[SOLVED] You have an error in your SQL syntax! What? Where?

[ShiloVir]

This is the code im using:

<?php
$sql = mysql_real_escape_string("SELECT f_name, l_name, airline_id, callsign FROM auth_users WHERE airline_id = 
'".$_POST["airline_id"]."' AND password = PASSWORD('".$_POST["password"]."')");
$result = mysql_query($sql, $conn) or die(mysql_error());
?>

 

and its giving me this error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\r\n\'sva\' AND password = PASSWORD(\mehpassword\')' at line 1

[dezkit]

Are you trying to pass a function inside the query?

[ShiloVir]

IM trying to do what it says above. haha, sorry. Ima Newbie and dont know what u mean. if you stating... am I trying to pass $_POST['']; variables in a query then the answer is "yes"!

[PFMaBiSmAd]

You don't apply mysql_real_escape_string() to the query string, you apply it to the pieces of data within the query string.

[ShiloVir]

haha. oops! Ima dummy. I knew that too! Why did I do that??

 

TOPIC SOLVED!! (I need some coffee)

[ShiloVir]

This works:

 

<?php
$sql = "SELECT f_name, l_name, airline_id, callsign FROM auth_users WHERE airline_id = 
'".mysql_real_escape_string($_POST["airline_id"])."' AND password = PASSWORD('".mysql_real_escape_string($_POST["password"])."')";
$result = mysql_query($sql, $conn) or die(mysql_error());
?>

 

Thanks guys!

[PFMaBiSmAd]

Don't use the mysql PASSWORD() function in your application -

 

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.

 

The hash used by the PASSWORD() function has been changed on occasions, resulting in broken applications by those who used it against the recommendations of mysql.

[ShiloVir]

so what do I use now instead of it? I need a hash in my database. I cant leave that unsecured