0

I want to select the user from my database using email or username, my code is:

$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."'') AND `Password`='".$Password."'";

My Code Worked

Code:

$sql = "SELECT * FROM users WHERE (Email = '$User' or Username ='$User') AND Password='$Password'";
user3133148
  • 215
  • 3
  • 10
  • 3
    Why isn't it working? What is your test data? Is it letting someone in who it shouldn't, or not letting anyone in? – andrewsi Dec 24 '13 at 18:05
  • 4
    Why, in 2013 (nearly 2014) aren't you using prepared statements? – Mark Baker Dec 24 '13 at 18:05
  • Building SQL queries by sticking strings together is very dangerous. Use prepared statements instead! Also, variable names in PHP are traditionally spelled with lowercase initial letters. – ChrisGPT was on strike Dec 24 '13 at 18:06
  • When I added correct email it worked but when I type correct username it is not working. – user3133148 Dec 24 '13 at 18:06
  • 4
    Since the entire statement is wrapped in double quotes, you can simplify it: $sql = "SELECT * FROM `users` WHERE (`Email`='$User' OR `Username`='$User'') AND `Password`='$Password.'";. Now I can see an extra ' just before the ). – Phil Perry Dec 24 '13 at 18:07
  • `='".$User."'') AND` looks like you've added too many `'`s... – Joachim Isaksson Dec 24 '13 at 18:10
  • @PhilPerry I have removed it but still not working – user3133148 Dec 24 '13 at 18:13
  • @user3133148 - can you echo out the query you're creating, and run it in the database directly? Assuming that you're running in `mysql_query`, is there anything in `mysql_error`? – andrewsi Dec 24 '13 at 18:18
  • Yeah, it just stopped working Monday. No one knows why. – Strawberry Dec 24 '13 at 18:20
  • The comment software ate the backticks as setting off code segments. I didn't intend for them to be removed. However, you did have `$User'')` instead of `$User')`. Did you fix that? What does the query have now? Are you getting any MySQL errors? Is $User defined (have a value)? And of course, your field names (Email, etc.) exactly match how the table is defined (same capitalization, etc.)? – Phil Perry Dec 24 '13 at 18:41
  • "it just stopped working"... any changes to _your_ code that you know of? Any evidence of a hack of your site? Did your host upgrade PHP and/or MySQL versions? – Phil Perry Dec 24 '13 at 18:43
  • 2
    Please redo your code to avoid [Sql Injection](http://www.securiteam.com/securityreviews/5DP0N1P76E.html) – McAden Dec 24 '13 at 18:43
  • A very good point @McAden `+1` – Funk Forty Niner Dec 24 '13 at 18:48

2 Answers2

3

Note: I would have posted this in a comment (believe me), because the comment box doesn't show backticks properly (I know there's a trick to it, but I don't know it, yet.)

Use this:

$sql = "SELECT * FROM `users` 
WHERE (`Email`='".$User."' OR `Username`='".$User."') 
AND `Password`='".$Password."'";

You had one too many quotes in '".$User."'' 

$sql = "SELECT * FROM `users` 
WHERE (`Email`='".$User."' OR `Username`='".$User."'') 
                                                ----^
AND `Password`='".$Password."'";
  • And do consider reading this article on how to prevent injection.

Footnote: And if by the slightest chance that you would be using the now-deprecated mysql_* functions, STOP and start using mysqli_* functions with prepared statements and/or PDO.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
0

Try this :

$sql = "SELECT * FROM `users` WHERE (`Email`='".$User."' OR `Username`='".$User."') AND `Password`='".$Password."'";

There was an extra quote after $user variable.

S.L. Barth is on codidact.com
  • 8,198
  • 71
  • 51
  • 66
Neo
  • 1