Simple table query syntax error?_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-04-08 19:46 出处：网络

I hope someone here can help me see where this error is coming from. I have a form with two fields: email and password. The form\'s action takes it to a php page that is supposed to

相关专题：php

I hope someone here can help me see where this error is coming from.

I have a form with two fields: email and password. The form's action takes it to a php page that is supposed to

start a session
connect to a database via mysql
run a query and select a row in a table where the email field is similar to the email submitted in the form.

At this stage it is incomplete, I only echo some of the fields at the end of the script to see if it works.

I tested it and there was an unexpected end error that came up right at the last line; a bracket I left out. So I though there would be no other errors, but then when I tested it again I got this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 6

@gmail.com is the last bit of the email I submitted.

Here is the code of the php (action) page:

<?php
session_start();
$_SESSION['sessionemail'] = $_POST['email'];
$_SESSION['sessionpassword'] = $_POST['password'];
$_SESSION['authuser'] = 0;

$dbhost = 'somewhere.com';
$dbuser = 'user';
$dbpass = 'pw';

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');

$dbname = 'medreunten_db1';
mysql_select_db($dbname) or die(mysql_error($conn)); 


$query = 'SELECT
    name, smacker, surname, sex, age, nationality, email
    FROM
 开发者_如何学C   employee
    WHERE
    email = ' . $_POST['email'];
$result = mysql_query($query, $conn) or die (mysql_error($conn));
extract(mysql_fetch_assoc($result));  


while ($row = mysql_fetch_array($result)) {
echo $row['name'];
echo $row['surname'];
echo $row['age'];
}
?>

I tried removed the first 5 lines and I still got the same error.

Somehow, when the php gets parsed, the browser reads the content of the email variable as if it is part of my php code. At least that's what I thought because the error I receive states that there is a problem with the syntax near "@gmail.com".

I hope someone can give me a clue!

You have an SQL injection, always apply mysql_real_escape_string() to any user-submitted or otherwise potentially tampered-with data before sending to a MySQL database.

Note the ' around the email variable.

$email = mysql_real_escape_string($_POST['email']);

$query = "
SELECT name, smacker, surname, sex, age, nationality, email
FROM employee
WHERE email = '$email'
";

<?php
session_start();
$_SESSION['sessionemail'] = $_POST['email'];
$_SESSION['sessionpassword'] = $_POST['password'];
$_SESSION['authuser'] = 0;

$dbhost = 'dedi147.cpt2.host-h.net';
$dbuser = 'medreunten_1';
$dbpass = 'AGqrVrs8';

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');

$dbname = 'medreunten_db1';
mysql_select_db($dbname) or die(mysql_error($conn)); 


$query = "SELECT name, smacker, surname, sex, age, nationality, email FROM employee WHERE email = '" . $_POST['email']."'";
$result = mysql_query($query, $conn) or die (mysql_error($conn));
extract(mysql_fetch_assoc($result));  


while ($row = mysql_fetch_array($result)) {
echo $row['name'];
echo $row['surname'];
echo $row['age'];
}
?>

try this, should work