
I have this piece of code in PHP to make a query against a MySQL database:

if(isset($_SESSION["esb2b_userid"])){
     $check_row = mysql_num_rows(mysql_query("select * from esb2b_basket where es_session='.$site.' and es_uid=".$_SESSION["esb2b_userid"]) or die(mysql_error()));

     echo "Logged in as <b>" . $_SESSION["esb2b_username"] . "</b>" ;
    ?> <?   }else{
    ?>  <? echo "$to" ?> Our Website <? } ?> <? if($_SESSION['esb2b_userid']=='')
            {?> <span id="log-info"><a href="<?=$domain_url?>/signup.html"><? echo "$Join_Free" ?></a><?php }?> |

     <? if($_SESSION['esb2b_userid']=='')
            {?> <a href="<?=$domain_url?>/signin.php?file="><? echo "$Sign_In" ?></a><?php } else { ?><a href="<?=$domain_url?>/logout.php" > <? echo "$Sign_out" ?> </a><?php }?>

But here I am getting an error like this:

Unknown column 'esb2b_userid' in 'where clause'

So can someone kindly tell me why I am getting this result and how I can solve this issue? Any help and suggestions will be really appreciated. Thanks


closed as too localized by Till Helge, Ocramius, Jocelyn, tereško, Graviton Mar 5 '13 at 2:00


    
Hi! You should use PDO with prepared queries. – Guicara Mar 4 '13 at 11:27
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial. – Till Helge Mar 4 '13 at 11:27
    
Can we see your database schema? Obviously the esb2b_userid column doesn't exist. Also, your code is missing a closing double quote and is subject to trivial SQL insertion attacks. – Jan Dvorak Mar 4 '13 at 11:42

You should escape your variables with mysql_real_escape_string to protect against SQL injection. Try this:

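  // Run the query first so that "or die" applies to mysql_query() and not to the argument of mysql_num_rows()
  $result = mysql_query("select * from esb2b_basket 
  where es_session= '".mysql_real_escape_string($site)."' 
         and es_uid='".mysql_real_escape_string($_SESSION["esb2b_userid"])."' ") or die(mysql_error());
  $check_row = mysql_num_rows($result);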

And please don't use mysql; change to mysqli or PDO.

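The prepared-statement approach recommended in the comments and in the answer above, as an added example that is not part of the original thread. It assumes pdo_sqlite is available and that esb2b_basket has the two columns named in the question; the in-memory SQLite database, the sample rows and the helper name basket_row_count are constructed for illustration.

```php
<?php
// Added example, not code from the original thread.
// An in-memory SQLite database stands in for MySQL so the script runs offline;
// for MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; column names are taken from the question's query.
$pdo->exec('CREATE TABLE esb2b_basket (es_session TEXT, es_uid INTEGER)');
$pdo->exec("INSERT INTO esb2b_basket VALUES ('siteA', 7), ('siteA', 8), ('siteB', 7)");

/**
 * Count basket rows for one session/user pair (hypothetical helper).
 * The SQL text is fixed; $site and $userId travel separately as bound
 * parameters, so they can never be parsed as column names or operators.
 */
function basket_row_count(PDO $pdo, string $site, string $userId): int
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM esb2b_basket
          WHERE es_session = :site AND es_uid = :uid'
    );
    $stmt->execute([':site' => $site, ':uid' => $userId]);
    return (int) $stmt->fetchColumn();
}

// Constructed stand-in for the real session array.
$_SESSION = ['esb2b_userid' => '7'];

if (isset($_SESSION['esb2b_userid'])) {
    // Normal case: the user's rows for this site are counted.
    echo basket_row_count($pdo, 'siteA', $_SESSION['esb2b_userid']), "\n";
}

// Values that would alter a concatenated query are only compared as data
// here, so they match no rows instead of changing the WHERE clause.
echo basket_row_count($pdo, 'siteA', 'esb2b_userid'), "\n";
echo basket_row_count($pdo, 'siteA', '7 OR 1=1'), "\n";
```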

Your parentheses in your query are a bit mixed up, try:

$result = mysql_query("select * from esb2b_basket where es_session='".$site."' and es_uid='".$_SESSION["esb2b_userid"]."'") or die(mysql_error());
$check_row = mysql_num_rows($result);

Change this

mysql_query("select * from esb2b_basket where es_session='.$site.' and es_uid=".$_SESSION["esb2b_userid"])

to

mysql_query("select * from esb2b_basket where es_session='".$site."' and es_uid=".$_SESSION["esb2b_userid"])
    
Still I am getting the same error in that line... – Pradeep Mahapatra Mar 4 '13 at 11:31
