-4

My question is: I have an issue with my code (SELECTing data from MySQL). This is my code:

<?php
$user_name  = $_SESSION['user_name'];
$user_email = $_SESSION['user_email'];
echo $user_email;

$con = mysqli_connect("localhost", "root", "", "minehelp");

// The session values are concatenated straight into the SQL string here,
// which is what the answers below change to bound placeholders.
$id_query = mysqli_query($con, "SELECT user_name FROM users_en
    WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_email . "';");

while ($row_id_query = mysqli_fetch_assoc($id_query)) {
    print($row_id_query['user_name']);
}
?>

I want to select data WHERE the user_name is $user_name. This is a login system, which means the $_SESSION['user_name'] is part of my code and I can't remake it.

Thanks for every answer,
Jakubk-0

Jakubk-0
  • You have not single-quoted the variables `$NickNaming,$PassWording,$Emailing`. You should be using `prepare()/execute()` however, with placeholders for these. – Michael Berkowski Dec 03 '14 at 16:43
  • See first [when to use single quotes, double quotes, backticks](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) to understand what went wrong with the SQL, then more importantly, see [how can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and follow some of the examples there for using `prepare()/execute()` with placeholders in the query instead of variables to understand the best way to fix it – Michael Berkowski Dec 03 '14 at 16:44
  • Uses PDO... injects user input into query anyway... *BANG HEAD HERE* – Niet the Dark Absol Dec 03 '14 at 16:44
  • Read up on the subject => http://php.net/pdo.prepared-statements instead of blindly stabbing the meat, *as it were*. ;) – Funk Forty Niner Dec 03 '14 at 16:47
  • *"i am working on my own registration system"* - Don't use this unless you know exactly what you're doing and getting yourself into. Here's one that uses PDO with prepared statements and PHP 5.5's `password_hash()` function http://daveismyname.com/login-and-registration-system-with-php-bp - You'll be setup in no time ;) - **Do NOT store passwords in plain text, you WILL be hacked.** – Funk Forty Niner Dec 03 '14 at 16:49

3 Answers

1

It should look similar to:

$sql = "INSERT INTO users (NickName, PassWord, Email)
    VALUES (:nick, :pass, :mail)";
// prepare() returns a PDOStatement; execute() is called on that statement,
// not on the PDO connection object
$stmt = $conn->prepare($sql);
$stmt->execute(array(':nick' => $NickNaming, ':pass' => $PassWording, ':mail' => $Emailing));

Paul
0

You should use PDO::prepare

Prepares an SQL statement to be executed by the PDOStatement::execute() method.

and PDO::execute

Execute the prepared statement.

So your prepare and execute would look like this:

$sth = $conn->prepare( 'INSERT INTO users (NickName, PassWord, Email)
                        VALUES (:nick, :pass, :mail)');
$sth->execute( array(':nick' => $NickNaming, 
                     ':pass' => $PassWording, 
                     ':mail' => $Emailing));
notnull
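Putting the two answers together with the SELECT from the question, as an added example that is not part of any answer on this page: the connection details and table columns are the ones shown in the question and answers, while the charset option, the error-mode settings and the `password_hash()` call (suggested in the comments) are assumptions.

```php
<?php
// Added example, not code from the question or the answers: the asker's SELECT
// and the answers' INSERT, both through PDO prepared statements so user input
// is bound as data instead of being spliced into the SQL string. Host, database,
// credentials and table layout are taken from the code on this page; the
// charset and PDO attributes are assumptions.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=minehelp;charset=utf8mb4',
    'root',
    '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// The SELECT from the question: look the user up by name OR e-mail.
function findUser(PDO $pdo, string $userName, string $userEmail): ?array
{
    $stmt = $pdo->prepare(
        'SELECT user_name FROM users_en WHERE user_name = :name OR user_email = :email'
    );
    $stmt->execute([':name' => $userName, ':email' => $userEmail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The INSERT from the answers, storing a password_hash() result rather than
// the plain-text password, as the comments recommend.
function registerUser(PDO $pdo, string $nick, string $password, string $email): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (NickName, PassWord, Email) VALUES (:nick, :pass, :mail)'
    );
    $stmt->execute([
        ':nick' => $nick,
        ':pass' => password_hash($password, PASSWORD_DEFAULT),
        ':mail' => $email,
    ]);
}

// A session value containing quotes or SQL keywords is still sent as one
// literal string and is never parsed as part of the query.
$row = findUser($pdo, $_SESSION['user_name'] ?? '', $_SESSION['user_email'] ?? '');
echo $row === null ? "no matching user\n" : $row['user_name'] . "\n";
```

Both functions take the PDO handle as a parameter so they can be reused from the login and registration pages without rebuilding the connection.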
-1

I tried not to use PDO:

// The variables are interpolated directly into the query string rather than
// bound as parameters; variable name matches the $NickNaming used elsewhere
$insert = mysqli_query($con, "INSERT INTO users (Nickname, PassWord, Email)
          VALUES ('$NickNaming','$PassWording','$Emailing')");

That will work.

Jakubk-0