user1263350

Reputation: 83

MySQL query syntax error when used in PHP

iPhone code

When I use this code it always shows a password error, but I am entering the correct credentials.

    NSString *post =[NSString stringWithFormat:@"UserName=%@&UserPassword=%@",userNameTextField.text, userPasswordTextFiled.text];

    NSString *hostStr = @"http://www.celeritas-solutions.com/emrapp/connect.php";
    hostStr = [hostStr stringByAppendingString:post];
    NSData *dataURL =  [NSData dataWithContentsOfURL: [ NSURL URLWithString: hostStr ]];    
    NSString *serverOutput = [[NSString alloc] initWithData:dataURL encoding: NSASCIIStringEncoding];
    if([serverOutput isEqualToString:@"Yes"]){
           UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Congrats" message:@"You are authorized "
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
       [alertsuccess show];
           [alertsuccess release];


    } else {
            UIAlertView *alertsuccess = [[UIAlertView alloc] initWithTitle:@"Error" message:@"Username or Password Incorrect"
                                                          delegate:self cancelButtonTitle:@"OK" otherButtonTitles:nil, nil];
            [alertsuccess show];
            [alertsuccess release];

    }

I am validating the username and password against the database, but it gives this SQL syntax error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND UserPassword=' at line 1

    mysql_select_db("emriphone", $con);

    $u=$_GET['UserName'];
    $pw=$_GET['UserPassword'];

    $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

    $login=mysql_query($check,$con) or die(mysql_error());

    if(mysql_num_rows($login)==1){
        $row =mysql_fetch_assoc($login);
        echo 'YES'; exit;
    }
    else{
        echo'NO';exit;
    }

    mysql_connect($con);

Upvotes: 1

Views: 201

Answers (6)

Ghostman

Reputation: 6114

Use single quotes for variables in the query ''

Hope this helps you.

Upvotes: 1

Tung

Reputation: 5444

Protect yourself from SQL injection while you're at it:

    $query = sprintf("SELECT UserName,UserPassword from appUsers WHERE UserName='%s' AND UserPassword='%s'", mysql_real_escape_string($u),mysql_real_escape_string($pw));

Upvotes: 0

Menztrual

Reputation: 41597

    $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

And because you're using mysql, be sure to sanitize the Username and password against SQL Injection by using the following:

    $u = mysql_real_escape_string($_GET['UserName']);
    $pw = mysql_real_escape_string($_GET['UserPassword']);

And final thought; Use POST instead of GET for a login page ;D hehe

Upvotes: 1
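The escaping advice in the two answers above, taken one step further as an added example that is not part of either answer: a prepared statement with bound parameters and a hashed password. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server (the `mysql_*` functions were removed in PHP 7.0), the table and column names follow the question, and the user row and the `check_login()` helper are constructed for illustration.

```php
<?php
// Added example. An in-memory SQLite database stands in for MySQL (assumption);
// the user row below is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE appUsers (UserName TEXT PRIMARY KEY, UserPassword TEXT)');

// Store a password hash instead of the plaintext compared in the question.
$insert = $pdo->prepare('INSERT INTO appUsers (UserName, UserPassword) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: true only when the user exists and the password matches.
function check_login(PDO $pdo, string $user, string $password): bool
{
    // The SQL text is constant; values travel separately from it, so a quote
    // in the input is data and can never change the statement.
    $stmt = $pdo->prepare('SELECT UserPassword FROM appUsers WHERE UserName = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();          // false when no row matched
    return $hash !== false && password_verify($password, $hash);
}

// The quoted-but-unescaped query breaks as soon as the value contains a quote.
$u = "o'brien";
try {
    $pdo->query("SELECT UserName FROM appUsers WHERE UserName='$u'");
    $interpolated = 'ran';
} catch (PDOException $e) {
    $interpolated = 'syntax error';        // the apostrophe closed the literal early
}

// Read credentials from the POST body rather than the URL; the fallbacks are
// constructed values so the script also runs from the command line.
$user = $_POST['UserName'] ?? "o'brien";
$pass = $_POST['UserPassword'] ?? 'correct horse';

echo "interpolated query: $interpolated\n";
echo 'bound, right password: ', check_login($pdo, $user, $pass) ? 'YES' : 'NO', "\n";
echo 'bound, wrong password: ', check_login($pdo, $user, 'wrong') ? 'YES' : 'NO', "\n";
echo 'bound, empty input: ', check_login($pdo, '', '') ? 'YES' : 'NO', "\n";
```

With MySQL the only change is the DSN passed to `new PDO(...)`; the prepared statement and the `password_verify()` check stay the same.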

MD Sayem Ahmed

Reputation: 29166

You need to place single quotes in your query -

    $check ="SELECT UserName, UserPassword 
             FROM   appUsers 
             WHERE UserName='$u'           
             AND UserPassword='$pw'";      // These are probably varchar data columns 
                                           // in your db. In that case, you should 
                                           // put single quotes like this.

When you search text fields in your database, you should place single quotes around them. Otherwise MySQL will report it as an error.

Upvotes: 3

Janak Nirmal

Reputation: 22726

Assuming username and password are text fields, you should correct it as follows:

    $check ="SELECT UserName,UserPassword from appUsers WHERE UserName=$u AND UserPassword=$pw";

To

    $check ="SELECT UserName,UserPassword from appUsers WHERE UserName='$u' AND UserPassword='$pw'";

I included single quotes around the username and password.

Upvotes: 2

Gohn67

Reputation: 10648

Maybe you need to add single quotes around the username and password parameters in your where clause, since I'm assuming those are strings. In MySQL you need to wrap strings in single quotes.

Upvotes: 2
