
Please help, what's wrong with this code? (line 76 is the middle one)

require("dbConfig.php");
$sql = 'SELECT * FROM dbUsers WHERE username='$_SESSION["valid_user"]'';
$r = mysql_query($sql);
  • Why do you use the `mysql` extension? It's deprecated; you should use `mysqli` or `PDO` instead! Also, consider storing the user id instead of the username in the session. – ThiefMaster Nov 13 '12 at 08:01

4 Answers


Please concatenate your string:

$sql = 'SELECT * FROM dbUsers WHERE username="'.mysql_real_escape_string($_SESSION["valid_user"]).'"';

Recommendations:

1. Learn how to prevent MySQL injection: Good Link

2. The mysql extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. More reading: PHP Manual

GBD
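The mysqli/PDO recommendation above, as an added example that is not part of any answer on this page: the same lookup written with a PDO prepared statement, so the session value is sent as a bound parameter instead of being spliced into the SQL text. The DSN, the credentials and the sample value `o'brien` are assumptions; `dbUsers` and `username` are taken from the question.

```php
<?php
// Added example, not code from any answer on this page.
// Assumes a local MySQL database "app" reachable with the credentials below.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN; charset set here, not per query
        'app_user',                                         // assumed credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepare, no client-side quoting
        ]
    );
}

/**
 * Looks up one user by name. The SQL text is fixed; $username is bound as a value,
 * so a name such as o'brien (or anything containing quotes) cannot alter the statement.
 * Returns the row as an associative array, or null when no such user exists.
 */
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM dbUsers WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same flow as the question: the name comes from the session, never from the URL or form.
session_start();
if (!isset($_SESSION['valid_user'])) {
    http_response_code(401);
    exit('not logged in');
}

$pdo  = connect();
$user = findUser($pdo, $_SESSION['valid_user']);

// Edge case the concatenated query from the question breaks on: an apostrophe in the name.
// With a bound parameter this is just a lookup for the literal string o'brien.
$withQuote = findUser($pdo, "o'brien");
```

Compare with `'... WHERE username="' . $value . '"'`: there the value becomes part of the SQL text, so any quote character inside it changes the statement; with a bound parameter the statement is parsed once and the value is only ever data.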

You missed the `.` in:

$sql = 'SELECT * FROM dbUsers WHERE username='$_SESSION["valid_user"]'';

should be:

$sql = "SELECT * FROM dbUsers WHERE username='".$_SESSION["valid_user"]."'";
ariefbayu

Try this:

$sql = 'SELECT * FROM dbUsers WHERE username='.$_SESSION["valid_user"];
ThiefMaster
Sentencio

TRY THIS (you'll prevent SQL injection if you sanitize user input):

<?php
require("dbConfig.php");
$sql = "SELECT * FROM dbUsers WHERE username='".filter_var(mysql_real_escape_string($_SESSION["valid_user"]),FILTER_SANITIZE_STRING)."'";
$r = mysql_query($sql);
?>

EDIT: Added mysql_real_escape_string() for escaping the input string; however, even this is not 100% effective against SQL injection, as discussed here.

Bud Damyanov
  • That's a **horrible suggestion**. You **MUST** use `mysql_real_escape_string()` to properly escape a string for using in a MySQL query. – ThiefMaster Nov 13 '12 at 08:20