trouble calling query with session info

$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto


Post by $var »

Hello...

I'm having a peculiar issue.
I'm using a SELECT * FROM statement to call a user profile based on their username.

if (!empty($_POST['uniquename'])) {
    $_SESSION['uniquename'] = $_POST['uniquename'];
}

$q1 = 'SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName='.$_SESSION['uniquename'];

$_SESSION['uniquename'] prints mbent, which is correct.

The thing is, it appears to be substituting the column UserDetail_UniqueName with 'mbent'...
The query prints this: SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName=mbent
But I get this error, and the user isn't selected:
Unknown column 'mbent' in 'where clause'
Any ideas?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

mbent is a string and needs to be wrapped in single quotes in the query...

<?php
$q1 = "SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName='{$_SESSION['uniquename']}'";
?>
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

The shown code has an SQL injection in $_POST['uniquename'].

Also, if the result should logically be unique, add a "LIMIT 1" at the end of the query. I usually do this, even if it's redundant, because it is self-documenting and increases the readability as it clearly states your expectations.
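The same lookup written with a prepared statement, as an added example that is not code from the thread: the username is bound as a parameter rather than spliced into the SQL string, which fixes both the missing-quote error and the injection Mordred points out. It assumes PDO with an in-memory SQLite table standing in for hcw_userDetail (constructed sample rows), and sets $_SESSION directly instead of reading it from a form post.

```php
<?php
// Constructed stand-in for the real hcw_userDetail table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hcw_userDetail (UserDetail_UniqueName TEXT, UserDetail_Email TEXT)');
$pdo->exec("INSERT INTO hcw_userDetail VALUES ('mbent', 'mbent@example.com'), ('alice', 'alice@example.com')");

// Look up one profile by unique name. The placeholder keeps the value out of the
// SQL text, so no quoting is needed and no input can change the query structure.
// LIMIT 1 documents the expectation that the name is unique.
function findUserByUniqueName(PDO $pdo, string $uniqueName): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName = :name LIMIT 1'
    );
    $stmt->execute([':name' => $uniqueName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed session value (in the real script this comes from $_POST via session_start()).
$_SESSION['uniquename'] = 'mbent';

$user = findUserByUniqueName($pdo, $_SESSION['uniquename']);
echo $user === null ? "no such user\n" : "found {$user['UserDetail_Email']}\n";

// A value containing a quote is compared literally as data: no row matches,
// and no "Unknown column" error occurs, because the text never reaches the SQL parser.
$odd = findUserByUniqueName($pdo, "o'brien");
echo $odd === null ? "no such user\n" : "found {$odd['UserDetail_Email']}\n";
```

Running it prints the e-mail for mbent and then "no such user" for the quoted name; the same lookup done by concatenation, as in the thread, would either fail to parse or be open to whatever the submitted name contains.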