Question

I have been trying for the past four days to get this working. It's just a simple logon page, where no sensitive information is stored, but I'm having problems with the PHP.

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST["login"];
    $pword = $_POST["pass"];
    // htmlspecialchars() escapes HTML characters for output; it does not quote or escape values for SQL
    $uname = htmlspecialchars($uname);
    $pword = htmlspecialchars($pword);
    $user_name = "bradf294_access";
    $password = "********";
    $database = "bradf294_clients";
    $server = "localhost";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);
    print(mysql_errno());
    print($db_found);
    // mysql_select_db() returns a bool, so isset() was always true; test the value itself
    if ($db_found) {
        print($db_found."Success");
        // $uname and $pword are interpolated without quotes, so MySQL parses them as column names (error 1054)
        $SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
        $result = mysql_query($SQL);
        print("Query made");
        print(mysql_errno());
        if ($result) {
            print("result:".$result);
        }
        else {
            print("Incorrect Login Details");
        }
        // mysql_query() returns a result resource, not a row count; count the matching rows instead
        if ($result && mysql_num_rows($result) > 0) {
            print("found user");
            $errorMessage= "logged on ";
            session_start();
            $_SESSION['login'] = "1";
            // header() cannot redirect once output (the print() calls above) has been sent
            header ("Location: progressuser.php");
        }
        else {
            print("Invalid Logon");
        }
    } else {
        print("Database not found. The Webmaster has been notified. Please try again later");
        $subject = "Automated login error" ;
        $message = "An error occurred whilst trying to connect to the MySQL database, to login to the progress checker" ;
        mail("a-bradfield@bradfieldandbentley.co.uk", $subject, $message);
    }
}

From the output on the page which I've been using to debug, it appears to be the lines which don't seem to be working, which are giving a 1054 error - "Unknown column '%s' in '%s'"

$SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
$result = mysql_query($SQL);

even though I copied and pasted the $SQL string into phpMyAdmin and it worked perfectly?

Is there anything blatantly obvious I'm doing wrong? Go to http://www.bradfieldandbentley.co.uk/test/progress.php and enter the details Reference: TST001 and pass: dnatbtr121 to see the output for yourselves.


Solution

You need to quote out the variables:

$SQL = "SELECT * FROM basicinfo WHERE ref = '$uname' AND pass = '$pword'";

HOWEVER

The mysql_* functions are being deprecated - you should look at moving to PDO or mysqli_* instead. Those both make it a lot easier for you to write secure code, as well as fixing the quoting problem for you.
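As an added illustration of the answer's second point (not code from the question or the answer), here is the same login check written with mysqli prepared statements. The table basicinfo and the columns ref and pass come from the question; the database credentials are placeholders, and userExists() is a helper name chosen for this example.

```php
<?php
// Added example, not the asker's or answerer's code: the login check from the
// question rewritten with a mysqli prepared statement.
$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'bradf294_clients');
if ($mysqli->connect_errno) {
    exit('Database not found.');
}

// Returns true when exactly one row matches the supplied reference and password.
function userExists(mysqli $db, string $ref, string $pass): bool {
    // The values travel separately from the SQL text, so the driver handles quoting
    // and a quote character inside a value cannot change the query's structure.
    $stmt = $db->prepare('SELECT 1 FROM basicinfo WHERE ref = ? AND pass = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $ref, $pass);
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);
    $stmt->close();
    return $found;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // No htmlspecialchars() here: that is for HTML output, not for database input.
    $ref  = $_POST['login'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (userExists($mysqli, $ref, $pass)) {
        session_start();
        $_SESSION['login'] = '1';
        // Nothing has been printed yet, so the redirect header can still be sent.
        header('Location: progressuser.php');
        exit;
    }
    echo 'Incorrect Login Details';
}
```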

Other tips

Should the value in your WHERE conditions not be surrounded by quotes, like in a normal MySQL statement? Yes. Also, you are going to get a bunch of comments about SQL injection.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow