
I have MySQL v.5.3, I think... I cannot figure out what is going on. I've searched high and low and can't find an answer as to why I keep getting a syntax error.

Here's the error I keep getting.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'username' = 'fffff'' at line 1

Here is the script

<?php
  include "header.php";
  
  if($session_name){
    echo "You are already logged in!\n";
  }else{
    if(!$_POST['submit']){
    echo "<table border=0 cellspacing=3 cellpadding=3>\n";
    echo "<form name=\"login\" method=\"post\" action=\"login.php\">\n";
    echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
    echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
    echo "<tr><td colspan=2 align=right><input type=\"submit\" name=\"submit\"value=\"login\"></td></tr>\n";
    echo "</form></table>\n";
    }else{
      $user = $_POST['username'];
      $pass = $_POST['password'];
      
      if($user && $pass){
        $sql = "SELECT * FROM 'users' WHERE 'username' = '$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        if(mysql_num_rows($res) == 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM 'users' WHERE 'username' = '$user' AND 'password' = '$epass'";
          $res2 = mysql_query($sql2) or die(mysql_error());
          
          if(mysql_num_rows($res2) == 0){
            //success
            $row = mysql_fetch_assoc($res2);
            $_SESSION['uid'] = $row['id'];
            echo "You have successfully logged in as <b>$user</b>, please click any link to continue!\n";
          }else {
            echo "username and password combination are incorrect!\n";
          }
          }else {
            echo "The username you supplied does not exist in out database!\n";
          }
          }else {
            echo "You did not supply all the valid feilds\n";
          }
          }
        }
        include "footer.php";
        
?>

Here's where I think my problem is

if($user && $pass){
        $sql = "SELECT * FROM 'users' WHERE 'username' = '$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        if(mysql_num_rows($res) == 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM 'users' WHERE 'username' = '$user' AND 'password' = '$epass'";

I need some help on this one. Thanks in advance.


lines 15 and 16 should be:

$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

As for your ACTUAL problem, the reason for the error is that you are putting APOSTROPHES around the table and field names. That is wrong. You need backticks (on a standard English keyboard, it is on the same key as the ~ character), NOT apostrophes.

if($user && $pass){
        $sql = "SELECT * FROM `users` WHERE `username`='$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        if(mysql_num_rows($res) == 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM `users` WHERE `username`='$user' AND `password`= '$epass'";

Or drop the quotes altogether where you do not need them. With table and field names without spaces you need neither quotes nor backticks.
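
For reference, an added example that is not part of any post in this thread: the same username and password check written with PDO prepared statements, so the input is bound as data rather than escaped and concatenated, with backticks on the identifiers as the first reply recommends. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the login() helper and the sample account are constructed, and password_hash()/password_verify() are swapped in for the md5() of the original script.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// the MySQL server (assumption) so the script runs without a database host.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `username` TEXT UNIQUE, `password` TEXT)');

// Constructed sample account. password_hash() replaces the original's md5().
$ins = $pdo->prepare('INSERT INTO `users` (`username`, `password`) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user's id on success, null otherwise.
 */
function login(PDO $pdo, string $user, string $pass): ?int
{
    // Backticks quote identifiers; the value is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT `id`, `password` FROM `users` WHERE `username` = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A row must exist AND the password must verify. Both failures return the
    // same result, so the caller cannot tell which usernames exist.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed inputs, including names that contain an apostrophe.
$cases = [
    ['alice', 'correct horse'],  // valid credentials
    ['alice', 'wrong'],          // wrong password
    ["O'Brien", 'x'],            // apostrophe is plain data to a bound parameter
    ["fffff'", 'x'],             // trailing quote cannot change the statement
];
foreach ($cases as [$u, $p]) {
    $id = login($pdo, $u, $p);
    printf("%-10s => %s\n", $u, $id === null ? 'rejected' : "uid $id");
}
```

The mysql_* functions used in the thread were removed in PHP 7; against a real MySQL server only the PDO connection string (a mysql: DSN) changes.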
