Home/ Questions/Q 584769
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T14:55:57+00:00

In accessing my database, I have the user fill out a form, and in

  • 0

In accessing my database, I have the user fill out a form, and in the target page, the posted values are used in the resulting MySQL query.

$query = mysql_query("SELECT pass FROM database WHERE user='$_POST[user]'");

However, for some reason or another, MySQL doesn’t like my using a $_POST variable in the command, and it only works if I define (for example) $user = $_POST['user'];, and then put $user directly in the SQL command.

On the other hand, I can use $_POST values in INSERT statements where specific column names are not required:

$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '$_POST[user]'");

If I try an INSERT statement where attributes are defined (e.g. user='foo'), then the same problem appears.

What am I doing wrong in my SQL query that causes the command to error out when run, but works with the specific method of formatting an INSERT command?

Hopefully, it’s not “tough luck, looks like you have to assign all of your posted values”. Heh.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First of, watch out for SQL Injections!

    Now, to answer your question try doing this instead:

    $query = mysql_query("SELECT `pass` FROM `database` WHERE `user` LIKE '" . mysql_escape_string($_POST['user']) . "';");

    You were doing a couple of things wrong:

    • using the = operator instead of LIKE operator
    • not enclosing the value in the SQL query with '
    • not enclosing the user index in the $_POST array with '

    PS: You should use mysql_real_escape_string() instead of mysql_escape_string()!

    • 0