How to resolve: You have an error in your SQL syntax;

Question

How to resolve: You have an error in your SQL syntax;

Asked 6 years, 4 months ago

Viewed 645 times

-1

I am developing a login system, but this error is arresting me and I found no answers so far:

You have an error in your SQL syntax; check the manual that corresponds
  to your MySQL server version for the right syntax to use
  near '�rios WHERE login = 'admin'' at line 1

I’ll put in the code section to help with the advice:

if(empty($login) or empty($senha)):
        $erros[] = "<li> O campo login/senha precisa ser preenchido </li>";
    else:
        $sql = "SELECT login FROM usuários WHERE login = '$login'";
        $resultado = mysqli_query($connect, $sql) or die(mysqli_error($connect)); //mysqli_query($connect, $sql) or die mysql_error();

        if(mysqli_num_rows($resultado) > 0):
            $senha = md5($senha);
            $sql = "SELECT * FROM usuários WHERE login = '$login' AND senha = '$senha'";
            $resultado = mysqli_query($connect, $sql);

                if(mysqli_num_rows($resultado) == 1):
                    $dados = mysqli_fetch_array($resultado);
                    $_SESSION['logado'] = true;
                    $_SESSION['id_usuário'] = $dados['id'];
                    header('Location: home.php');
                else:
                    $erros[] = "<li> Usuário e senha incorretos </li>";
                endif;


        else: 
            $erros[] = "<li> Usuário inexistente </li>";
        endif;

2

Your table is called usuários, with same accent? If yes, check the file encodings and database.

– Woss

2019/06/27 at 01:15
yes, in the database is saved with the accent, and in all parts of the code I reference to it I add the accent too, I am searching for 1 hour and I find nothing :/

– Hugo Melo

2019/06/27 at 01:17
Can you enter the full code? Apparently the message is showing that the error is on line 1 (at line 1).

– user144209

2019/06/27 at 01:29
I’ll put it in the same comment ? but the line 1 is the opening of php and then has a require_once

– Hugo Melo

2019/06/27 at 01:32
<?php //Connection require_once 'db_connect.php'; //Session session_start(); //Send button if(isset($_POST['btn-login']): /Send button $bugs = array(); $login = mysqli_escape_string($connect, $_POST['login']); $password = mysqli_escape_string($connect, $_POST['password']);

– Hugo Melo

2019/06/27 at 01:32
this is the beginning of the code (line 1 to line 14)

– Hugo Melo

2019/06/27 at 01:33

Show 1 more comment

1 answer

Browser other questions tagged php mysql mysqli

You are not signed in. Login or sign up in order to post.

by Rafael Pereira • 16 points · Answer 1 · 2019-06-27T08:30:11+00:00

Use Prepared statments, so your query is vulnerable.

Your error is probably in the query because you are using an accent on "users" !

Anyway it uses the Prepared statments you have here the example of the code and the link of the documentation site: https://www.php.net/manual/en/mysqli.prepare.php

Code:

if(empty($login) or empty($senha)):
    $erros[] = "<li> O campo login/senha precisa ser preenchido </li>";
else:
    $sql = $mysqli->prepare("SELECT login FROM usuarios WHERE login=");

    $sql->bind_param("s", $login);

    $sql->execute();

    $resultado = mysqli_query($connect, $sql) or die(mysqli_error($connect)); //mysqli_query($connect, $sql) or die mysql_error();

    if(mysqli_num_rows($resultado) > 0):
        $senha = md5($senha);
        $sql = "SELECT * FROM usuarios WHERE login = '$login' AND senha = '$senha'";
        $resultado = mysqli_query($connect, $sql);

            if(mysqli_num_rows($resultado) == 1):
                $dados = mysqli_fetch_array($resultado);
                $_SESSION['logado'] = true;
                $_SESSION['id_usuário'] = $dados['id'];
                header('Location: home.php');
            else:
                $erros[] = "<li> Usuário e senha incorretos </li>";
            endif;


    else: 
        $erros[] = "<li> Usuário inexistente </li>";
    endif;