Syntax error with Special Characters in Password [Archive]

Click to See Complete Forum and Search --> : Syntax error with Special Characters in Password

$var

10-30-2006, 08:15 AM

Hi,

I am having trouble with validation.
When I validate a user I'm getting errors with special characters in the username and password.
The error appears in $result = mysql_query($sql)

Username is similar to this: username@honeycombworldwide.com
Password is similar to this: password!

----
$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT * FROM it_mem WHERE Mem_Email=".$username." AND Mem_Password=".$password;
$result = mysql_query($sql) or die (mysql_error());
---

When I echo $result with $username and $password filters, i get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@honeycombworldwide.com AND Mem_Password=password!' at line 1

When I echo $result with just $password as a filter, i get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '!' at line 1

--

Any idea? Thanks for looking

stephan.gerlach

10-30-2006, 08:26 AM

The problem is not special characters. the problem is that these are strings and not numbers. Your SQL is wrong

try this

$password = $_POST['password'];
$username = $_POST['username'];
$sql = 'SELECT * FROM it_mem WHERE Mem_Email="'.$username.'" AND Mem_Password="'.$password.'"';
$result = mysql_query($sql) or die (mysql_error());

stephan.gerlach

10-30-2006, 08:27 AM

Oh another suggestion. it seems like you are not encrypting the password -> bad idea
you are not performing any validation on username and password -> bad idea

both are potential security risks

NogDog

10-30-2006, 11:23 AM

See Example 3 on www.php.net/mysql_real_escape_string for a way to prevent SQL injection attacks (and automatically handle the quoting where necessary).

$var

10-30-2006, 12:21 PM

okay... well, i got that sorted, however, i found what was the real problem is I am trying to set a sessionID. this used to work on my old server, so if it's wrong I can imagine... but do I not just do this:

setcookie ("ID01", $accessresults["Mem_ID"]);
$_SESSION['IDO1'] = "$accessresults[Mem_ID]";

NogDog

10-30-2006, 12:36 PM

Better would be:

$_SESSION['IDO1'] = $accessresults['Mem_ID'];

There's no need to quote the variable if that's all that's being assigned, plus your array index should be quoted when it's a string literal like that.

PS: I just noticed that you used ID01 (with a zero) for the cookie ID, but IDO1 (with a capital letterl "O") for the session value. I'm guessing the latter should also be a zero?