0

My problem is too many quotation marks.

$come = mysql_query("SELECT * FROM users WHERE email="$_POST['email']" and password="$_POST['password']" ");

Then I tried this but it doesn't work ...

$come = mysql_query("SELECT * FROM users WHERE email="/$_POST['email']/" and password="/$_POST['password']/" ");

Please help me :/

Nol
  • 4
    Use a modern DB interface and bind parameters. Anything else is a waste of everyone's time. – Mat Nov 24 '17 at 11:05
  • 1
    As Mat says you should use bind parameters, but if you insist on doing it like you are (which contains a security hole) then you should be using single quotes for `WHERE email='some string'`, even if MySQL lets you use double quotes there. Then you'll probably need to use escaped double quotes for `$_POST[\"email\"]`. Also, you should learn the difference between a slash and a backslash :) and use them before the thing you're trying to escape. – Wodin Nov 24 '17 at 11:11
  • 1
    And the difference between single and double quotes :-) which used in a nice way reduces the amount of scaping chars... – m3nda Nov 24 '17 at 11:40

2 Answers

1

Solution to your question:

<?php
$come = mysql_query(sprintf('SELECT * FROM users WHERE email="%s" and password="%s"', $_POST['email'], $_POST['password']));

But you should never use code like this. You have a SQL Injection in your code. Rewrite this using PDO.

<?php

// Connect; credentials and host are placeholders for your own setup.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=mydb', 'user', 'password');
// The SQL text contains only named placeholders, never user input.
$stmt = $pdo->prepare('SELECT * FROM users WHERE email=:email and password=:password');
// The values are bound separately, so quotes inside them stay plain data.
$stmt->execute(['email' => $_POST['email'], 'password' => $_POST['password']]);
$result = $stmt->fetchAll();

More: http://php.net/manual/ru/pdo.prepared-statements.php

  • Okay, I'll check it .. This is my school project so they do not mind security flaws. Thank you :) – Nol Nov 24 '17 at 11:22
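As an added example that is not part of the question or either answer, the following runs the question's string-built query next to the prepared-statement form against a constructed in-memory SQLite table (it assumes the pdo_sqlite extension is available, so no MySQL server is needed):

```php
<?php
// Added example, not code from the question or either answer. It runs the
// string-built query from the question beside a PDO prepared statement
// against a constructed in-memory SQLite table (no MySQL server needed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('o''brien@example.com', 'secret')");

// The approach in the question and the second answer: the input becomes
// part of the SQL text, so a quote inside it ends the string literal early.
function buildNaiveQuery(string $email, string $password): string
{
    return "SELECT * FROM users WHERE email='" . $email
         . "' and password='" . $password . "'";
}

// The approach in the first answer: placeholders keep the SQL text fixed
// and the values travel separately, so quotes in them are just data.
function countMatchesSafely(PDO $pdo, string $email, string $password): int
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE email = :email AND password = :password'
    );
    $stmt->execute(['email' => $email, 'password' => $password]);
    return (int) $stmt->fetchColumn();
}

// Constructed input: a perfectly legitimate address containing an apostrophe.
$email = "o'brien@example.com";
$password = 'secret';

try {
    $pdo->query(buildNaiveQuery($email, $password));
    echo "naive query ran\n";
} catch (PDOException $e) {
    // The apostrophe closed the literal, so the rest is a syntax error. The
    // same mechanism is what lets crafted input rewrite the query (injection).
    echo "naive query failed: " . $e->getMessage() . "\n";
}

// The prepared statement compares the column against the whole string,
// apostrophe included, and finds the one matching row.
echo "prepared statement matched "
   . countMatchesSafely($pdo, $email, $password) . " row(s)\n";
```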
-2
$come = mysql_query("SELECT * FROM users WHERE email='".$_POST['email']."' and password='".$_POST['password']."' ");

Try this; it should fix your issue. But mysql is deprecated; consider mysqli or PDO.

pr1nc3
  • 1
    Apart from the sql injection problem, this will not work as string values need to be quoted in mysql. – jeroen Nov 24 '17 at 11:09
  • Yop, thank you ... I forgot that there should be dots :) Thank you .. :)) #NewInMysql – Nol Nov 24 '17 at 11:10
  • 1
    I know there is SQL injection danger and the method is deprecated, but I can't understand the downvotes. I suggested changing the method, but my answer answers the OP's question. – pr1nc3 Nov 24 '17 at 11:17