0

So usually I know how to fix syntax errors. This one got me stumped. I submitted my code and this came up...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near """"""" at line 1

The reason this stumped me is because if you see here...

<?php
session_start();
$message="";
if(count($_POST)>0) {
$conn = mysql_connect(""");
mysql_select_db(""""",$conn);
$result = mysql_query("SELECT * FROM users WHERE 'userName='" . $_POST["userName"] . "' and password = '". $_POST["""""]."'");
if($result === FALSE) {
    die(mysql_error());
    }

$row  = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[user_name];
} else {
$message = "Invalid Username or Password!";
}
}
if(isset($_SESSION["user_id"])) {
header("Location:user_dashboard.php");
}
?>

My syntax error is on line one, yet line one is nothing but <?php and I don't think that is a syntax error... I know it must be somewhere else in the code, but saying on line one is really throwing me off.

Can someone help me find the syntax error please?

Note: When you check my code """"" = private information, and is not necessary information. Also Note: when I tried to remove the ' symbol it then said

Unknown column 'password' in 'where clause'

gen_Eric
  • And you really would want to sanitize this input... – Moe Tsao Jan 07 '14 at 17:58
  • 1
    Review [When to use single quotes, double quotes, backticks](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) - your quoting of the column `userName` is incorrect. – Michael Berkowski Jan 07 '14 at 17:58
  • 1
    See [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) The `mysql_*()` API is deprecated and will eventually be removed from PHP. New code should be written with PDO or MySQLi, using prepared statements/parameterized queries in place of concatenated, escaped variables. – Michael Berkowski Jan 07 '14 at 17:59
  • 2
    `WHERE 'userName=` is incorrect; it should be `WHERE userName=` – Abhik Chakraborty Jan 07 '14 at 17:59
  • 'userName=' should be 'userName'= – Kostis Jan 07 '14 at 18:01
  • At a _minimum_ with this code prior to refactoring it to use prepared statements under a new API, you _must_ use `mysql_real_escape_string()` on each of those `$_POST` inputs passed to the query. – Michael Berkowski Jan 07 '14 at 18:01
  • If you get an `unknown column password` error after fixing the other quoting problem, you don't have a password column in that table. Verify your table structure. – Michael Berkowski Jan 07 '14 at 18:08
  • Fixed it... Silly mistake, my variable is `pass` not `password`, and then removing the `'` afterwards made it work. –  Jan 07 '14 at 18:10
  • 2
    This is a perfect example of how not to do user authentication. [SQL injection vulnerability](http://bobby-tables.com/)? **Check**. Reckless use of plain-text passwords? **Check**. Using the antiquated `mysql_query` interface? **Check**. Is this a legacy app? I'd highly recommend **deleting this and starting over properly** before this blows up in the worst possible way. Code this bad could destroy someone's business or career. Please, read a [guide on how to avoid problems like this](http://phptherightway.com/) before you get into even more serious trouble. – tadman Jan 07 '14 at 19:22

3 Answers

1

Line one refers to the first line of the SQL statement. In your case it refers to this code:

$result = mysql_query("SELECT * FROM users ".
    "WHERE 'userName='" . $_POST["userName"] . "' ".
    "and password = '". $_POST["""""]."'");

I believe the error is caused because of the ' before userName. Just take that away and try again.

A.L
karstenols
1

Try this

$result = mysql_query("SELECT * FROM users ". "WHERE 'userName='" . $_POST["userName"] . "' ". "and password = '". $_POST["""""]."'");

nathanleachman
0

Try this. You have added a ' near the userName column:

 $result = mysql_query("SELECT * FROM users WHERE userName='" . $_POST["userName"] . "' and password = '". $_POST["password"]."'");
                                       ...........^
Krish R
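
The comments' advice (prepared statements through PDO instead of `mysql_*()`, and no plain-text passwords), shown as an added example that is not part of the original thread or any poster's code. The `pass_hash` column, the `demo_db()` and `login()` helpers, the in-memory SQLite stand-in for the MySQL connection and the sample account are all assumptions made so the script runs on its own.

```php
<?php
// Added example, not the asker's code. `pass_hash`, demo_db() and login()
// are hypothetical names; `users`, `userName` and `user_id` come from the page.
declare(strict_types=1);

// Stand-in database so the example runs offline. For MySQL the DSN would be
// 'mysql:host=...;dbname=...;charset=utf8mb4' plus real credentials.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
                                    userName TEXT UNIQUE, pass_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (userName, pass_hash) VALUES (?, ?)');
    // Constructed sample account; only the hash is stored, never the password.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user's id on success, null on any failure.
function login(PDO $pdo, string $userName, string $password): ?int {
    // The placeholder keeps the input out of the SQL text, so a quote in the
    // username can neither break the syntax nor change the query.
    $stmt = $pdo->prepare('SELECT user_id, pass_hash FROM users WHERE userName = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is checked in PHP against the stored hash, not in SQL.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['user_id'];
}

$pdo = demo_db();
$attempts = [                      // constructed inputs
    ['alice', 'correct horse'],    // valid credentials
    ['alice', 'wrong'],            // wrong password
    ["O'Brien", 'x'],              // a quote that would break the concatenated query
    ["alice' -- ", 'x'],           // SQL-shaped input, treated as plain data here
];
foreach ($attempts as [$u, $p]) {
    $id = login($pdo, $u, $p);
    printf("%-12s => %s\n", $u, $id === null ? 'rejected' : "user_id $id");
}
```

In the login page itself, a non-null result would be followed by `session_regenerate_id(true)`, setting `$_SESSION["user_id"]`, the `header("Location: ...")` redirect and an `exit`.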