-1

I'm passing a variable to a mysql query, $name is a variable that is getting a decrypted string. It is later passed to the SEARCH query. $name has a name in it (which i have seen via an echo).

The SEARCH query just wont take this variable. If i quote the string that is present in the SQL table, i do get an output (count as 1). I cant see where the problem is, because the same code is working in another file (its taking a variable in its query from an HTML entry though), and its embarrassing!

    $decrypted_text1 = mcrypt_ecb(MCRYPT_DES, $key_value, $encrypted_text1, MCRYPT_DECRYPT);
    $name = $decrypted_text1; 

    $username = "root";
    $password = "speaker1";
    $hostname = "localhost";

    $dbhandle = mysql_connect($hostname, $username, $password) or die("Could not connect to database");
    $selected = mysql_selectdb("login", $dbhandle);

    $query = "SELECT * FROM users WHERE Username='$name' ";

    $result = mysql_query($query, $dbhandle) or die(mysql_error());
    $count5 = mysql_num_rows($result);
mas
  • 345
  • 5
  • 18
  • it gave: string 'SELECT * FROM users WHERE Username='masab���' ' (length=46) 'masab' is what it should be compared with – mas Feb 18 '14 at 03:30
  • try with `mysql_real_escape_string()`, because your $name might have contain some special characters that breaks your query. – jogesh_pi Feb 18 '14 at 03:30
  • @user3321588: so? I don't see how your comment correlates with "The SEARCH query just wont take this variable" – zerkms Feb 18 '14 at 03:31
  • $name = mysql_real_escape_string($name); didnt work either. It gives masab\0\0\0 from echo($name). Also, $count5 didnt increment either. – mas Feb 18 '14 at 03:38
  • [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) – Phil Feb 18 '14 at 03:43
  • "wont take this variable" **HOW**? You get a query syntax error? No results? No results means you're not decoding your text properly, it wasn't stored in the DB properly to begin with, or it's being detected as "foreign" text and going through automatic character-set conversion going into or coming back out of the db. Raw binary "garbage" should be stored in `blob`-type fields, not text or varchar. – Marc B Feb 18 '14 at 03:54
  • it isnt giving a result, $name passes 3 extra characters to the query, whereas it should only be given the string only mysql_real_escape_string() doesnt remove those characters either – mas Feb 18 '14 at 03:57
  • 'masab' is stored within the database (which i see when i dump the entries). i'm guessing the function mcrypt_ecb() padded $name with 3 extra characters, which i need to remove somehow – mas Feb 18 '14 at 04:03
  • Ok, so i solved my own problem..... mysql_real_escape_string() was converting special characters to '/0's, that mysql_query(), was taking, but was resulting in improper comparisons with the DB. trim() was used to remove all special characters, so the resulting string was the required one , and the one present in the DB. – mas Feb 18 '14 at 04:14
  • 1
    you shouldn't be using mysql_query because it will be obsolete in the next update of php: http://ca1.php.net/manual/en/function.mysql-query.php Suggest moving to PDO or mysqli – wribit Feb 18 '14 at 04:27
  • yeah, you are right, i just started PHP/SQL, and i guess the tutorials i viewed were related to the deprecated versions. – mas Feb 18 '14 at 06:22

1 Answers1

-3

Delete the quotation marks around the variable
it should look like this:

$query = "SELECT * FROM users WHERE Username=$name ";
SMR
  • 6,628
  • 2
  • 35
  • 56
user3321651
  • 1
  • it gives: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\0\0\0' at line 1 – mas Feb 18 '14 at 03:40
  • it gives 'masab\0\0\0', when it should be 'masab' – mas Feb 18 '14 at 03:41
  • Does that line of mySql work in phpMyAdmin when a value is substituted in for $name? – user3321651 Feb 18 '14 at 03:44
  • This is all kinds of wrong. All SQL string literals need to be quoted – Phil Feb 18 '14 at 03:45
  • Sorry if I am wrong, I had a similar error when quoting php variables in mysql queries. Sorry to cause any trouble. – user3321651 Feb 18 '14 at 03:49