PHP/MYSQLI Query Help Please

General Database (Oracle, SQL Server, etc)
#1

This may be a vary dumb question with a very simple answer. I hope…

This is a class project, yes I am new to php, however I am having fun.

Anyway, my question is this: Can I use a SESSION variable in a PHP/MYSQLI statement
to run a query on a database?

I use the code below in other areas using $_POST, however, it does not seem to work using SESSION.
I take the where clause out and the table data prints fine. My goal is to get specific user information,
from a user that is already logged in, not the whole table. The echo statement below prints fine, I put that there
to verify the session passed the variable.

[code]<?php
removed DB connection info

  if (mysqli_connect_errno())
        {
        printf("Connect failed: %sn", mysqli_connect_error());
        exit();
        }

  if($result=$DBConnect->query("SELECT User_ID, Username, Password FROM tbl_users WHERE Username = {$_SESSION['Username']}"))
     {

        while($fieldData=$result->fetch_object())

        {
        echo 'Your ID:'.$fieldData->User_ID.'

‘;
echo ‘Your Username:’.$fieldData->Username.’
‘;
echo ‘Your Password:’.$fieldData->Password.’
';

        }

     }

echo $_SESSION[‘Username’];

  $DBConnect->close();

?>[/code]

#2

Don’t embed the Session Variable in the string
instead of
“SELECT User_ID, Username, Password FROM tbl_users WHERE Username = {$_SESSION[‘Username’]}”

use
“SELECT User_ID, Username, Password FROM tbl_users WHERE Username = '”.$_SESSION[‘Username’]."’
note that the '" is a SINGLE quote followed by a DOUBLE quote (After Username = )
and the same with "’ is a DOUBLE quote followed by a SINGLE quote (After the SESSION variable)

#3

The issue with your SQL query was that you put a string variable (the value of $_SESSION[‘username’] in the query directly, without encapsulating it in quotes. This may cause issues or unexpected behaviour, depending on the actual value and the (version of the) database engine.

#4

Just for reference, peg110. Why would you use option B opposed to option A in your response?

#5

Because MySQL is smart enough to recognize a single word as an unquoted string, but doesn’t know how to handle a string containing spaces for example. I’m not going to explain the mechanics of SQL injection and escaping, since I’m pretty sure you’re capable of doing that kind of research yourself, but just know that encapsulating a string in a SQL query is the way to go:

SELECT * FROM table WHERE column1 = water
SELECT * FROM table WHERE column1 = water and wine
SELECT * FROM table WHERE column1 = “water and wine”
SELECT * FROM table WHERE column1 = water and wine = true

Realize that the first, third and fourth queries are all syntactically correct, but do different things. The second query fails on a syntax error.

#6

Err, I mean.

Which option would you choose? And, why?

  1. “SELECT User_ID, Username, Password FROM tbl_users WHERE Username = ‘$escaped_var’”
  2. “SELECT User_ID, Username, Password FROM tbl_users WHERE Username = '”.$escaped_var."’
#7

The second is preferable, but again, realize what both of them do and why. That’s your answer.

Sponsor our Newsletter | Privacy Policy | Terms of Service