-1

I am new to PHP and MySQL, and I am having a bit of bother with the SELECT query. I am having some issues with this PHP/SQL variable:

$dbPassword = mysql_query("SELECT UserData.Password FROM UserData WHERE UserData.EmailAddress = '.$loginEmail.'");

What would be the correct way to select a value from a row where the "EmailAddress" is the same as another value in an Apache MySQL server?

All help will be appreciated.

Ryan
  • 1,096
  • 2
  • 16
  • 31
  • 4
    You need to learn basic PHP string building: http://www.php.net/manual/en/language.operators.string.php your `.` concatenation operators are INSIDE the string, which means they're not operators, they're just `.` that become part of the string. – Marc B Jul 03 '14 at 19:18
  • Ah. Now, I did learn that. Thanks for the heads up! – Ryan Jul 03 '14 at 19:21
  • 2
    Also, read [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). – DCoder Jul 03 '14 at 19:21
  • Once you fix this small bug, please don't ignore the gaping wide SQL injection vulnerability. – spencer7593 Jul 03 '14 at 19:28
  • @spencer7593 - Would you mind telling me how I would prevent SQL injection vulnerability? I already have "mysql_real_escape_string" set up on all inputs, but I haven't went into much detail with other sources. – Ryan Jul 03 '14 at 19:30
  • @Ryan: See the example in the documentation:[http://www.php.net/manual/en/function.mysql-query.php](http://www.php.net/manual/en/function.mysql-query.php) and note the use of the **`mysql_real_escape_string`** function around the variables included in the SQL text. (With the mysqli and PDO extensions, you could make use of prepared statements with bind placeholders, to reduce SQL Injection vulnerabilities. But the (deprecated) mysql extension doesn't support prepared statements, so the **`mysql_real_escape_string`** function is the best option available. – spencer7593 Jul 03 '14 at 19:33

1 Answers1

1

Note that $dbPassword would be a resultset object, not a scalar.

You'd need to "fetch" rows from the resulset.

An example is provided in the documentation http://www.php.net/manual/en/function.mysql-query.php

You also have an issue with PHP string concatenation.

If you did this in two separate steps, you could echo (or printf or vardump) the string containing your SQL statement, before you execute it.

Also note that including "unsafe" values in the SQL statement makes your code vulnerable to SQL injection. Little Bobby Tables

$sql = "SELECT UserData.Password FROM UserData WHERE UserData.EmailAddress = '"
       . mysql_real_escape_string($loginEmail) . "'";
vardump($sql);
$res = mysql_query($sql);

(The vardump isn't required; it's just there for debugging, a way for us to see the contents of the string that is about to be sent to the database. (When we're debugging a problem, it helps us determine whether the problem is in the SQL text, or whether it's a problem in the database.

We'll want to test whether the call to mysql_query actually returned a resultset, or whether it returned an error. Once we've verified it's a valid resultset object, we can fetch rows from the resultset. (There's a variety of functions to perform that operation.)

Note: The red box in the documentation that says the mysql extension is deprecated. New code should use either the mysqli or PDO extension.

spencer7593
  • 106,611
  • 15
  • 112
  • 140