-2
```php
$query = "select * from login details where User_id like '$user_name' and Password '$user_pass'";
```

I cannot find any error, but it is showing an error.

brombeer
  • 3
    Unless `$user_name` contains `%` there's no reason to use `like` here. One error I can spot is the missing `=` after `Password` - which is most likely not the cause for the error – brombeer Apr 28 '22 at 05:45
  • 3
    Please [edit] your question and post some more lines of code before and after that line 16. And take the [tour](https://stackoverflow.com/tour), which you should have done when registering – brombeer Apr 28 '22 at 05:47
  • 4
    Using `like` to match a user name sounds like an easy hack to get round, plus you should look into using `password_hash` rather than storing plain passwords in the database (https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) AND use prepared statements (https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Nigel Ren Apr 28 '22 at 06:10
  • 2
    Small side note: Try not to use like if you don't use a wildcard when you want to do a comparison like in your example. For different reasons. Performance, possible errors etc. https://stackoverflow.com/a/2336940/14807111 – Maik Lowrey Apr 28 '22 at 06:10
  • 2
    Can you share your code from line 1 to line 16, please? – Maik Lowrey Apr 28 '22 at 06:14

1 Answer

0

Please stop executing queries as native calls; your query has SQL injection. You can execute queries with PDO like this:

```php
$query = "SELECT * FROM login WHERE User_id LIKE ? AND Password = ?";
$params = array("%$user_name%", "$user_pass");
$stmt = $handle->prepare($query);
$stmt->execute($params);
```

Also, please avoid checking the UserId column with `LIKE` in the query and checking the Password column without a hash value.

Sajjad Dehghani
  • 2
    Although good advice _in general_, why would this resolve an “unexpected ‘;’” syntax error? – rickdenhaan Apr 28 '22 at 06:34
  • When ``$user_name`` or ``$password`` contains a ``'`` character, the query will be a bad string after parsing. Also, please check the lines of code before the query line. – Sajjad Dehghani Apr 28 '22 at 06:40
  • 1
    While your statement is correct, this won't result in a syntax error but a SQL error during runtime – DarkBee Apr 28 '22 at 06:48
  • Replace your query code with this: ``$query = "select * from login details where User_id like %"+$user_name+"% and Password="+$user_pass+""`` You don't need the ``'`` character between the ``"`` double quotation marks. – Sajjad Dehghani Apr 28 '22 at 06:59
  • 1
    Unsure what you are saying, but the code OP posted is *not* the problem here - [demo](https://ideone.com/SeKHD2) – DarkBee Apr 28 '22 at 07:02
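
A login check that applies what the comments and the answer recommend (prepared statement, exact match instead of `LIKE`, `password_hash`/`password_verify`), as an added example that is not part of the original thread. The `login_details` table, its columns, the sample accounts and the `check_login` function are assumptions, and an in-memory SQLite database (requires the `pdo_sqlite` extension) stands in for the real one.

```php
<?php
// Added example (not the poster's code). Table and column names are
// hypothetical; an in-memory SQLite database stands in for the real one.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_details (user_id TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample accounts; only the hash is stored, never the password.
$insert = $pdo->prepare('INSERT INTO login_details (user_id, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $userName, string $userPass): bool
{
    // Exact match with "=": "%" and "_" in the input are ordinary characters.
    // The placeholder keeps the value out of the SQL text, so a "'" cannot
    // end the string literal.
    $stmt = $pdo->prepare('SELECT password_hash FROM login_details WHERE user_id = ?');
    $stmt->execute([$userName]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($userPass, $hash);
}

// Constructed test inputs covering the cases raised in the thread.
$cases = [
    ['alice', 'correct horse'],     // valid login
    ["o'brien", 'battery staple'],  // quote in the name is handled as data
    ['%', 'correct horse'],         // wildcard is not a pattern under "="
    ['ali', 'correct horse'],       // partial name is not a match under "="
    ['alice', 'wrong password'],    // hash verification fails
];
foreach ($cases as [$name, $pass]) {
    printf("%-10s %-16s %s\n", $name, $pass, check_login($pdo, $name, $pass) ? 'accepted' : 'rejected');
}
```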