help with passing php variables to mysql query

[arjang]

i am trying to pass form variables to MYSQL query but i get this error:

Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'bamo'' AND password=''KosaryBram1'' LIMIT 1' at line 1

here is my code:

public static function authenticate($username="", $password=""){
	global $database;
	$username = $database->GetSQLValueString($username, "text");
	$password = $database->GetSQLValueString($password, "text");

	$sql =  "SELECT * FROM users ";
	$sql .= "WHERE username ='{$username}' ";
	$sql .= "AND password='{$password}' ";
	$sql .= "LIMIT 1";
	$result_set = self::find_by_sql($sql);
	$found = $database->fetch_array($result_set);
	return !empty($found) ? $found : false;		
}

[DavidAM]

If you look closely at the error message. You will see that the single-quotes are doubled-up around your strings. It appears that your GetSQLValueString() method is returning a string that is already surrounded by single-quotes. Then you are putting single-quotes around that in:

		$sql =  "SELECT * FROM users ";
	$sql .= "WHERE username ='{$username}' ";
	$sql .= "AND password='{$password}' ";

 

since GetSQLValueString() is providing the surrounding quotes, try:

		$sql =  "SELECT * FROM users ";
	$sql .= "WHERE username ={$username} ";
	$sql .= "AND password={$password} ";

 

[arjang]

thank you:) it works now