Member Avatar for JayGeePee

I have MySQL v.5.3 I think... I cannot figure out what is going on. I've searched high and low and can't find an answer as to why I keep getting a syntax error.

Here's the error I keep getting.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'username' = 'fffff'' at line 1

Here is the script

<?php
  include "header.php";
  
  if($session_name){
    echo "You are already logged in!\n";
  }else{
    if(!$_POST['submit']){
    echo "<table border=0 cellspacing=3 cellpadding=3>\n";
    echo "<form name=\"login\" method=\"post\" action=\"login.php\">\n";
    echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
    echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
    echo "<tr><td colspan=2 align=right><input type=\"submit\" name=\"submit\"value=\"login\"></td></tr>\n";
    echo "</form></table>\n";
    }else{
      $user = $_POST['username'];
      $pass = $_POST['password'];
      
      if($user && $pass){
        $sql = "SELECT * FROM 'users' WHERE 'username' = '$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        // a non-zero row count means the username exists
        if(mysql_num_rows($res) != 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM 'users' WHERE 'username' = '$user' AND 'password' = '$epass'";
          $res2 = mysql_query($sql2) or die(mysql_error());
          
          // a matching row means the password hash is correct
          if(mysql_num_rows($res2) != 0){
            //success
            $row = mysql_fetch_assoc($res2);
            $_SESSION['uid'] = $row['id'];
            echo "You have successfully logged in as <b>$user</b>, please click any link to continue!\n";
          }else{
            echo "username and password combination are incorrect!\n";
          }
        }else{
          echo "The username you supplied does not exist in our database!\n";
        }
      }else{
        echo "You did not supply all the valid fields\n";
      }
    }
  }
  include "footer.php";
        
?>

Here's where I think my problem is

if($user && $pass){
        $sql = "SELECT * FROM 'users' WHERE 'username' = '$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        if(mysql_num_rows($res) != 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM 'users' WHERE 'username' = '$user' AND 'password' = '$epass'";

I need some help on this one. Thanks in advance.

lines 15 and 16 should be:

$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

As for your ACTUAL problem, the reason for the error is that you are putting APOSTROPHES around the table and field names. That is wrong. You need backticks (on a standard English keyboard, it is on the same key as the ~ character), NOT apostrophes.

if($user && $pass){
        $sql = "SELECT * FROM `users` WHERE `username`='$user'";
        $res = mysql_query($sql) or die(mysql_error());
        
        if(mysql_num_rows($res) != 0){
          $epass = md5($pass);
          $sql2 = "SELECT * FROM `users` WHERE `username`='$user' AND `password`= '$epass'";

Or drop the quotes altogether where you do not need them. With table and field names without spaces you need neither quotes nor backticks.
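The lookup discussed in the replies above, as an added example that is not part of the original thread: identifiers in backticks, with the username passed as a bound parameter instead of being escaped and concatenated. It assumes PDO with an in-memory SQLite database so it runs offline, uses a hypothetical helper name `check_login`, and swaps `md5()` for `password_hash()`/`password_verify()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user's id on a correct login, null otherwise.
function check_login(PDO $db, string $user, string $pass): ?int
{
    // Identifiers are fixed text in backticks; the value is bound separately,
    // so an apostrophe in $user is data and never part of the SQL syntax.
    $stmt = $db->prepare('SELECT `id`, `password` FROM `users` WHERE `username` = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // zero rows: unknown username
    }
    // Swapped in for md5(): password_hash()/password_verify() use a salted, slow hash.
    return password_verify($pass, $row['password']) ? (int) $row['id'] : null;
}

// Assumption: in-memory SQLite (which also accepts backtick identifiers) so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `username` TEXT UNIQUE, `password` TEXT)');

// Constructed sample accounts.
$add = $db->prepare('INSERT INTO `users` (`username`, `password`) VALUES (?, ?)');
$add->execute(['fffff', password_hash('s3cret-one', PASSWORD_DEFAULT)]);
$add->execute(["o'brien", password_hash('s3cret-two', PASSWORD_DEFAULT)]);

$attempts = [
    ['fffff', 's3cret-one'],    // correct
    ['fffff', 'wrong'],         // bad password
    ["o'brien", 's3cret-two'],  // apostrophe in the name, still a valid login
    ['nobody', 'x'],            // unknown user
];
foreach ($attempts as [$u, $p]) {
    $uid = check_login($db, $u, $p);
    printf("%-10s %s\n", $u, $uid === null ? 'rejected' : "ok (uid $uid)");
}
```

Against MySQL only the DSN passed to `new PDO(...)` changes; the query text and the binding stay the same.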
