
While giving the correct login ID and password that is in the database "tutorial" in table "users", it is giving me an error on the login.php to which it is being redirected.

Error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'user' = 'XYZ'' at line 1

where XYZ is the username given from the user.

<?php

$inputuser = $_POST["user"];
$inputpass = $_POST["pass"];

$user = "root";
$password = "";
$database = "tutorial";

$connect = mysql_connect("localhost", $user, $password);
@mysql_select_db($database) or die("Database not found");

// Table and column names are wrapped in single quotes here, which MySQL reads
// as string literals; this is what produces the syntax error quoted above.
// The POST values are also interpolated straight into the SQL text.
$query = "SELECT * FROM 'users' WHERE 'user' = '$inputuser'";
$querypass = "SELECT * FROM 'users' WHERE 'password' = '$inputpass'";

$result = mysql_query($query) or die(mysql_error());
$resultpass = mysql_query($querypass) or die(mysql_error());

$row = mysql_fetch_array($result);
$rowpass = mysql_fetch_array($resultpass);

$serveruser = $row["user"];
$serverpass = $row["password"];

if ($serveruser && $serverpass) {
    if (!$result) {
        die("Username Name or Password is invalid");
    }

    echo "<br><center><b>Database Output</b></center><br><br>";
    mysql_close();

    echo $inputpass;
    echo $serverpass;

    if ($inputpass == $serverpass) {
        header('Location: home.php');
    } else {
        echo "Sorry, bad Login";
    }
}

?>
jarlh
hawkeye

2 Answers


Abhik Chakraborty is correct.

If you want to enclose field/column or table names you have to use backticks (so ` instead of '). The backtick is the diagonal quote on the button next to the "1", above "Tab".

To enclose field values you should use quotes the way you did. Your corrected query: SELECT * FROM `users` WHERE `user` = '$inputuser';

HOWEVER, you should never, ever insert input gotten from a user directly into a query. If they type in something like a';DROP TABLE your_table_name;, they can cause your database to start deleting tables, requesting records, etc.

Use correct escaping of user input: see this StackOverflow article on how to safely escape user input.

Byson
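The two points made in the answer above (backticks for identifiers, no raw user input in SQL text) together, as an added example that is not from the original question or either answer. In MySQL, 'users' after FROM is a string literal rather than a table name, which is the syntax error the question quotes, and 'user' = 'XYZ' compares two literals instead of a column with a value. The rewrite below assumes a `users` table with `user` and `password` columns where `password` holds a password_hash() value rather than plaintext; the PDO DSN, credentials, the register()/login() function names and the home.php redirect are assumptions for illustration. Bound parameters are sent to the server separately from the statement text, so a username such as ' OR '1'='1 is matched as literal characters and cannot change the WHERE clause.

```php
<?php
// Added example (not the poster's or answerers' code): the login rewritten with
// PDO prepared statements and hashed passwords. Assumes a MySQL database
// "tutorial" with table `users` (columns `user`, `password`); DSN and
// credentials are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=tutorial;charset=utf8mb4';
    return new PDO($dsn, 'root', '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Store a bcrypt hash, never the plaintext password. Identifiers use backticks;
// values are placeholders bound at execute time.
function register(PDO $pdo, string $user, string $pass): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO `users` (`user`, `password`) VALUES (:user, :hash)'
    );
    $stmt->execute([
        ':user' => $user,
        ':hash' => password_hash($pass, PASSWORD_DEFAULT),
    ]);
}

// Returns true only if a row for $inputUser exists and $inputPass verifies
// against its stored hash. $dummyHash is verified when the user is unknown so
// that a missing user and a wrong password take roughly the same time.
function login(PDO $pdo, string $inputUser, string $inputPass, string $dummyHash): bool
{
    $stmt = $pdo->prepare(
        'SELECT `password` FROM `users` WHERE `user` = :user LIMIT 1'
    );
    $stmt->execute([':user' => $inputUser]);
    $row = $stmt->fetch();

    if ($row === false) {
        password_verify($inputPass, $dummyHash);
        return false;
    }
    return password_verify($inputPass, $row['password']);
}

// Request handling: read POST fields with defaults instead of trusting their presence.
$pdo       = connect();
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

if (login($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '', $dummyHash)) {
    header('Location: home.php');
    exit; // stop output after a redirect header
}

http_response_code(401);
echo 'Sorry, bad login';
```

Note that the original script also echoed the stored password and the submitted one back to the browser; the rewrite returns only a yes/no result and never puts either value in the response.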

Instead of single quotes you should use back ticks (`)

Evans Murithi