trouble calling query with session info

Posted: Thu Feb 08, 2007 1:56 pm
by $var
hello...

i'm having a peculiar issue.
i'm using a SELECT * FROM statement to call a user profile based on their username.

if (!empty($_POST['uniquename'])) {
    $_SESSION['uniquename'] = $_POST['uniquename'];
}

$q1 = 'SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName='.$_SESSION['uniquename'];

$_SESSION['uniquename'] prints mbent, which is correct.

the thing is, it appears to be substituting the column UserDetail_UniqueName with 'mbent'...
the query prints this: SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName=mbent
but i get this error, and the user isn't selected
Unknown column 'mbent' in 'where clause'
any ideas?

Posted: Thu Feb 08, 2007 2:11 pm
by RobertGonzalez
mbent is a string and needs to be wrapped in single quotes in the query...

<?php
$q1 = "SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName='{$_SESSION['uniquename']}'";
?>

Posted: Thu Feb 08, 2007 3:43 pm
by Mordred
The shown code has an SQL injection in $_POST['uniquename'].

Also, if the result should logically be unique, add a "LIMIT 1" at the end of the query. I usually do this, even if it's redundant, because it is self-documenting and increases the readability as it clearly states your expectations.
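
Added example, not code from any poster in this thread: the quoted-concatenation query compared with a prepared statement that also carries the "LIMIT 1" suggested above. It assumes PDO with an in-memory SQLite database standing in for the original MySQL one; the Email column, the sample rows and the function names findUserConcat and findUserPrepared are hypothetical.

```php
<?php
// Assumption: in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hcw_userDetail (UserDetail_UniqueName TEXT PRIMARY KEY, Email TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO hcw_userDetail VALUES ('mbent', 'mbent@example.test'), ('admin', 'admin@example.test')");

// Quoted concatenation, as in the thread: the value becomes part of the SQL text,
// so a quote character inside it changes how the statement is parsed.
function findUserConcat(PDO $pdo, string $name): array
{
    $q = "SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName='{$name}'";
    return $pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is bound as data.
// LIMIT 1 states that at most one profile is expected.
function findUserPrepared(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM hcw_userDetail WHERE UserDetail_UniqueName = :name LIMIT 1'
    );
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal name, a name containing an apostrophe,
// and a value that rewrites the WHERE clause when concatenated.
$inputs = ['mbent', "o'brien", "x' OR '1'='1"];

foreach ($inputs as $name) {
    try {
        $concat = count(findUserConcat($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';   // the apostrophe broke the statement
    }
    $prepared = findUserPrepared($pdo, $name) === null ? 'no match' : '1 row';
    printf("%-16s concat: %-10s prepared: %s\n", $name, $concat, $prepared);
}
```

Values read back from $_SESSION need the same binding, since the session entry here is copied straight from $_POST.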