I have the following code on 1 page that works perfectly fine:

 $log = "UPDATE users SET loggedIn = '1' WHERE username= '$username' ";

However, upon changing that code slightly, something is going wrong escaping my characters.

$log = "UPDATE users SET loggedIn = '0' WHERE username= '$_SESSION["username"]' ";

The issue lies within my syntax here: '$_SESSION["username"]'

Unfortunately, the $username variable is not declared in this page.
HOWEVER, $_SESSION['username'] is declared, and an echo of it returns exactly what I need.

I've been trying different variations of single quotes, double quotes, and backslashes for hours. Can someone tell me what I am doing wrong?

Solved by Enstage

Cody MacLeod
  • Avoid the problem entirely, and avoid SQL injection, by using prepared statements with query parameters. – David Jun 06 '17 at 23:33
  • Do what David said, but just for reference, your issue is because of the quotes, change your query to: `"UPDATE users SET loggedIn = '0' WHERE username= '". $_SESSION["username"]."' "` – Enstage Jun 06 '17 at 23:34
  • There is no possibility for SQL injection here as the user is not actually inputting any data, rather just clicking a logout button and logging out (correct me if I'm wrong) – Cody MacLeod Jun 07 '17 at 00:07
  • I forgot the append periods. Wow. Thank you very much. – Cody MacLeod Jun 07 '17 at 00:07
  • I tried this. The code seems to now pass, however there is something else going on that is returning failed. Updating the question – Cody MacLeod Jun 07 '17 at 00:27
  • Also, check https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – AbraCadaver Jun 07 '17 at 00:31
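
The prepared-statement approach recommended in the comments, set beside the concatenated query, as an added example that is not part of the original thread. It assumes an in-memory SQLite database through PDO (the `pdo_sqlite` extension) in place of the asker's connection; the table layout, the sample usernames and the function names are constructed for illustration.

```php
<?php
// Added example with constructed data; in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, loggedIn INTEGER NOT NULL)");

// Constructed sample rows; both users start logged in.
$seed = $pdo->prepare("INSERT INTO users (username, loggedIn) VALUES (?, 1)");
foreach (["cody", "o'brien"] as $name) {
    $seed->execute([$name]);
}

// Stand-in for the value set at login (no session_start(), so this also runs from the CLI).
$_SESSION = ['username' => "o'brien"];

// 1) Concatenation, as in the query from the comments: an apostrophe in the
//    value closes the string literal early and the statement no longer parses.
function logoutConcatenated(PDO $pdo, string $username): string
{
    $log = "UPDATE users SET loggedIn = '0' WHERE username= '" . $username . "' ";
    try {
        return "concatenated, rows updated: " . $pdo->exec($log);
    } catch (PDOException $e) {
        return "concatenated, query failed: " . $e->getMessage();
    }
}

// 2) Prepared statement: the SQL text is fixed and the value is bound as data,
//    so quoting inside the value cannot change the statement.
function logoutPrepared(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare("UPDATE users SET loggedIn = 0 WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->rowCount();
}

echo logoutConcatenated($pdo, $_SESSION['username']), PHP_EOL;
echo "prepared, rows updated: ", logoutPrepared($pdo, $_SESSION['username']), PHP_EOL;

// Final state of the table, to confirm only the intended row changed.
foreach ($pdo->query("SELECT username, loggedIn FROM users ORDER BY username") as $row) {
    echo $row['username'], " => ", $row['loggedIn'], PHP_EOL;
}
```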
