another php/sql question!

[matzomeal]

<?php
$host = "localhost";
$dbusername = "*********";
$dbpassword = "*********";
$dbname = "matzo_friendbase";
$tblname = "users";

mysql_connect($host, $dbusername, $dbpassword) OR die("Cannot connect.");
mysql_select_db($dbname) OR die("Cannot select database.");

$username = $_POST['uname'];
$pass = $_POST['pword'];

echo "username: " . $username;
echo "password: " . $pass;

$sql = "SELECT * FROM $tblname WHERE name=$username AND password=$pass";
$result = mysql_query($sql) OR die("Problem running query.");

$count = mysql_num_rows($result);
if($count==1) {
session_register("myusername");
session_register("mypassword");
} else {
echo "Wrong username or password.";
}
?>


keeps telling me "Problem running query", and I'm not sure what's exactly wrong with the query. I have a table named 'users' with 4 columns: 'name' 'password' 'email' and 'user_id'. Any suggestions?

EDIT: i fixed it. i needed single quotes around the $username and $pass in the sql statement

 

[misson]

You also need to sanitize your input.

Is users.name unique?

 

[xav0989]

FYI, matzomeal, there is a nice little feature to include PHP/HTML/regular code into a website. You simply wrap the php code with [ PHP ] [ /PHP ].

 

[daman371]

FYI, matzomeal, there is a nice little feature to include PHP/HTML/regular code into a website. You simply wrap the php code with [ PHP ] [ /PHP ].

Just a little technicality. You mean forum and the tags are called BBcode.