webguync Posted April 9, 2009 Share Posted April 9, 2009 Hi, I am getting the following SQL error when trying to login authenticating against MSQL table info. the error is "The query failed You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''roster' WHERE username='bruce.gilbert@edtsi.com'' at line 2" the authentication code again the DB I am using is below. The fields I am authenticating against are 'username' and 'pwid' <?php ini_set("display_errors","1"); ERROR_REPORTING(E_ALL); $con = mysql_connect("localhost","username","pw"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("DBNAME", $con); // Start a session. Session is explained below. session_start(); // Same checking stuff all over again. if(isset($_POST['submit'])) { if(empty($_POST['username']) || empty($_POST['pwid'])) { echo "Sorry, you have to fill in both your username and password"; exit; } // Create the variables again. $username = $_POST['username']; $pwid = $_POST['pwid']; // Encrypt the password again with the md5 hash. // This way the password is now the same as the password inside the database. $pwid = md5($pwid); // Store the SQL query inside a variable. // ONLY the username you have filled in is retrieved from the database. $query = "SELECT username,pwid FROM 'roster' WHERE username='$username'"; $result = mysql_query($query); if(!$result) { // Gives an error if the username given does not exist. // or if something else is wrong. echo "The query failed " . mysql_error(); } else { // Now create an object from the data you've retrieved. $row = mysql_fetch_object($result); // You've now created an object containing the data. // You can call data by using -> after $row. // For example now the password is checked if they're equal. if($row->pwid != $pwid) { echo "I am sorry, but the passwords are not equal."; exit; } // By storing data inside the $_SESSION superglobal, // you stay logged in until you close your browser. $_SESSION['username'] = $username; $_SESSION['sid'] = session_id(); // Make it more secure by storing the user's IP address. $_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; // Now give the success message. // $_SESSION['username'] should print out your username. echo "Success! You are now logged in " . $_SESSION['username']; } } ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> </body> </html> Quote Link to comment Share on other sites More sharing options...
cyberbob1uk Posted April 9, 2009 Share Posted April 9, 2009 Does removing the single quotes around roster do anything? <?php $query = "SELECT username,pwid FROM 'roster' WHERE username='$username'"; Quote Link to comment Share on other sites More sharing options...
webguync Posted April 9, 2009 Author Share Posted April 9, 2009 yea, that was the problem. Thanks! Quote Link to comment Share on other sites More sharing options...
Maq Posted April 10, 2009 Share Posted April 10, 2009 Only the values you're comparing to need single quotes around them (unless the field type is integer). You may have seen backtick ` around table names, that's due to the table name is a MySQL reserved word, and with backticks it kind of escapes that word and knows it's a table name rather than a MySQL function/keyword. Please mark as [sOLVED]. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.