-1

Somebody can log in. If he logs in, the entered password (decoded) will be compared with the right password (also decoded). But if I make

    $sql = "SELECT PasswordDecode FROM Userinformations WHERE Username = ".$Username;
    foreach ($pdo->query($sql) as $row) {
        $PasswordDecode = $row["PasswordDecode"];
    }

this error comes:

Warning: Invalid argument supplied for foreach() in ...

I don't understand. If the username is DumbUsername and I make

    $sql = "SELECT PasswordDecode FROM Userinformations WHERE Username = DumbUsername";

No error happened and it works. But if I write the Username in a variable, it doesn't work. Why?
Please answer.

chris85
Korne127
  • `SELECT PasswordDecode FROM Userinformations WHERE Username = DumbUsername` is invalid SQL, strings need to be quoted. This also opens you to SQL injections, use parameterized queries, this will take care of the quoting as well. – chris85 Jun 12 '16 at 17:12

1 Answer

0

Change your query, use quotes around the variable

  $sql = "SELECT PasswordDecode FROM Userinformations WHERE Username = '$Username'"; 
Niklesh Raut
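
The parameterized-query approach that chris85's comment recommends, shown as an added example that is not part of the original question or answer. It assumes PHP with the pdo_sqlite driver; the in-memory table, its sample row and the helper name `fetchPasswordDecode` are constructed for illustration.

```php
<?php
// Constructed in-memory SQLite table standing in for the question's
// Userinformations table (the real database is not shown on the page).
$pdo = new PDO('sqlite::memory:');
// Make failed queries throw instead of returning false; a false return is
// what produced "Invalid argument supplied for foreach()" in the question.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE Userinformations (Username TEXT PRIMARY KEY, PasswordDecode TEXT)');
$pdo->exec("INSERT INTO Userinformations VALUES ('DumbUsername', 'constructed-sample-value')");

/**
 * Hypothetical helper: returns the PasswordDecode column for one user,
 * or null when no row matches.
 */
function fetchPasswordDecode(PDO $pdo, string $username): ?string
{
    // The placeholder keeps the value out of the SQL text entirely, so it
    // needs no quoting and cannot change the structure of the statement.
    $stmt = $pdo->prepare('SELECT PasswordDecode FROM Userinformations WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed inputs: a normal name, a name containing a quote, and a
// string that would alter the query if it were concatenated into it.
$inputs = ['DumbUsername', "O'Brien", "x' OR '1'='1"];
foreach ($inputs as $input) {
    $result = fetchPasswordDecode($pdo, $input);
    printf("%-16s => %s\n", $input, $result === null ? 'no such user' : 'row found');
}

// For contrast: the unquoted concatenation from the question now fails
// at query() with an exception, not later with a foreach() warning.
try {
    $pdo->query('SELECT PasswordDecode FROM Userinformations WHERE Username = ' . $inputs[0]);
} catch (PDOException $e) {
    echo 'query failed: ', $e->getMessage(), "\n";
}
```

Only the first input returns a row; the other two are compared as literal usernames and match nothing.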