rawky1976 Posted November 16, 2007

Hello all

I've just got a quick question, the statement below isn't returning the expected results. I've echoed it at runtime and the variables are missing. I presume it's just the syntax?

    $query = "SELECT field FROM database.table WHERE email='$e' AND password='$p'";

Can anyone help please?

Mark

revraz Posted November 16, 2007

Use Single quotes around the entire string and double quotes around the variables.

rawky1976 Posted November 16, 2007

Thanks but it's now printing the variables, not their contents?

    SELECT field FROM database.table WHERE email="$e" AND password="$p"

kenrbnsn Posted November 16, 2007

Can you post some of the code before this line? Where are the variables $e and $p being set?

Your syntax is correct. The one given by revraz is not.

Ken

rawky1976 Posted November 16, 2007

Previous code as requested

    $errors = array();

    if (empty($_POST['email'])) {
        $errors[] = 'You forgot to enter your email address.';
    } else {
        $e = escape_data($_POST['email']);
    }

Thank you,

Mark

kenrbnsn Posted November 16, 2007

That shows where $e is being set. How about $p?

Do you have an "or die" clause on the mysql_query() function:

    <?php
    $rs = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error());
    ?>

Ken

rawky1976 Posted November 16, 2007

The code for $p is the same as $e but for password field instead of email. I've added the die but it hasn't printed any errors on the page: -

    $query = "SELECT userid FROM knowledgebase.users WHERE email='$e' AND password='$p'";
    $result = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error());

dbo Posted November 16, 2007

How about right before where you actually run the query you do this:

    <?php
    echo "TEST E: $e";
    echo "TEST P: $p";
    ?>

rawky1976 Posted November 16, 2007

OK thanks, I added: -

    echo "TEST E: $e";
    echo "TEST P: $p";

and it outputs: -

    TEST E: TEST P:
    The email address and current password do not match those in the database.
    SELECT userid FROM knowledgebase.users WHERE email='' AND password=''

Is it a setting with the quotes or something rather than the script?

dbo Posted November 16, 2007

The problem is for whatever reason those variables have no contents. Can you show us your escape_data function?

Also can you try this:

replace this:

    $e = escape_data($_POST['email']);

with this:

    echo "BEFORE: " . $_POST['email'] . "<br />";
    $e = escape_data($_POST['email']);
    echo "AFTER: $e<br />";

rawky1976 Posted November 16, 2007

Before shows my email address!!!

After shows: -

    AFTER: TEST E: TEST P:

Here is the function (it's out of a book).

    function escape_data ($data) {
        global $dbc;
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        return mysql_real_escape_string(trim($data), $dbc);
    }

Thanks again,

Mark

dbo Posted November 16, 2007

So, just as expected, the culprit is that escape_data function. Where are you using $dbc elsewhere in your code? I'd have to read up on mysql_real_escape_string but I think that the problem is it's not a valid database handle.

rawky1976 Posted November 16, 2007

It's not being used elsewhere at all. I commented out the function and removed the calls from the script and it drags the correct fields into the variables.

The SELECT still fails but that's something else for me to ponder over!

Thanks for your help,

Mark

dbo Posted November 16, 2007

Well, you still need to escape your inputs before sending them to a query. So don't get rid of it altogether.

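The point in the last reply, shown with current PHP as an added example that is not code from the thread: the mysql_* functions used above were removed in PHP 7, so this uses a PDO prepared statement and takes the connection as a typed argument instead of a global, which turns the missing-handle problem seen with escape_data() into an immediate error. The users schema, the password_hash column, the sample account and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Schema and sample rows are
// constructed; in-memory SQLite stands in for MySQL so the script runs offline.

/**
 * Return the userid for a matching email/password pair, or null.
 * The connection is an explicit, typed argument: a missing handle is a
 * TypeError at the call site, not a silently emptied variable.
 */
function find_user_id(PDO $db, string $email, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT userid, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => trim($email)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash rather than matching the password in SQL.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['userid'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

// Constructed sample account; the apostrophe is legal in an email local part.
$insert = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
$insert->execute([
    ':email' => "pat.o'neil@example.com",
    ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
]);

var_dump(find_user_id($db, "pat.o'neil@example.com", 'correct horse'));  // matching pair
var_dump(find_user_id($db, "pat.o'neil@example.com", 'wrong password')); // wrong password
var_dump(find_user_id($db, 'nobody@example.com', 'correct horse'));      // unknown email

try {
    find_user_id(null, 'a@example.com', 'x'); // the thread's failure: no handle
} catch (TypeError $e) {
    echo "TypeError: connection handle missing\n";
}
```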