
Simple question. How do I make the query work? I know you can't directly use $_POST in a query, but I do not know how to get this to work.

$sql    = 'SELECT * FROM users WHERE `password` = $_POST[password] AND `username` = $_POST[username]';
$result = mysqli_query($link, $sql);

if (!$result) {
    echo "DB Error, could not query the database\n";
    echo 'MySQL Error: ' . mysqli_error($link);
    exit;
}

I have also tried using mysqli_real_escape_string like this:

    $username_sql = mysqli_real_escape_string($link, $_POST['username']);
    $password_sql = mysqli_real_escape_string($link, $_POST['password']);

This did not work as planned, as it still did not work.

Thanks,

Mike

Comments:

  • As you're already using MySQLi, you should do it using prepared statements/bind variables.... you should not be injecting user-entered values directly into an SQL query string. Commented Dec 1, 2015 at 10:22
  • And you certainly should not be storing plaintext passwords in your database.... use PHP's built-in password_hash()/password_verify().... learn the correct way to do this now, and you won't need to re-learn it again later. Commented Dec 1, 2015 at 10:25
  • Use prepared statements please! Commented Dec 1, 2015 at 10:25
  • @mike - my point is that learning bad habits when you're just starting out, it's a lot harder to unlearn them and learn good habits later.... learning good habits (such as the use of prepared statements) now will stand you in better stead in the coming months/years. Commented Dec 1, 2015 at 10:31
  • NEVER TRUST USER INPUT! Commented Dec 1, 2015 at 10:34

4 Answers


Use '' for string comparison in MySQL.

// escape the user-supplied values for use inside a quoted SQL string literal
$username_sql = mysqli_real_escape_string($link, $_POST['username']);
$password_sql = mysqli_real_escape_string($link, $_POST['password']);

// the escaped values must be wrapped in quotes, and each compared to its own column
$sql = "SELECT * FROM users 
WHERE `password` = '$password_sql' AND `username` = '$username_sql'";

4 Comments

  • Thanks, this works. Would you mind telling me what I did wrong, so I will not make this mistake anymore?
  • Use '' for string comparison in MySQL @mike
  • If my answer helps you, please accept my answer @mike
  • I suggest using prepared statements.

Use prepared statements to avoid SQL injection and syntax errors with commas.

// placeholders stand in for the values; they are never part of the SQL text
$sql    = 'SELECT * FROM users WHERE `password` = ? AND `username` = ?';

$stmt = mysqli_stmt_init($link);
mysqli_stmt_prepare($stmt, $sql);
// "ss": both bound values are strings, in placeholder order
mysqli_stmt_bind_param($stmt, "ss", $_POST['password'], $_POST['username']);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

while ($row = mysqli_fetch_assoc($result)) {
    echo $row['username'] . '<br>';
}



I think it is necessary to add at least one example of prepared statements, just to show that it is not more difficult and that it makes your application safer (SQL injection).

// $mysqli is an open mysqli connection object
$stmt = $mysqli->prepare('SELECT * FROM users WHERE `password` = ? AND `username` = ?');
$stmt->bind_param("ss", $_POST['password'], $_POST['username']);
$stmt->execute();
// SELECT * returns every column, so fetch the row set instead of binding
// one variable per column with bind_result()
$result = $stmt->get_result();
$row = $result->fetch_assoc();
// read the result...
$stmt->close();

Be aware that passwords should not be stored in plain text; instead, one should use the functions password_hash() and password_verify().
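As an added example that is not from any of the answers above, this is how the prepared-statement approach and the password_hash()/password_verify() advice fit together in one login check. It assumes an open mysqli connection in `$mysqli` and a `users` table whose `password_hash` column (an assumption; the question's table has a plaintext `password` column) holds the output of password_hash().

```php
<?php
// Added example, not code from the question or the answers.
// Assumes: $mysqli is an open mysqli connection and the users table has
// columns `username` and `password_hash` (the hash column is assumed).

function register_user(mysqli $mysqli, string $username, string $password): bool
{
    // password_hash() chooses a random salt and a safe default algorithm;
    // only this hash is stored, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $mysqli->prepare(
        'INSERT INTO users (`username`, `password_hash`) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function check_login(mysqli $mysqli, string $username, string $password): bool
{
    // Only the username reaches the database, and only as a bound parameter,
    // so quote characters in the value are compared literally and never
    // parsed as SQL.
    $stmt = $mysqli->prepare(
        'SELECT `password_hash` FROM users WHERE `username` = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);   // exactly one selected column, one variable
    $found = $stmt->fetch();
    $stmt->close();

    // The password is verified in PHP against the stored hash; it is never
    // compared inside the SQL query. The && short-circuits when no row matched.
    return $found && password_verify($password, $hash);
}

// Usage with the form fields from the question:
if (check_login($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo "Login ok\n";
} else {
    echo "Invalid username or password\n";
}
```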



You answered your question yourself. mysqli_real_escape_string() is the way to go.

// procedural mysqli_real_escape_string() takes the connection as its first argument
$sql = 'SELECT * FROM users WHERE `password` = "' . mysqli_real_escape_string($link, $_POST['password'])
     . '" AND `username` = "' . mysqli_real_escape_string($link, $_POST['username']) . '"';

1 Comment

  • mysqli_real_escape_string() hasn't been the way to go for a long while; prepared statements/bind variables are the way to go.
