How should I use mysql_query?

Question

I'm having some problems with this function in the next code:

if(!($_SESSION['autenticado']))
    if($_POST["user"] && $_POST["pass"])
    {
        $user=$_POST["user"];
        $con=mysql_connect("localhost","root","3270");

            mysql_select_db("futbol",$con);
            $query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
            print_r($query);
            mysql_real_escape_string($query);
            mysql_query($query)or die mysql_error();
            //print_r($pas);
            //$_SESSION["autenticado"]=1;
     }

Am I using it wrowng?

Answer 1

You need to call mysql_real_escape_string on the string that needs escaping, not the whole query:

$user = mysql_real_escape_string($user);
$query = "SELECT us_pass FROM user WHERE us_nom = '$user'";

Addendum: if you are just exploring PHP's database integration, I'd urge you to have a look at PDO , which is a far more sophisticated and secure way of handling database operations.

---

Note also that you're not actually doing anything with mysql_query . This returns a resource, that you can then use to get information. For example, to get the password returned, use the following:

$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
    $password = $row['us_pass'];
}

Answer 2

To answer your question, you are using it wrong, you want to call the escape function on just the input, not the entire query:

$user = mysql_real_escape_string($user);

That said, mysql_* functions are deprecated and you should be using either PDO or MySQLi . Here's an example of a much better way to do it, using PDO:

$con = new PDO('mysql:dbname=futbol;host=127.0.0.1', 'root', '3270');
$stmt = $con->prepare('SELECT us_pass FROM user WHERE us_nom = :user');
$stmt->execute(array('user' => $user));
$result = $stmt->fetchAll();

Answer 3

mysql_real_escape_string Should be escaping $user before it's inserted in to the SQL query, then passed directly off to mysql_query . The purpose of this is to avoid $_POST['user'] from having apostrophes in it that could otherwise foul up the query (since your user value is already surrounded in them.

eg if $_POST['user'] had joe'bob as a value, your query would then become:

SELECT us_pass FROM user WHERE us_nom = 'joe'bob'

You can then see how a stray apostrophe could propose a problem.

Instead, try the following:

if(!($_SESSION['autenticado']))
  if($_POST["user"] && $_POST["pass"])
  {
    $con=mysql_connect("localhost","root","3270");
    $user=mysql_real_escape_string($_POST["user"]); // escape your value here (and move below connection)

    mysql_select_db("futbol",$con);
    $query = "SELECT us_pass FROM user WHERE us_nom = '$user'";
    print_r($query);
    mysql_query($query) or die mysql_error();
    //print_r($pas);
    //$_SESSION["autenticado"]=1;

    // here you would mysql_fetch_array/result/etc. and get what
    // was returned from the database
 }

Answer 4

Based on your comments to the other answers: You are sending your form using POST and not GET right?

The only reasons that you're not seeing anything are your if conditions not being met, a problem connecting to the database or an error in your php (with errors suppressed); the script does not reach your print_r statement.

I´m not sure, but you also might want to use {} for your first if statement and clean-up your code a bit: I'd recommend isset() instead of just feeding strings to if statements.

And check your error log.