tags:

views:

58

answers:

1
Q: 

MySQL multiple tables problem?

I want to be able to check my email if it equals $e but my email is in another table called info how can I can I fix this problem?

Here is my MySQL query so far.

"SELECT password, salt FROM users WHERE (email = '" . $e . "' OR username = '" . $e . "') AND active IS NULL"
A: 

Use a JOIN:

SELECT users.password, users.salt
FROM users
JOIN info
ON info.id = users.info_id
WHERE (users.email = $e OR info.username = $e)
AND users.active IS NULL

Note: you may need to modify the line starting ON depending on how you have structured your schema. If you are unsure of what modification to make, update your question to include the output of SHOW CREATE TABLE users and SHOW CREATE TABLE info.

Also you might want to double-check that there isn't an SQL injection vulnerability in your code. It is good practice to use parameters, or at least make sure that the strings are properly escaped. It is not clear from your code extract if you are escaping correctly or not.

Mark Byers  2010-10-02 11:54:20
What's the SQL injection comment about?
needHELP  2010-10-02 11:55:37
@needHelp, it's about [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) and if you are asking what it is then your site might be facing a great risk.
Darin Dimitrov  2010-10-02 11:57:03
@Darin Dimitrov quick to jump to conclusions believe my I'm using a purifier and escaping my user inputted data.
needHELP  2010-10-02 11:59:18
You shouldn't escape your user inputted data. You should use parametrized queries.
Darin Dimitrov  2010-10-02 12:00:29
@Mark Byers what is exactly supposed to happen before i go messing around with my database?
needHELP  2010-10-02 12:00:35
@needHELP: If you are not escaping correctly it should fetch passwords for all users. You can see how it works if you want, just substitute $e for the above string.
Mark Byers  2010-10-02 12:02:51
Try: `')OR(''='`
Mark Byers  2010-10-02 12:06:01
@Mark Byers my error message of please try again comes up:)
needHELP  2010-10-02 12:06:05
@needHELP: Great, that means either your system is safe from certain types of attack, you copied and pasted incorrectly, or I messed up the query. Hopefully the first of those options.
Mark Byers  2010-10-02 12:07:43
@Mark Byers I guess I could not win with you even if I did it correctly :(
needHELP  2010-10-02 12:09:06
@needHELP: I think it's unrealistic to *"do it correctly"* - that is make a completely 100% secure site. Even a company like Google or Microsoft makes an error sometimes and leaves a vulnerability in one of their services. But by following best practices you can reduce the number of ways that you can mess up. It seems you are already aware of the issues so that's a good start.
Mark Byers  2010-10-02 12:14:49
@needHELp: PS: Did my suggestion of using a JOIN work for you?
Mark Byers  2010-10-02 12:18:36
yes it did but I have another problem now.
needHELP  2010-10-02 12:36:17

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL