Explore our sites

Stack Exchange
tour help careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

Few others have got this same problem at the outset, however, I'm repeating this question because mine seems to be specific to EMail IDs.

I have a query that retrieves the password given a specific email id as input. THis is my query

Select Password from userauth where user_name in (select id from users where email = '[email protected]')

This query executes without any problem when done from phpMyAdmin.

However, it doesn't work when I do it through a php script. That php script is as follows:

<?php

// Grab User submitted information
$email = $_POST["users_email"];
$pass = $_POST["users_pass"];

// Connect to the database
$con= mysql_connect("localhost","root","sriram123");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// Select the database to use
mysql_select_db("mydb",$con);

echo "Select Password from userauth where user_name in (select id from users where email = '$email')";

$result = mysql_query("Select Password from userauth where user_name in (select id from users where email = $email)");

if($result === FALSE) {
    echo "Error Occured. ";
    die(mysql_error()); // TODO: better error handling
}

while($row = mysql_fetch_array($result))
{
    echo $row['Password'];
}


mysqli_close($con);
?>

Now, I get an error message like this when I execute it:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@xxx.com)' at line 1

I am new to PHP, and i'm just not sure why this thing works in phpMyAdmin but fails to work in my PHP script.

share|improve this question
2  
Have you tried putting quotes around the variable? $email => '$email' –  Elliot Lings Sep 15 '13 at 16:20
add comment

4 Answers

up vote 4 down vote

xkcd

It looks like you didn't put the proper quotes around the variable, but you should use mysql_real_escape_string to make sure it's actually safe to use in a query.

share|improve this answer
add comment
up vote 2 down vote

1) Use PDO

2) Escape MYSQL names (Select Password from -> Select `Password` from)

3) Quote variables ($email -> '$email')

4) Never expose your password ($con= mysql_connect("localhost","root","PASSWORD");)

Start with this :)

share|improve this answer
1  
5) Never use such a simple password anyway XD –  Niet the Dark Absol Sep 15 '13 at 16:24
 
6) Don't expose the already exposed password. –  Amal Murali Sep 15 '13 at 16:33
 
you are very right about number 6 –  Laurent Sep 15 '13 at 17:44
add comment
up vote 1 down vote 
$result = mysql_query("Select Password from userauth where user_name in
    (select id from users where email = $email)");

If $email is [email protected] it would be like:

$result = mysql_query("Select Password from userauth where user_name in
    (select id from users where email = [email protected])");

You are missing the '' around the e-mail address, as its a string.

Also, always use mysql_real_escape_string to escape every external string put into your query, otherwise your site will be vulnerable to SQL Injection attacks.

share|improve this answer
add comment
up vote 0 down vote

You don't have the correct quotes around the $email variable. Try wrapping them in single quotes.

Change your code to:

$email = mysql_real_escape_string($email); //escaping
$query = "
SELECT Password
FROM userauth
WHERE user_name IN
    (SELECT id
     FROM users
     WHERE email = '$email')
     ";

$result = mysql_query($query);

Also, your MySQL query, as it currently stands, is vulnerable to SQL injection, and you should look into escaping user input. Better yet, stop using the deprecated mysql_* functions and switch to MySQLi or PDO.

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.