0

I have a easy select query

$sql = "SELECT `testName`, `percentile`, `dateTaken`, `correct`, `total`, `timeSpent` FROM `results` WHERE `uniID` = 5 AND `userID` = $_SESSION[userid] ORDER BY  `dateTaken` ASC";

userID is set to

varchar 250

the query works fine if I am looking for a userID that is a number but when looking for a userID that is letters it returns blank. Is there a simple reason for this ?

Thanks

Benjamin Oats
  • 573
  • 1
  • 8
  • 25
  • check for errors via php and the query. String values require them to be quoted. Plus, you're leaving that open to an sql injection. Use a prepared statement. – Funk Forty Niner Nov 10 '16 at 14:54
  • 1
    Because character values need to be wrapped in quotes. If you replace your SQL injection vulnerability with a query parameter this problem becomes moot anyway. – David Nov 10 '16 at 14:55
  • 1
    @David, thanks whats the best way to do this – Benjamin Oats Nov 10 '16 at 14:56
  • 1
    @BenjaminOats: The primary term you're searching for is "prepared statement". Both the `mysqli` and `PDO` data access libraries support those and include examples of them in their documentation. In a broad sense, what you want to do is avoid using variables directly in SQL queries. Instead, you would use a "query parameter" and use the variable to "bind" that parameter as a separate call to that data access library before executing the query. – David Nov 10 '16 at 14:58
  • @David thanks ill research "prepared statement" +1 – Benjamin Oats Nov 10 '16 at 14:58
  • done and solved, thanks David – Benjamin Oats Nov 10 '16 at 15:02

0 Answers0