help i'm new to mySQL

I don't know what I'm doing wrong. I'm trying to get all the fields from a
specific row by user name. I'm using PHP and I got the connection string down,
and I made a query like this:

$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

The variable $_POST[user] was passed to the PHP code from a previous HTML
form. I get the error:
Unknown column '<username here>' in 'where clause'

The <username here> part shows whatever I typed in my previous form as a
user name.

I'm guessing I'm using the wrong syntax and I can't find any help on it.
Perhaps someone could explain this to me and point me to a site or manual
on this sort of thing. I tried, but they have mostly different
functions; I couldn't find this one there.

~ K.R

Re: help i'm new to mySQL


Some things:

1) Do a google for "PHP SQL injection" and then never use form-submitted
   data directly in a query again, you're risking your db and server!

   SQL Injection

2) The username is a string, it has to be single-quoted in the query.

The missing quotes are what causes the error, because MySQL treats the
submitted username as a column name instead of a value.


The error is caused by MySQL, not PHP. Have a look at (or better
download) the MySQL manual.

10.1.1 Strings

10.2 Database, Table, Index, Column, and Alias Names


Re: help i'm new to mySQL


$sql = sprintf("SELECT * FROM %s WHERE name = '%s'",
    $dbname, $_POST[user]);

echo $sql;
$result = mysql_query($sql);
if(! $result || mysql_error() || mysql_num_rows($result) < 1)
   echo "Unable to find records [$sql] : " . mysql_error() . "<br>\n";

Re: help i'm new to mySQL

*** Kamil wrote (Sat, 02 Oct 2004 06:02:29 GMT):

What I've found to be wrong:

1) FROM clause needs a table name, not a database name
2) Strings in SQL must be quoted (single quotes)
3) You must escape single quotes within strings to avoid SQL injection and
syntax errors
4) Associative arrays use a string as an index, not a constant

It should be:

"SELECT * FROM table_name WHERE name='" . mysql_escape_string($_POST['user']) . "'"

-+ Álvaro G. Vicario - Burgos, Spain
+- (the humour website varnished for outdoor use)
++ Computer questions received by e-mail go straight to the bin
-+ I'm not a free help desk, please don't e-mail me your questions
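Putting the four points above together, here is an added example that is not code from the thread. It uses PDO with an in-memory SQLite database (an assumption made so it runs without a MySQL server; the same PDO calls work against MySQL with a `mysql:` DSN) and assumed table and column names `users`, `name` and `email`. It reproduces the original "unknown column" error from an unquoted value, shows that a quoted-but-concatenated value still breaks as soon as the input contains a single quote, and then the parameterised query that fixes both problems.

```php
<?php
// Added example, not from the thread. PDO + SQLite in-memory so it runs
// offline; table/column names are assumptions, sample rows are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw exceptions instead of silently returning false on SQL errors.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT)");

    // Constructed sample rows; the second name contains a single quote on purpose.
    $ins = $db->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    foreach ([['kamil', 'k@example.invalid'], ["o'brien", 'ob@example.invalid']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// 1) The original mistake: the value is pasted in without quotes, so the
//    parser reads it as an identifier (column name), not a string literal.
function lookupUnquoted(PDO $db, string $user): array
{
    try {
        $rows = $db->query("SELECT id, name FROM users WHERE name = $user")->fetchAll(PDO::FETCH_ASSOC);
        return ['rows' => $rows];
    } catch (PDOException $e) {
        // SQLite reports "no such column: kamil"; MySQL reports
        // "Unknown column 'kamil' in 'where clause'" for the same mistake.
        return ['error' => $e->getMessage()];
    }
}

// 2) Quoted but still concatenated: works for plain names, but any quote in
//    the input ends the literal early and the rest becomes SQL text.
function lookupConcatenated(PDO $db, string $user): array
{
    try {
        $rows = $db->query("SELECT id, name FROM users WHERE name = '$user'")->fetchAll(PDO::FETCH_ASSOC);
        return ['rows' => $rows];
    } catch (PDOException $e) {
        return ['error' => $e->getMessage()];
    }
}

// 3) Parameterised query: the value is bound by the driver and never becomes
//    part of the SQL text, so quoting and escaping are no longer your problem.
function lookupPrepared(PDO $db, string $user): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $user]);
    return ['rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

$db = makeDb();
var_dump(lookupUnquoted($db, 'kamil'));          // ['error' => '... no such column: kamil']
var_dump(lookupConcatenated($db, 'kamil'));      // one row
var_dump(lookupConcatenated($db, "o'brien"));    // ['error' => syntax error near "brien"]
var_dump(lookupPrepared($db, "o'brien"));        // one row, the quote is handled by the driver
```

The `mysql_*` functions used throughout this thread were removed in PHP 7.0; the current replacements (`mysqli` and PDO) both provide prepared statements, which is the check that makes points 2 and 3 of the list above unnecessary to get right by hand.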

Re: help i'm new to mySQL

 .oO(Alvaro G. Vicario)


The above is correct (simple) PHP syntax. Quoting the index there would
cause a parse error. When using complex (curly) syntax or accessing the
array outside a string then you're right.


Re: help i'm new to mySQL


Thanks for all the help. I looked up all those sites and learned a thing or
two, but it still didn't help me... I know about the risk to the server and DB
but I'm not worried; no one knows about this DB and I'm not planning to use it
anywhere, it's just for my own practice. I'm still having problems, but I think
I DID make some progress. Here's what's going on now...

What I did to test what is going on is I put my query string in an echo
statement, and the literal string that comes out that is used in the query is

SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1

I copied and pasted this exact string into phpMyAdmin and replaced <user>
with a real user name in my table and it did pull the record, but now my PHP
gives this error:

Warning: Wrong parameter count for mysql_query() in <directory> on line 12

Any ideas?? I'm really confused.

Re: help i'm new to mySQL

I noticed that Message-ID:

... don't show us that bit of code...
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs /

Re: help i'm new to mySQL


The message means what it says. The manual tells you what parameters the
mysql_query() function requires, and you have obviously gone and given it
something which is completely different. I suggest you learn to read.

Tony Marston

Re: help i'm new to mySQL

Kamil wrote:
It needs to be in quotes.
