Syntax error with Special Characters in Password

$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

Hi,

I am having trouble with validation.
When I validate a user I'm getting errors with special characters in the username and password.
The error appears in $result = mysql_query($sql)

Username is similar to this: username@honeycombworldwide.com
Password is similar to this: password!

----

$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT * FROM it_mem WHERE Mem_Email=".$username." AND Mem_Password=".$password;
$result = mysql_query($sql) or die (mysql_error());
---

When I echo $result with $username and $password filters, I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@honeycombworldwide.com AND Mem_Password=password!' at line 1

When I echo $result with just $password as a filter, I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '!' at line 1

--

Any idea? Thanks for looking

volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

String literals have to be marked for MySQL.

SELECT x,y,z FROM abc WHERE foo='bar'
Your script is also prone to SQL injections, see http://en.wikipedia.org/wiki/SQL_injection

Try

$password = mysql_real_escape_string($_POST['password']);
$username = mysql_real_escape_string($_POST['username']);
$sql = "SELECT
		*
	FROM
		it_mem
	WHERE
		Mem_Email='$username'
		AND Mem_Password='$password'";
$result = mysql_query($sql) or die (mysql_error());
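
Added example, not code from either poster: the same login lookup run three ways (unquoted concatenation as in the first post, quoted-and-escaped literals as in the reply, and a prepared statement with bound parameters). It uses PDO with an in-memory SQLite database in place of the mysql_* functions, which were removed in PHP 7.0, so it runs without a MySQL server; the table and column names come from the thread, the rows and inputs are constructed, and findMember() is a hypothetical helper name. PDO::quote() is used as the counterpart of mysql_real_escape_string() plus the surrounding quotes.

```php
<?php
// Added example, not the thread's own code. In-memory SQLite via PDO stands in
// for the MySQL database of the original post; rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE it_mem (Mem_Email TEXT, Mem_Password TEXT)");
$pdo->exec("INSERT INTO it_mem VALUES ('username@honeycombworldwide.com', 'password!')");

// Inputs as they would arrive in $_POST (constructed sample values)
$username = 'username@honeycombworldwide.com';
$password = 'password!';

// 1. Unquoted concatenation, as in the original post. Without quotes the
//    database parses '@', '.' and '!' as SQL tokens, not as part of a string,
//    and rejects the statement. The exception message carries the server's
//    syntax error, like the ones quoted in the thread.
$unquoted = "SELECT * FROM it_mem WHERE Mem_Email=" . $username
          . " AND Mem_Password=" . $password;
try {
    $pdo->query($unquoted);
    echo "unquoted: unexpectedly accepted" . PHP_EOL;
} catch (PDOException $e) {
    echo "unquoted: " . $e->getMessage() . PHP_EOL;
}

// 2. Quoted and escaped literals. PDO::quote() wraps the value in single
//    quotes and escapes any quote characters inside it, so special characters
//    in the username or password stay inside the string literal.
$quoted = "SELECT * FROM it_mem WHERE Mem_Email=" . $pdo->quote($username)
        . " AND Mem_Password=" . $pdo->quote($password);
$rows = $pdo->query($quoted)->fetchAll(PDO::FETCH_ASSOC);
echo "quoted: " . count($rows) . " row(s) matched" . PHP_EOL;

// 3. Prepared statement with bound parameters (hypothetical helper). The
//    values never become part of the SQL text, so no escaping is needed and
//    user input cannot alter the structure of the query.
function findMember(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare(
        "SELECT * FROM it_mem WHERE Mem_Email = :email AND Mem_Password = :password"
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

echo "prepared, valid credentials: "
   . (findMember($pdo, $username, $password) !== null ? 'match' : 'no match') . PHP_EOL;
// A value containing a quote character is still compared as plain data:
echo "prepared, password with a quote: "
   . (findMember($pdo, $username, "pass'word!") !== null ? 'match' : 'no match') . PHP_EOL;
```

Run it with `php example.php` on a PHP build that has the pdo_sqlite extension (enabled by default in most distributions). The first statement fails, the second matches one row, and the prepared statement matches only the genuine credentials; a value with an embedded quote does not break the query because it is bound, not spliced into the SQL string.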

$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

Thanks, that's so handy.