
I have this SQL query

```php
$sql_ = "SELECT score FROM users WHERE username=$row['uid']";
```

Every user in the table users has a score value and a username. $row['uid'] is a variable from a previous SQL statement. This query is giving me an error; how would I fix this, and also how would I get that score value into a single variable?

danielsepulvedab
  • Can you post the error message you're getting? – Just Rudy Jul 14 '17 at 14:27
  • What's the error? What's the actual query being executed after that PHP variable is evaluated? Note that if you use prepared statement with query parameters then the problem likely becomes moot. With the added benefit of no longer having a SQL injection vulnerability. – David Jul 14 '17 at 14:27
  • If `username` is a character variable, you probably need to quote the variable you're using. – rd_nielsen Jul 14 '17 at 14:28
  • First you should check whether the query is correct; to check, `echo $sql`, then check whether the query is executed or not. – Jees K Denny Jul 14 '17 at 14:28
  • You are wide open for SQL injection. Look into prepared statements and parameter binding for [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) or [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php), whichever you're using. **This will fix your quoting issue as well.** – aynber Jul 14 '17 at 14:29

1 Answer

You need to use some SQL Injection prevention mechanism. Never use raw variables in a query like that. Have a look at PDO. You need to bind your variables and then execute the query.

But for what you need, and ONLY for testing purposes, check the following, quoting your variable:

```php
$sql_ = "SELECT score FROM users WHERE username = '" . $row['uid'] . "'";
```
Kostas Mitsarakis