0

I'm having trouble with a seemingly correct query for a MySQL database. The query in question is:

"SELECT * FROM Users WHERE Email =".$email.";". The query itself is executing fine, but the $result that is returned is false (if I replace "Email =".$email."" with "Id = 1" it works and returns a value).

    if ($emailCheck == TRUE) {
        echo "<script type='text/javascript'>alert('Email check true.');</script>";
        // The email value is concatenated into the SQL text as-is
        $sql = "SELECT * FROM Users WHERE Email =".$email.";";
        echo $sql;
        $result = $conn->query($sql);
        if ($result) {
            $row = mysqli_fetch_array($result);
            echo "<script type='text/javascript'>alert('".(string)$row['FirstName']."');</script>";
        } else {
            // query() returned false
            echo "<script type='text/javascript'>alert('bad result');</script>";
        }
    }

Some info:

  • $emailCheck = TRUE is working fine.

  • When using "Id = 1" instead of "Email =".$email."" everything works

  • echo $sql; returns "SELECT * FROM Users WHERE Email =zxzx@hotmail.com;"

Any help on why $result is returned false when using "Email =".$email.""?

Alive to die - Anant
DiscreteTomatoes
  • try "Email=' ".$email." ' " –  Feb 11 '16 at 04:55
  • String literals in MySQL need to be quoted, i.e. `WHERE Email ='zxzx@hotmail.com'`. This would be a good time to read up on SQL injection, and how to prevent it using prepared statements - [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Sean Feb 11 '16 at 04:56
  • Yes, thanks guys, I just figured it out, dooe. – DiscreteTomatoes Feb 11 '16 at 05:02
  • $sql = "SELECT * FROM Users WHERE Email ="." '$email' "; – Parimal Feb 11 '16 at 05:10

1 Answer

0

This is because if you are using id then it is an integer, so there is no need to put it in quotes (''). But if you use email then it is a string, so you need to write it in quotes (''), as follows:

    $sql = "SELECT * FROM Users WHERE Email ='" . $email . "'";
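
The prepared-statement approach that Sean's comment points to, shown as an added example (not code from the question or the answer). It assumes a reachable MySQL server with the `Users` table from the question, the mysqlnd driver for `get_result()`, placeholder connection settings, and a hypothetical helper named `findUserByEmail`.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions, so a malformed query surfaces as an error
// with a message instead of a silent `false` from query().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up one user by email with a prepared statement (hypothetical helper).
 * The value is sent separately from the SQL text, so it needs no quoting
 * and cannot change the structure of the query.
 */
function findUserByEmail(mysqli $conn, string $email): ?array
{
    $stmt = $conn->prepare('SELECT * FROM Users WHERE Email = ?');
    $stmt->bind_param('s', $email);             // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // requires mysqlnd
    $stmt->close();
    return $row ?: null;                        // null when no row matches
}

// Placeholder connection settings (assumptions, replace with your own).
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$conn->set_charset('utf8mb4');

// Constructed sample inputs: the address from the question and one
// containing a quote, which would break a concatenated query.
foreach (['zxzx@hotmail.com', "o'brien@example.com"] as $email) {
    $row = findUserByEmail($conn, $email);
    if ($row === null) {
        echo 'No user found for ' . htmlspecialchars($email) . "\n";
        continue;
    }
    // json_encode with the HEX flags yields a JavaScript string literal
    // that is safe to place inside a <script> block.
    $name = json_encode((string) $row['FirstName'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo "<script type='text/javascript'>alert({$name});</script>\n";
}
```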