your MySQL server version for the right syntax to use near '@hotmail.com' at line 1

Question

i have made form by Codeigniter to reset password when i send request it return with tis error ou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com' at line 1.

this is my controller

function index()
{

    $this->load->model("user_model");
    $config['protocol']    = 'smtp';
    $config['smtp_host']    = 'ssl://abuqir.net';
    $config['smtp_port']    = '465';
    $config['smtp_timeout'] = '7';
    $config['smtp_user']    = 'myuser';
    $config['smtp_pass']    = 'mypass';
    $config['charset']    = 'utf-8';
    $config['newline']    = "\r\n";
    $config['mailtype'] = 'text'; // or html
    $config['validation'] = TRUE; // bool whether to validate email or not  
    $email_to  = $this->input->get('email');
    $pass_message = $this->user_model->get_pass($email_to);
    $this->email->initialize($config);

    $this->email->from('admin-team@abuqir.net', 'admin team');
    $this->email->to($email_to); 

    $this->email->subject('Reset password');
    $this->email->message($pass_message);  
    $this->email->send();

    echo $this->email->print_debugger();

    $this->load->view('email_view');
}

and this my model

public function get_pass($user_mail) {
    $user_mail = mysqli_real_escape_string($user_mail);
    $query = $this->db->query('SELECT password'
            . ' from users '
            . 'where email = '.$user_mail
            );

    return $query;

}

PLEASEEEE don't add your server password here!! This is a public site. — Jorge Campos, Oct 12 '15 at 10:39
I STRONGLY advice you to change your server password. Now that you add it here, most probably it will be hacked. — Jorge Campos, Oct 12 '15 at 10:41
First look at Google before you ask newbie questions like this. — GuyT, Oct 12 '15 at 10:44
Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Álvaro González, Oct 12 '15 at 10:44

score 0 · Answer 1 · edited Oct 13 '15 at 13:25

0

public function get_pass($user_mail) {
$user_mail = mysqli_real_escape_string($user_mail);
$query = $this->db->query('SELECT password'
        . ' from users '
        . "where email = '".$user_mail ."'"
        );

return $query;

}

You forgot to wrapper email in Query within single quotes.

NOTE: I am not sure how we build Parameter query using CodeIgnitor, please use that as this query is seriously unsafe and been a password reset query, it is probably more public code and not recommended.

edited Oct 13 '15 at 13:25

Abdulla Nilam

36,589
17
64
85

answered Oct 12 '15 at 10:43

Sumit Gupta

2,152
4
29
46

Severity: 4096 Message: Object of class CI_DB_mysqli_result could not be converted to string – sbycrims Oct 12 '15 at 10:58

Abdulla Nilam · Accepted Answer · 2015-10-12T11:18:23.113

In Model

public function get_pass($user_mail) 
{
    $user_mail = mysqli_real_escape_string($user_mail);
    $query = $this->db->query("SELECT password  from users where email = '$user_mail'");
    $result = $query->result_array();
    return $result;    
}

In Controller

function index()
{

    $email_to  = $this->input->post('email'); //check GET otr POST
    $pass_message = $this->user_model->get_pass($email_to);
    if(!empty($pass_message))
    {
        $this->load->model("user_model");
        $config['protocol']    = 'smtp';
        $config['smtp_host']    = 'ssl://abuqir.net';
        $config['smtp_port']    = '465';
        $config['smtp_timeout'] = '7';
        $config['smtp_user']    = 'myuser';
        $config['smtp_pass']    = 'mypass';
        $config['charset']    = 'utf-8';
        $config['newline']    = "\r\n";
        $config['mailtype'] = 'text'; // or html
        $config['validation'] = TRUE; // bool whether to validate email or not  

        $this->email->initialize($config);

        $this->email->from('admin-team@abuqir.net', 'admin team');
        $this->email->to($email_to); 

        $this->email->subject('Reset password');
        $this->email->message($pass_message[0]['password']);  

        if(! $this->email->send())
        {
            echo $this->email->print_debugger();
        }
        else
        {
            //Email sending failed
            $this->load->view('email_view');
        }  
    }
    else
   {
        // Successfully sent
        echo 'Invalid E-Mail Address'
   }

}

Before configure mail check email validity then do rest of code

When you use $this->input->post it will act as mysqli_real_escape_string too. For further you need to secure from XSS use boolean TRUE. ($this->input->post('some_data', TRUE);)

your MySQL server version for the right syntax to use near '@hotmail.com' at line 1

2 Answers2