frijole Posted February 26, 2008

I am confused as to what the necessary components of the query below are. I understand everything except the '".$_POST['username']."' part. Is that really necessary? And if so, I would love to know why.

//Check if username already exists...
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '".$_POST['username']."'");
$q3 = mysql_fetch_object($q2);
if($q3->username == $_POST['username'])

dbo Posted February 27, 2008

While the code should be properly validated, sanitized, and finally escaped before being entered into this query (which it presumably is not), this is a pretty basic concept. There is a form with the method of post set. The user fills out the form putting the variables in the post array. The username field is accessed via $_POST['username'] so that it can dynamically create the query string.

stormen81 Posted February 27, 2008

<?php
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '" . $_POST['username'] . "';");
?>

I do this all the time to help me code and debug faster in Dreamweaver... I love the color text for all the keywords. But you also could do:

<?php
$q2 = mysql_query("SELECT * FROM `members` WHERE `username` = '$_POST[username]';");
?>

This does the same thing as the code above. It is more of a coding preference practice than anything else.

Later
Stormen

Xeoncross Posted February 27, 2008

<?php
$result = mysql_query("SELECT * FROM `members` WHERE `username` = '".$_POST['username']."'");
$obj = mysql_fetch_object($result);
if($obj->username == $_POST['username']) {
    print 'we found a row with the same username as the username in POST!';
} else {
    print 'this could logically never run';
}

//////////////////////////////////
//This should be used instead:
//////////////////////////////////

//mysql_real_escape_string protects from SQL injections (hacking)
$result = mysql_query('SELECT * FROM `members` WHERE `username` = \''. mysql_real_escape_string($_POST['username']). '\'');

//If we found a matching row
if(mysql_num_rows($result) > 0) {
    //Get the row as an object
    $obj = mysql_fetch_object($result);
    print 'We found the username <b>'. $obj->username. '</b>';
} else {
    print 'Username not found';
}
?>

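An added example, not part of any post in this thread: it runs the thread's concatenated query next to a prepared statement on the same inputs, so the effect of a quote character inside the username is visible. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite table, the function names and the sample inputs are constructed for the demo and stand in for the MySQL `members` table and `$_POST['username']`.

```php
<?php
// Constructed demo data: in-memory SQLite stands in for the thread's MySQL `members` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec("INSERT INTO members (username) VALUES ('frijole'), ('dbo')");

// The thread's pattern: the value is pasted between the two single quotes.
function existsConcatenated(PDO $pdo, string $username): string
{
    $sql = "SELECT COUNT(*) FROM members WHERE username = '" . $username . "'";
    try {
        $n = (int) $pdo->query($sql)->fetchColumn();
        return "$n row(s)  <-  $sql";
    } catch (PDOException $e) {
        return "SQL error  <-  $sql";
    }
}

// Prepared statement: the SQL text is fixed, the value travels separately.
function existsPrepared(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM members WHERE username = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn() . ' row(s)';
}

// Constructed inputs standing in for $_POST['username'].
$inputs = [
    'frijole',           // existing user
    'nobody',            // unknown user
    "o'brien",           // legitimate name containing a quote
    "nobody' OR '1'='1", // quote closes the literal early, rest is parsed as SQL
];

foreach ($inputs as $u) {
    printf("input:        %s\n", $u);
    printf("concatenated: %s\n", existsConcatenated($pdo, $u));
    printf("prepared:     %s\n\n", existsPrepared($pdo, $u));
}
```

The concatenated version fails or miscounts as soon as the input contains a single quote, while the prepared statement treats every input as a plain value to compare.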
spikeon Posted February 27, 2008

wow... no one answered the damn question...

the logic is that php puts strings together with periods. like:

$a1 = "i am a ";
$a2 = "big doo doo head";
$a = $a1 . $a2;

$a would return "i am a big doo doo head"

the logic is that, to make sure EVERYTHING is kosher, you stop the mysql string EXACTLY where the " is, which is right before a ' and put the variable in without adding extra spacing by accident

hope that's what you needed.

frijole Posted February 27, 2008 Author

Thank you, all of those replies were interesting and informative. The concatenation is what I was confused about though. Thanks for your help.