Mysql Query not returning my results when adding variables into the query

Question

If I run this with the query

"SELECT * FROM users";

It returns my result. But as soon as I run this

$username = $_POST['username'];
$password = $_POST['password'];

$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";

it doesn't.

If I run it in Mysql workbench without the variables it works. If I run echo the $_POST values they come through correctly. I am stumped as to what I'm doing wrong PLEASE!! help me. I also ran my code through https://phpcodechecker.com/ and it cant see any errors in my code. This is the full function.

function login($username,$password){
global $db_conn;
$conn = new mysqli($db_conn['servername'], $db_conn['username'], $db_conn['password'], $db_conn['dbname']);
$username = $_POST['username'];
$password = $_POST['password'];

$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";
    $login_result = $conn->query($login);

    if ($login_result->num_rows > 0) {

        $output = array();
        while($row = $login_result->fetch_assoc()) {
            $output[] = $row;
            echo "".$row['name']."-".$row['password']."<br>";
        }
        } else {
            echo "Invaild Login Details!"."<br>" ;
            $conn->close();
            return false;
        }
}

Every time it says "Invalid Login Details!" But I know their is one result that gets returned.

What am I doing wrong?

Inserting variables into your SQL directly is a major source of SQL Injection Attacks. Use PDO for security. https://www.php.net/manual/en/book.pdo.php#114974

$login = "SELECT * FROM users WHERE name= `'`".$username."`'` AND password= `'`".$password."`'`"; how about add a single quote for the variable — Stanley Cheung, Oct 24 '17 at 09:08
What does echo $login; return? Does the pw contain sql specific chars? — Zim84, Oct 24 '17 at 09:09
be conscious that these sql queries are [good candidates to sql injection risk](http://bobby-tables.com/), you should use prepared statements — Kaddath, Oct 24 '17 at 09:10

score 2 · Accepted Answer · answered Oct 24 '17 at 09:10

2

change the query like this

$login = "SELECT * FROM users WHERE name= '$username' AND password= '$password'";

note: this method is prone to sql injection attacks. try prepared statements to avoid it

answered Oct 24 '17 at 09:10

Anandhu Nadesh

672
2
11
20

score 0 · Answer 2 · answered Oct 24 '17 at 09:12

0

try with ''(single quote) for comparing name and password

"SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

answered Oct 24 '17 at 09:12

Bhargav Chudasama

6,928
5
21
39

whats wrong with this query – Bhargav Chudasama Nov 03 '17 at 11:26
there is nothing wrong with this query. may be he doesn't know how to write code with proper php syntax. – romal tandel Nov 04 '17 at 10:38

score -1 · Answer 3 · answered Oct 24 '17 at 09:10

-1

$login = "SELECT * FROM users WHERE name = '{$username}' AND password = 
'{$password}' ";

answered Oct 24 '17 at 09:10

cmprogram

1,854
2
13
25

It would be useful to add a short explanation about what your code does. – Hannu Oct 24 '17 at 10:06

score -1 · Answer 4 · answered Oct 24 '17 at 09:12

-1

You can simply specify the variables no need to go for string append to construct query in php

Eg :

Query = "SELECT * FROM `users` where username = '$username' AND  password = '$password' " ;

answered Oct 24 '17 at 09:12

Naresh Kumar

1,706
1
14
26

score -1 · Answer 5 · answered Oct 24 '17 at 09:14

-1

try following code

$login = "SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

answered Oct 24 '17 at 09:14

romal tandel

481
12
19

Mysql Query not returning my results when adding variables into the query

5 Answers5