I am having difficulty using column names and $_POST with mysql_query, as I am not very good at using quotes in PHP. Can someone please help me to rewrite the following script? I would appreciate it if I could have some tips on using variables, columns and $_POST with mysql_query.

Here, "slt", which is used within encrypt, is also a column name from the same table.

 $result=mysql_query("SELECT * FROM root_user 
     WHERE root_name='".$_POST['userName']."' 
     AND ps_code =  '".crypt($_POST['password'],slt)."'") 
     or die("database ERROR : ".mysql_error());
  • You shouldn't use POST variables directly in your SQL queries. You need to look into escaping, or prepared queries, using mysqli or PDO. See: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Phil Cross Apr 05 '14 at 16:53
  • Your query seems good to me (in syntax terms). However, without filtering userName you can get your select damaged easily. – sunshinejr Apr 05 '14 at 17:04
  • You haven't explained what you're trying to accomplish, and in which way it's not working -- what results are you getting, and how do they differ from the expected results? Include any error messages you get (copy them, don't describe them). Please read this [advice on how to ask good questions](http://stackoverflow.com/help/how-to-ask). Be sure to follow the link at the bottom to Jon Skeet's blog post [Writing the perfect question](http://msmvps.com/blogs/jon_skeet/archive/2010/08/29/writing-the-perfect-question.aspx). Pay special attention to the "Golden Rule". – Adi Inbar Apr 05 '14 at 17:15
  • Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). Also, `mysql_query` should not be used in new applications. It's a deprecated interface that's being removed from future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) will help you avoid making mistakes like this. – tadman Apr 05 '14 at 17:23
  • Thanks everyone, I will check the blogs/websites that you. Even then if I am not able to resolve, I will send you the details. – user3501628 Apr 05 '14 at 19:06
  • To appreciate how PHP parses variable names within quoted strings, I suggest a read of the manual, which will explain it completely. It is confusing to most of us the first few times we meet it. **[Variable parsing](http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing)** – Ryan Vincent Apr 05 '14 at 21:11
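The following is an added example, not code from the question or from any of the commenters. It shows the lookup the question is trying to do, rewritten with PDO prepared statements as the comments recommend, so that the `$_POST` values are bound as parameters instead of being spliced into the SQL text. Two points it makes concrete: the string quoting in the original (`"...'".$_POST['userName']."'..."`) is valid PHP, but the bare word `slt` inside `crypt()` is not a reference to the table column; PHP treats an unquoted bare word as an undefined constant, so the hash was being computed with the literal salt `"slt"`. A database column cannot be used inside a PHP function call until the row has been fetched, so the salt has to be read first and the password verified in PHP. The DSN, credentials and database name are placeholders; the table and column names (`root_user`, `root_name`, `ps_code`, `slt`) are taken from the question.

```php
<?php
// Added example, not the question's own code: the same login lookup with PDO.
// Assumptions: placeholder DSN/credentials below; table root_user with columns
// root_name, ps_code (crypt() output) and slt (the salt), as in the question.

function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
        'EXAMPLE_USER',                                            // placeholder user
        'EXAMPLE_PASSWORD',                                        // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]
    );
}

/**
 * Fetch the user's row by name with a bound parameter, then verify the
 * password in PHP using the salt stored in the slt column.
 * Returns the row on success, or null for an unknown user or wrong password.
 */
function authenticate(PDO $pdo, string $userName, string $password): ?array
{
    // No quoting needed: :name is a placeholder, the value never enters the SQL text.
    $stmt = $pdo->prepare(
        'SELECT root_name, ps_code, slt FROM root_user WHERE root_name = :name'
    );
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return null; // unknown user
    }

    // Recompute the hash with the salt from the row and compare in constant time.
    $candidate = crypt($password, $row['slt']);
    if (!hash_equals($row['ps_code'], $candidate)) {
        return null; // wrong password
    }
    return $row;
}

// Usage: only run when a login form has been submitted.
if (isset($_POST['userName'], $_POST['password'])) {
    $pdo  = connectDb();
    $user = authenticate($pdo, (string) $_POST['userName'], (string) $_POST['password']);
    if ($user === null) {
        echo 'Login failed';
    } else {
        echo 'Welcome, ' . htmlspecialchars($user['root_name'], ENT_QUOTES, 'UTF-8');
    }
}
```

On the quoting question itself: with a prepared statement there is nothing to quote, because the parameter value is sent separately from the query. If a value must be built into a string for some other reason, `"WHERE root_name = '{$userName}'"` and `"WHERE root_name = '" . $userName . "'"` produce the same text; the curly-brace form is easier to read when array elements such as `$_POST['userName']` are involved. Neither form makes the value safe for SQL, which is why the comments above point at escaping or prepared queries rather than at a different way of writing the quotes.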

0 Answers