1

I have a little problem with a very simple query. When I hard-code the values in the query it's working, but when I use a PHP variable nothing is retrieved. I over-checked a lot of things, including the query and the database. It's worth saying that I'm getting the variables from a form by POST, and I also checked that I'm getting them, but when I use them in a query they just don't work :S

Here's my code.. PLZ, what am I doing wrong?!

<?php

// Values submitted by the login form (POST)
$email    = $_POST['emailEnter'];
$password = $_POST['passwordEnter'];

$connection  = mysql_connect('localhost', 'root', '');
$db_selected = mysql_select_db("lab5", $connection);

// Query string built from the submitted values (note: single-quoted)
$query  = 'select * From user where email="$email" and password="$password" ';
$result = mysql_query($query, $connection);

while ($row = mysql_fetch_array($result)) {
    echo $row['name'];
}

mysql_close($connection);
?>
David
Iyad Al aqel

9 Answers

6

You use single quotes in the query variable. Single quotes do not substitute variables, so it looks for the literal string $email, not the variable $email. Either use double quotes or, even better, use something like PDO which would do the work for you.

You should also sanitize your inputs from SQL/XSS vulnerabilities.

StasM
4

The basic debugging steps are 1. adding

if (!$result) echo "Error: ".mysql_error();

to see any errors from the SQL query and 2. outputting

echo "Query: $query";

to see what the variables contain. One of these will point you to the problem.

Also, your query is vulnerable to SQL injection. You should add a

$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password );

after fetching the values from the POST array.

Pekka
  • are you purposely not giving the real reason it's not working? just wondering, not saying it's bad :) – Viper_Sb Dec 14 '10 at 20:25
  • @Viper nope, I just didn't notice. @Nathan true, but I assume the OP is new to this, so I would take it step by step. It's reasonably safe for the moment with escape_string – Pekka Dec 14 '10 at 20:27
0

Use mysql_fetch_assoc() for an associative array. You cannot use a normal array as an assoc array.

while($row=mysql_fetch_assoc($result))
{
   echo $row['name'];
}
TraviJuu
0

Your error probably resides in the fact that you don’t escape your parameters.

While you are at it, use MySQLi or PDO (maybe even some prepared statements)


Someone mentioned your use of single-quotes, that’s the real error, my bad.

But my advice still stands. Had you used prepared statements, you wouldn't have fallen for that mistake.

cslavoie
  • oooooooooh thanks guys, you mentioned something about mysqli and PDO; where can I start reading about that stuff? I'm a real newbie – Iyad Al aqel Dec 14 '10 at 20:33
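As a starting point for the PDO and prepared-statement advice given by StasM and cslavoie above, here is the same login lookup rewritten with PDO. This is an added example, not code from the original question or any of the answers. It assumes the database "lab5" and table "user" from the question; the DSN, user name and password in the constructor are placeholders for your own connection details.

```php
<?php
// Added example (not from the original post): the question's lookup rewritten
// with a PDO prepared statement. Assumed: database "lab5" and table "user"
// from the question; the connection details below are placeholders.

function connectLab5(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=lab5;charset=utf8mb4', // placeholder DSN
        'root',                                             // placeholder user
        '',                                                 // placeholder password
        [
            // Throw on errors instead of silently returning false,
            // which is what made the original query so hard to debug.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Let MySQL bind the parameters server-side.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Returns the names of all rows matching the submitted email and password.
function findUserNames(PDO $pdo, string $email, string $password): array
{
    // The SQL text contains only placeholders. The submitted values are sent
    // separately, so they are never spliced into the query string: no quoting
    // rules to get wrong, and no SQL injection through $email or $password.
    $stmt = $pdo->prepare(
        'SELECT name FROM user WHERE email = :email AND password = :password'
    );
    $stmt->execute([
        ':email'    => $email,
        ':password' => $password,
    ]);

    return array_column($stmt->fetchAll(), 'name');
}

// Usage with the form fields from the question.
$email    = $_POST['emailEnter']    ?? '';
$password = $_POST['passwordEnter'] ?? '';

$names = findUserNames(connectLab5(), $email, $password);
if ($names === []) {
    echo "No matching user\n";
}
foreach ($names as $name) {
    echo $name, "\n";
}
```

The comparison against the password column mirrors the schema in the question; in a real application the column would hold a hash and the check would be done with password_verify() on the fetched row rather than in the WHERE clause. Either way, the point of the example is that the values never become part of the SQL text, which is why the single-versus-double-quote problem cannot occur here.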
0

try

$query = 'select * From user where email="' . $email . '" and password="'. $password . '" ' ;

or

$query = "select * From user where email='$email' and password='$password'" ;
Ehsan
0

Try this instead:

$query = "select * From user where email='" . $email . "' and password='" . $password . "'";

Then immediately change that to this instead:

$query = "select * From user where email='" . mysql_real_escape_string($email) . "' and password='" . mysql_real_escape_string($password) . "'";
Adrian Schmidt
0

Try

$query = "SELECT * FROM user WHERE email = '".$email."' AND password = '".$password."'";
Ross
  • Ow, I'm always too slow to answer these questions :/ Anyway, as others have said, don't forget to add mysql_real_escape_string! – Ross Dec 14 '10 at 20:28
0

You've confused the single and double quotes.

You have:

$query = 'select * From user where email="$email" and password="$password" ' ;

You want:

$query = "select * From user where email='$email' and password='$password' " ;

Single quotes evaluate to what's literally inside. Double quotes will parse for variables inside. There's also a curly brace {$variable} syntax you can use.

Suggestions from other posters for using mysql_real_escape or using newer mysqli or PDO are important as well. At the very least use mysql_real_escape on parameters that come from user input.

jon_darkstar
0

The problem is the way you are quoting the variables. Suppose that $email = 'some@gmail.com' and $password = 'securenot'.

What we want is for the final interpreted string to be the following:

select * from user where email='some@gmail.com' and password='securenot'

To achieve this we simply replace some@gmail.com with $email and securenot with $password and get the following:

select * from user where email='$email' and password='$password'.

And then in PHP code ...

$query = "select * from user where email='$email' and password='$password'";

Hope that is of some help.

Lloyd Moore