I have this $sql=mysql_query(SELECT EMAIL FROM USERNAME WHERE EMAIL <> ‘.$_REQUEST[‘EMAIL’].’ AND EMAIL NOT

Question

0

Asked: June 3, 20262026-06-03T20:32:04+00:00 2026-06-03T20:32:04+00:00

I have this $sql=mysql_query(SELECT EMAIL FROM USERNAME WHERE EMAIL <> ‘.$_REQUEST[‘EMAIL’].’ AND EMAIL NOT

0

I have this

$sql=mysql_query("SELECT EMAIL FROM USERNAME WHERE EMAIL <> '".$_REQUEST['EMAIL']."' AND EMAIL NOT IN (".$str.")") or die("Error: ". mysql_error(). " with query ". $sql);

for example $str holds the value ‘d’,’f’ and there is a d and f in the EMAIL column in my table.

When I run the query I get this error “Error: Unknown column ‘d’ in ‘where clause’ with query”

I am a complete noob to mysql so I hope I’m just missing something very basic here. Any help is greatly appreciated!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-03T20:32:06+00:00

Nice SQL injection hole there. Enjoy having your server pwn3d.

The IN syntax works either as

WHERE field IN (value1, value2, value3, ...)

or

WHERE value IN (field1, field2, field3, ...)

Given you’re getting the ‘no such d, you’re probably forgetting to quote those values, producing

WHERE field IN (d, f)

which is interpeted as “field d” and “field f”, where it shoul be:

WHERE field IN ('d', 'f')

Note the quotes – they turn those d and f’s into strings, not field names.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have this $sql=mysql_query(SELECT EMAIL FROM USERNAME WHERE EMAIL <> ‘.$_REQUEST[‘EMAIL’].’ AND EMAIL NOT

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply