' AND
user_type='$type'";
$result = mysql_query($query);
I'd also suggest reading the manual a bit: http://us.php.net/manual/de/language.types.string.php#language.types.string.parsing. That link will explain to you how PHP parses variables in strings.
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
mysql_query("SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_type='$type' LIMIT 1");