SQL php vars syntax error

Question

I need help with following part of login php script:

$name = mysqli_real_escape_string($connection, $_POST["login"]);
$password = mysqli_real_escape_string($connection, $_POST["password"]);

$sql = "SELECT FROM usersdata WHERE user_password = $password AND user_name = $name";

The server is giving me following error:

"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'FROM usersdata WHERE user_password = something AND user_name = something' at line 1".

Obviously there is a error with writing php variables in query string such as they are, but I dont know exactly how i should contecate them. Its ridiciolous how SQL queries can be sometimes so frustrating when everything else is working perfectly.

Don't use `mysqli_real_escape_string`, instead ***`bind`*** your parameters. — deceze, Oct 26 '16 at 13:24

score 0 · Accepted Answer · answered Oct 26 '16 at 13:21

0

You forgot the columns or * in the query. It should be :

$sql = "SELECT * FROM usersdata WHERE user_password = $password AND user_name = $name";

Also use prepared statements. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

answered Oct 26 '16 at 13:21

tejashsoni111

1,405
1
18
34

Right, seen it just after I posted a question and I couldn't see it whole day yesterday:). Thank you. – Darko Borojevic Oct 26 '16 at 15:21

SQL php vars syntax error

1 Answers1