wugang_bob wrote:
$query = "select * from userid where username=.$_REQUEST[username]";

qartis wrote:
$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];
Also note that qartis silently fixed part of your problem.
```php
// no concatenation with the string literal
$query = "select * from userid where username=$_REQUEST[username]";
```
or
```php
// concat two strings
$query = "select * from userid where username=" . $_REQUEST['username']; // please note: $arr['key']
```
Now take a look at what mysql will receive, e.g.
```sql
select * from userid where username=Nick
```
but mysql needs to get string literals quoted just as php does, something like
```sql
select * from userid where username='Nick'
```
so they have to be added to the query string (btw: your table really has the name userid? Sounds more like a field to me, but anyway)
```php
$query = "select * from userid where username='$_REQUEST[username]'";
```
Now think about what happens if a user sends a malicious request making $_REQUEST[username] something like
' OR username LIKE '%. The resulting query string would be
```sql
select * from userid where username='' OR username LIKE '%'
```
Ouch!

And this is one of the more harmless insertions...
But just like you can mark certain characters as content (not special characters) in php you can for mysql.
Take a look at
http://php.net/mysql_escape_string
then try
```php
$query = "select * from userid where username='" . mysql_escape_string($_REQUEST['username']) . "'";
$result = mysql_query($query) or die(__FILE__ . '@' . __LINE__ . ': ' . mysql_error()); // extending qartis' lookup
```
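As an added illustration of the two points above (the unescaped value landing inside the SQL text, and keeping user data out of the SQL text altogether), here is a small self-contained script. It is not code from this thread; it keeps the thread's table and column names (userid, username) but uses PDO with an in-memory SQLite database so it runs without a MySQL server, and since mysql_escape_string() no longer exists in current PHP the hardened lookup uses a prepared statement, which is the modern equivalent of escaping: the driver sends the value separately and it can never be parsed as part of the query. The inputs are constructed: a normal name and the `' OR username LIKE '%` payload discussed above.

```php
<?php
// Added example, not from the original thread. Requires the pdo_sqlite extension.

// The vulnerable construction from the thread: the value is pasted into the SQL text,
// so quote characters in the value change the meaning of the statement.
function buildQueryNaive(string $username): string
{
    return "select * from userid where username='$username'";
}

// Hardened lookup: a prepared statement with a bound parameter. The SQL text is fixed
// and the value is transmitted separately, so it is always treated as data.
function lookupUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT * FROM userid WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test database with the thread's table name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userid (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO userid (username) VALUES ('Nick'), ('alice'), ('bob')");

// Constructed inputs: a normal name and the payload from the thread.
$inputs = ['Nick', "' OR username LIKE '%"];

foreach ($inputs as $input) {
    $naiveSql  = buildQueryNaive($input);
    $naiveRows = $db->query($naiveSql)->fetchAll(PDO::FETCH_ASSOC);
    $safeRows  = lookupUser($db, $input);

    printf("input:          %s\n", $input);
    printf("naive SQL:      %s\n", $naiveSql);
    printf("naive rows:     %d\n", count($naiveRows));
    printf("prepared rows:  %d\n\n", count($safeRows));
}
```

Running it shows the difference directly: for the normal name both paths find the same single row, while for the payload the naive query turns into the `username='' OR username LIKE '%'` statement from above and matches every row, whereas the prepared statement simply looks for a user whose name is literally that string and finds nothing.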