SQL statement check

Philosophaie · June 28, 2014, 7:23pm

$user and $pass exist.

username, password and idl are columns in table: login and are defined with values.

I am trying to validate the existence of the username and password combination thru $result and $idl.

Could someone check my SQL statement.

if ($user!=null And $pass!=null){
        ...
        $sql = "SELECT `idl` FROM `login` WHERE username=" . $user . " AND password=" . $pass . ";";
        .....
}

Drummin · June 29, 2014, 3:32am

You are going to want to single quote those variables and get rid of extra ; at the end. So it’s a little hard to tell but I have a full quote, then single quote then full quote at the end. Also if you are going to add … for marking or other reason, you’ll want to comment them out with //.

&lt;?php
if ($user!=null And $pass!=null){
        //.....
        $sql = "SELECT `idl` FROM `login` WHERE username = '" . $user . "' AND password = '" . $pass . "'";
        //.....
}
?&gt;

tpunt · June 30, 2014, 3:20pm

Drummin:

You are going to want to single quote those variables and get rid of extra ; at the end. So it’s a little hard to tell but I have a full quote, then single quote then full quote at the end. Also if you are going to add … for marking or other reason, you’ll want to comment them out with //.
&lt;?php
if ($user!=null And $pass!=null){
        //.....
        $sql = "SELECT `idl` FROM `login` WHERE username = '" . $user . "' AND password = '" . $pass . "'";
        //.....
}
?&gt;

In this case, I think interpolation offers far better readability that concatenation:


$sql = "SELECT `idl` FROM `login` WHERE username = '{$user}' AND password = '{$pass}'";

@Philosophaie, be sure to sanitise those variables before using them inside of your query.