post error

pinehead18

$sql = "SELECT * FROM users where user=$POST['uname'] and pass=$POST['pass']";

I'm trying to use post.. So i can secure my php pages.. However, this seems not to be working.

Does anybody know what i'm doing wrong here.. Also i seem to be retarted today and can't find the information about $post and $get on php.net could anybody post me a url to that as well?

Thank you
anthony

LordShryku

1). Seperate you superglobals from the string, and use quotes in your SQL for anything that's not a number

$sql = "SELECT * 
        FROM   users 
        WHERE  user='".$_POST['uname']."' 
        AND    pass='".$_POST['pass']."'";

2) http://www.php.net/manual/en/language.variables.predefined.php

pinehead18

$sql = "SELECT * FROM users where user='".$POST['uname']."' and pass='".$POST['pass']."'";

perhaps i did this wrong? Cuase it is not reconizing the uname and pass...

any suggestions..?

LordShryku

Doesn't look like it. How are you debugging? Try echoing them before the SQL to make sure they exist, then echo the SQL to see if it takes them there

echo $_POST['uname']."<br />";
echo $_POST['pass']."<br />";
$sql = "SELECT *
        FROM   users
        WHERE  user='".$_POST['uname']."'
        AND    pass='".$_POST['pass']."'";
echo $sql;

pinehead18

When i do the ehco.. it shows that the user and pass dont' exist..
Any ideas?

LordShryku

do a print_r($_POST) at the very top of the page. May be a variable naming thing, or maybe they're just not getting to the page...