0

Ok, I have this PHP $_POST['username'] variable and I need to query everything on the user via MYSQL. The only problem is it keeps throwing me errors.

something like 

$user = $_POST['username'];
$query = mysql_query("SELECT * FROM user WHERE username = $user");

I've tried

$query = mysql_query("SELECT * FROM user WHERE username = `$user`");
$query = mysql_query("SELECT * FROM user WHERE username = ".$user);

Not sure what i'm doing wrong.

Improve this question
2
  • what errors???? (Ignore the excessive question marks, they are there to circumvent the comment character limit. I am not surprised, just asking what the errors are.) Commented Jul 4, 2011 at 3:18
  • DO NOT directly use user input in a query string. DO read about SQL injection. DO read about parameterized queries. Commented Jul 4, 2011 at 3:23

3 Answers 3

Reset to default
1

Your problem is that strings in SQL need to be enclosed in single quotes.

The most preferable approach would be to use PDO. But sprintf (along with mysql_real_escape_string) is a better interim approach that what is posted:

$query = sprintf("SELECT u.* 
                    FROM USER u
                   WHERE u.username = '%s'",
                  mysql_real_escape_string($_POST['username']));

$result = mysql_query($query);

Lest we forget Little Bobby Tables ;)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
$user = $_POST['username'];
$query = ('SELECT * FROM user WHERE username LIKE "' . $user . '"');
Improve this answer

Comments

0

Use this:

$query = mysql_query("SELECT * FROM user WHERE username = '$user'");
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.