Well, on my user profile page I'm trying to get the user record from the DB with the following MySQL query, but it's not working:

MySQL query (not working):

$sql =  mysql_query("select fname, email, find from users where email = '$username'");

but this one works fine:

MySQL query (working):

$sql =  mysql_query("select fname, email, find from users where email = '%$username%'");

Why?

OK, if you say % is fine, then I have another problem: I have to update the user profile page, so I'm using the following MySQL query:

UPDATE users SET fname = '$uname', find = '$find' WHERE email LIKE '%$username%'

BUT after running this query it updates all the rows in the table.

What should I do now? What is the correct mysql_query?

Alex
  • You are vulnerable to SQL injection. Don't use mysql_* functions. Use PDO or mysqli_*. Also never trust user input. Check what is in `$username`. – 웃웃웃웃웃 Dec 20 '13 at 08:27
  • What is the value of `$username`, and what is in the actual table? – Barmar Dec 20 '13 at 08:28
  • @웃웃웃웃웃 It's an email address. – Alex Dec 20 '13 at 08:29
  • @Barmar The value of $username is an email address and the actual table name is "users" – Alex Dec 20 '13 at 08:30
  • Check whether any space is coming in with that variable. Use `trim()` or other functions as needed – 웃웃웃웃웃 Dec 20 '13 at 08:30
  • @Alex Of course it's an email address, I'm not stupid. But obviously it's not the same email address as in the database. What is the actual value of it? – Barmar Dec 20 '13 at 08:31
  • The reason LIKE works and = does not is that $username does not match any email in your users table exactly; an email in there merely contains $username. – Gavin Dec 20 '13 at 08:34
  • I didn't ask what the name of the table is, I asked what is _in_ the table? What email is being returned when you get the successful query with `LIKE`? – Barmar Dec 20 '13 at 08:34
  • Run the query in phpMyAdmin using `=` and if it works then you know it's a problem with `$username` – rybo111 Dec 20 '13 at 08:39
  • @Alex Imagine if I post this: `uname=foo&find=bar&username=' OR 1 = 1--`. Suddenly all your users have their first name set to `foo`. – h2ooooooo Dec 20 '13 at 11:15

2 Answers


Change from:

$sql =  mysql_query("select fname, email, find from users where email = '$username'");

to

$sql =  mysql_query("select fname, email, find from users where email = ".$username);
Kizito Ikapel
  • You'll need quotes around the `$username`, not taking into account the huge sql injection problems you should be avoiding (and could be by using parameterised queries: http://stackoverflow.com/questions/1299182/prepared-parameterized-query-with-pdo) – msturdy Dec 20 '13 at 11:13

This is also valid SQL, but only for when we fetch the data:

$sql =  mysql_query("select fname, email, find from users where email = '%$username%'");

LIKE (% %): if $username = 'manish' and you search with email LIKE '%$username%', then it will return all rows where the email contains the string "manish",

such as:

manish@yahoo.com, manishpatel@yahoo.com, yahoo@manish.com

But when you update data with that condition it is sensitive, so use SQL like this (the right SQL for when we update the data):

 UPDATE users SET fname = '$uname', find = '$find' WHERE email = '".$username."'
Manish Patel
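What the comments warn about and the `=` versus `LIKE` point in the answer above, as an added example that is not from the question or either answer: the posted UPDATE built by string splicing beside the same statement as a PDO prepared statement, plus a count of the rows each WHERE condition would hit. It runs against an in-memory SQLite table (a constructed stand-in for the MySQL `users` table) so it needs no server; with a `mysql:` DSN the PDO calls are the same.

```php
<?php
// Added example, not from the question or answers. PDO over in-memory SQLite
// (constructed stand-in for the MySQL "users" table) so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (fname TEXT, email TEXT, find TEXT)");
$db->exec("INSERT INTO users VALUES ('Manish', 'manish@yahoo.com', 'x'),
                                    ('Alex',   'alex@example.com', 'y'),
                                    ('Pat',    'manishpatel@yahoo.com', 'z')");

// The UPDATE as posted: $username is spliced into the SQL text, so whatever the
// user typed becomes part of the statement.
function updateSpliced(PDO $db, string $uname, string $find, string $username): int {
    $sql = "UPDATE users SET fname = '$uname', find = '$find' WHERE email = '$username'";
    return $db->exec($sql);                 // number of rows changed
}

// Same UPDATE with bound parameters: the values travel as data, never as SQL,
// so quotes and comment markers in $username cannot alter the statement.
function updateBound(PDO $db, string $uname, string $find, string $username): int {
    $stmt = $db->prepare("UPDATE users SET fname = ?, find = ? WHERE email = ?");
    $stmt->execute([$uname, $find, $username]);
    return $stmt->rowCount();
}

// Rows a given WHERE condition would touch. Shows why LIKE '%...%' is the wrong
// condition for an UPDATE: an empty $username turns it into LIKE '%%', every row.
function countMatching(PDO $db, string $username, bool $useLike): int {
    $stmt = $useLike
        ? $db->prepare("SELECT COUNT(*) FROM users WHERE email LIKE ?")
        : $db->prepare("SELECT COUNT(*) FROM users WHERE email = ?");
    $stmt->execute([$useLike ? "%$username%" : $username]);
    return (int) $stmt->fetchColumn();
}

// Ordinary input: both forms change exactly the one matching row.
echo "spliced, normal input: ", updateSpliced($db, 'foo', 'bar', 'alex@example.com'), " row(s)\n";
echo "bound, normal input:   ", updateBound($db, 'foo', 'bar', 'alex@example.com'), " row(s)\n";

// The value from the comments. Spliced, the WHERE clause reads
//   email = '' OR 1 = 1--'   and the trailing quote is commented out, so every row matches.
$payload = "' OR 1 = 1--";
echo "spliced, payload:      ", updateSpliced($db, 'foo', 'bar', $payload), " row(s)\n";
// Bound, the same value is compared as a literal string and matches no email.
echo "bound, payload:        ", updateBound($db, 'foo', 'bar', $payload), " row(s)\n";

// LIKE '%manish%' matches every address containing "manish"; '=' matches one address;
// an empty username with LIKE matches the whole table, which is what an UPDATE would hit.
echo "LIKE manish:           ", countMatching($db, 'manish', true), "\n";
echo "= manish@yahoo.com:    ", countMatching($db, 'manish@yahoo.com', false), "\n";
echo "LIKE empty string:     ", countMatching($db, '', true), "\n";
```

The `rowCount()` of the bound UPDATE is the only thing that should ever change the number of rows touched; if it comes back higher than expected for a profile update, the WHERE condition is too loose, not the driver.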