dhillon555 Posted June 5, 2009 Share Posted June 5, 2009 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"tom\"' at line 1 I am am getting the following error I am using the following code can anybody help me ??? $username = mysql_escape_string($_SESSION['myusername']); $query = "SELECT user_info.username, user_info.`password`, user_info.UserID, user_info.EmailAddress, user_info.Address, user_info.Postcode, user_info.FirstName, user_info.LastName FROM user_info WHERE user_info.username = \"$username\""; $results = mysql_query(mysql_escape_string($query)) or die(mysql_error()); while ($row = mysql_fetch_array($results)) { extract($row); echo $username; echo $password; echo $UserID; echo $EmailAddress; echo $Address; echo $Postcode; echo $FirstName; echo $LastName; } ?> Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/ Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 You don't escape the whole SQL string; only the variables you substitute into it. Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/#findComment-849698 Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 And strings in MySQL are surrounded by single quotes, not double quotes. Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/#findComment-849699 Share on other sites More sharing options...
dhillon555 Posted June 5, 2009 Author Share Posted June 5, 2009 Does anybody know if the below code is correct I am getting the error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"tom\"' at line 1 $username = ($_SESSION['myusername']); $query = "SELECT user_info.username, user_info.`password`, user_info.UserID, user_info.EmailAddress, user_info.Address, user_info.Postcode, user_info.FirstName, user_info.LastName FROM user_info WHERE user_info.username = '$username'"; $results = mysql_query(mysql_escape_string($query)) or die(mysql_error()); while ($row = mysql_fetch_array($results)) { extract($row); echo $username; echo $password; echo $UserID; echo $EmailAddress; echo $Address; echo $Postcode; echo $FirstName; echo $LastName; } ?> Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/#findComment-849706 Share on other sites More sharing options...
Ken2k7 Posted June 5, 2009 Share Posted June 5, 2009 Use mysql_real_escape_string on $username like you had it on the first post. roopurt18 was telling you to escape the username string, but not the SQL as a whole, meaning the function call to mysql_escape_string() inside mysql_query() should be removed. Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/#findComment-849751 Share on other sites More sharing options...
roopurt18 Posted June 5, 2009 Share Posted June 5, 2009 <?php $username = mysql_real_escape_string($_SESSION['myusername']); // escape input going INTO the database $query = "SELECT user_info.username, user_info.`password`, user_info.UserID, user_info.EmailAddress, user_info.Address, user_info.Postcode, user_info.FirstName, user_info.LastName FROM user_info WHERE user_info.username = '$username'"; $results = mysql_query($query) // DONT escape the entire SQL query...BAD BAD BAD or die(mysql_error()); while ($row = mysql_fetch_array($results)) { extract($row); echo $username; echo $password; echo $UserID; echo $EmailAddress; echo $Address; echo $Postcode; echo $FirstName; echo $LastName; } ?> Bleh, ken beat me to it! Link to comment https://forums.phpfreaks.com/topic/161005-you-have-an-error-in-your-sql-syntax/#findComment-849752 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.