<?php session_start();
include ('connection.php');?>

<?php 
$username='pablorex192';
// The value is interpolated without quotes, so MySQL parses it as a column name (this is the bug being asked about).
$consulta=mysql_query("SELECT question FROM users WHERE user = $username") or die ('This is the error: '.mysql_error());
echo $consulta;
?>

This is the error: Unknown column 'pablorex192' in 'where clause'

It gives me that error and I really don't know why. Here are some screenshots of my database: http://puu.sh/iMFy3/d23d9b0942.png http://puu.sh/iMFyQ/8343a4876c.png

  • Look into using PDO. Ensure tutorials you read online are recent and well-received. And finally, try your query in phpMyAdmin. Commented Jul 6, 2015 at 7:40

4 Answers


First off, the mysql_*() functions should not be used any more. They're deprecated and are slated for removal shortly. Use MySQLi or PDO instead.

Secondly, I'm suspecting that you're fetching the username from an input form, which means that you're not in control of what's being written there. That means that simply concatenating it into the query leaves you open to SQL injection, which is not good. Use prepared statements, or at the very least the proper escaping functions for the DB.

Thirdly, and a pet peeve of mine: If you have the lines you pasted in the same file, you should not exit PHP mode between them.

All of the above combined gives us the following code:

// Start the session and SQL connection, assuming PDO ($DB is created in connection.php).
session_start ();
include ("connection.php");

// Check for posted content here. If none, show the input form and exit.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset ($_POST['username'])) {
    return;
}

// Validate that we actually have something that could be a username.
if (!ctype_alnum ($_POST['username'])) {
    // Input contained illegal characters, add error to output.
    return;
}

// Create the prepared statement to fetch the (security?) question from the database.
// The value is bound to the placeholder; it is never interpolated into the SQL text.
$stmt = $DB->prepare ("SELECT question FROM users WHERE user = ?");
if (!$stmt->execute (array ($_POST['username']))) {
    // Failed, add error to output.
    return;
}

// Now we've got the question (fetchColumn() returns false if no row matched).
$question = $stmt->fetchColumn ();

You'll also notice that I removed "echo mysql_error()", as this is something which should never be shown to the user. It allows a potential attacker to learn a lot of useful information about your system.

PS: You will also notice, that by using prepared statements you don't have to muck about with quoting the strings. The database driver does it for you. ;)
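A complete version of the approach this answer describes, as an added example that is not the answer's own code: input whitelisting, a PDO prepared statement, handling of the no-row case, and driver errors logged server-side instead of echoed to the client. The DSN credentials are placeholders, and the fetchQuestion function name is assumed.

```php
<?php
// Added example (not from the question or the answers). Assumes a MySQL
// "users" table with "user" and "question" columns, as in the question.
declare(strict_types=1);

// Throw on errors so a failed query cannot silently return false.
// PLACEHOLDER_* values stand in for the real connection settings.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]
);

/**
 * Look up the security question for a username (hypothetical helper).
 * Returns null when the user does not exist or the lookup fails;
 * driver error text never reaches the client.
 */
function fetchQuestion(PDO $pdo, string $username): ?string
{
    // Whitelist the shape of the input before it reaches the database.
    if ($username === '' || strlen($username) > 64 || !ctype_alnum($username)) {
        return null;
    }
    try {
        // The value travels separately from the SQL text, so it can never be
        // parsed as a column name (the question's error) or as extra SQL.
        $stmt = $pdo->prepare('SELECT question FROM users WHERE user = ?');
        $stmt->execute([$username]);
        $question = $stmt->fetchColumn(); // false when no row matched
        return $question === false ? null : (string) $question;
    } catch (PDOException $e) {
        // Keep the detail in the server log; the user gets a generic message.
        error_log('fetchQuestion failed: ' . $e->getMessage());
        return null;
    }
}

$question = fetchQuestion($pdo, $_POST['username'] ?? '');
echo $question === null
    ? 'Unable to find a security question for that account.'
    : htmlspecialchars($question, ENT_QUOTES, 'UTF-8');
```

The same generic message covers both "no such user" and "query failed", so the response does not reveal which usernames exist or what the database reported.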




You should have written:

$consulta=mysql_query("SELECT question FROM users WHERE user = '$username'") or die ('This is the error: '.mysql_error());

Note the single quotes around $username, so that it becomes a string in the SQL query; otherwise it is considered a column name.



You should use single commas, as your variable holds a string value. If your variable uses an integer value, then it will work.

So you can write

"SELECT question FROM users WHERE user = '$username'"

or

"SELECT question FROM users WHERE user = '".$username."'"



You should write:

("SELECT question FROM users WHERE user = '$username'");

Instead of:

("SELECT question FROM users WHERE user = $username")

Because when you're sending the variable $username (pablorex192) without simple quotes, your SELECT statement is being executed like this:

SELECT question FROM users WHERE user = pablorex192;

The documentation in MySQL says:

A string is a sequence of bytes or characters, enclosed within either single quote (“'”) or double quote (“"”) characters.

Don't forget to put simple quotes in your queries when the value comes from PHP connections.
