[SOLVED] PHP and MySql Select * FROM where help

[zpearldrummerz]

I'm working on a simple login script. i have a mysql db named BandSpace with the table admin to hold the admin username and passwords. the problem i'm having is when i try and use a variable $User in the where clause, it comes up as unknowm column 'username' in where clause.

<?PHP
mysql_connect("localhost","BandSpace","ra2001") or die(mysql_error());
mysql_select_db("BandSpace") or die(mysql_error());
$User = $_POST['UserName'];
$Pass = $_POST['PassWord'];
$Pass = md5($Pass);
$result = mysql_query("SELECT * FROM admin WHERE UserName='$User' ") or die(mysql_error());  
$row = mysql_fetch_array( $result );
$iUsername = $row['UserName'];
$iPassWord = $row['PassWord'];
if($iUsername == $User) {
	if($iPassWord == $Pass){
		header('Location: Admin.php');
	}
} else {
	header('Location: no.php');
           }
?>

 

Thats what i have right now, that isn't coming up with the unknown column though. I just get a completey blank page, like you would get if you forget a ";" or the " and ' are conflicting ect. anyone know what the problem could be. everything works fine if i put in the actuall user name like

("SELECT * FROM admin WHERE UserName='username'");

[gazalec]

The problem is spelling and capitalization, in your code you have 'UserName' but that is different from USERNAME and username or UsErNaMe so check your database for the column name.

 

sorry didn't read the full post,

 

the problem with the variables is you have to stopn the html string to put in a php variable

 

instead of

$result = mysql_query("SELECT * FROM admin WHERE UserName='$User' ") or die(mysql_error());

 

try

$result = mysql_query("SELECT * FROM admin WHERE UserName='".$User."' ") or die(mysql_error());

 

you have to concatinate your strings and variables

[zpearldrummerz]

I have everything spelled just as it is on my database. the fields on there are (ID, UserName, PassWord) spelled and capitalized just like that.

[gazalec]

try what i posted before, notice the first is yours and $User is in red, PHP is treating it like HTML which you dont want to happen and notice in the one below it is in blue, so PHP is treating it as a PHP variable and that is what you want

 

Just post back if you get an errors

[zpearldrummerz]

thanks for the help, i'll fix what you said, but another thing i thing my problem is withing my database, i had the password field limited to characted, and i needed it to use the md5 format, which i'm just figureing out uses more that 16 characters to encrpyt a 6 letter password

[gazalec]

i aint done much on password protection sorry i just leave most of mine as plain text but i only use that for testing so sorry

 

[zpearldrummerz]

I think i might just try it without the encryption for now, just until i can learn a little more about it

[suttercain]

Hello,

 

I would not post this:

mysql_connect("localhost","BandSpace","ra2001") or die(mysql_error());
mysql_select_db("BandSpace") or die(mysql_error());

 

in a public forum someone might try and hack you.  Should use this when posting in a forum for security reasons:

mysql_connect("localhost","user","password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

 

Just a friendly tip.

[gazalec]

its localhost though not on the internet  ???

[zpearldrummerz]

now if i posted an ip has the host, then i could see that being a big problem

[zpearldrummerz]

wow, i feel like an dumbass right now, i totally missed the double quotes around .$User., every thing is now working properly. thanks for ur help guys.