0

In my web service, when a user signs up they are given a token (in this case, it's a GUID without any separators) which is stored in a table.

To test it's working, I go to PHPMyAdmin and in the SQL query tab enter 

SELECT * FROM MyTable WHERE Token=my_guid AND Username=user AND Password=pass

this returns the row correctly

I have a web service that takes 3 parameters and performs the same SQL query, however, no rows are returned. If I remove the token parameter, the row returns fine. The table has it that the Token field is set to 42 characters.

In my PHP file, the failing query looks like this

$query = "SELECT * from Login WHERE Username = '$username' AND Password = '$password' AND Token = '$token';";
$result = mysql_query($query,$link) or die('Errant query:  '.$query);

Is there some sort of terminal character stripping going on as I can't see why the query should work with the token removed but not work when it's there and in the database.

The server is using PHP 5.6.35

Nodoid
  • 1,449
  • 3
  • 24
  • 42

1 Answers1

0

It should be 

$query = "SELECT * from Login WHERE Username = '{$username}' AND Password = '{$password}' AND Token = '{$token}';";
Marko Paju
  • 314
  • 1
  • 13
  • Thanks. Is there a reason why without the braces the queries still work when I'm not comparing the token field? – Nodoid Apr 20 '18 at 11:06
  • maybe this helps: https://stackoverflow.com/questions/3446216/what-is-the-difference-between-single-quoted-and-double-quoted-strings-in-php – Marko Paju Apr 20 '18 at 11:06
  • 1
    if this work it should also work with without brace also, not proper solution. – Null Pointer Apr 20 '18 at 11:09