Unknown column in 'where clause'
I get this error "Unknown column 'testuser' in 'where clause'" when using the following query:
$query = "select * FROM members where login = ".$_SESSION['MEMBER']." LIMIT 1";
$sql = mysql_query($query,$link) or die(mysql_error());
$row_m = mysql_fetch_assoc($sql);
I also get these error messages when I first access MySQL phpMyAdmin:
import.php: Missing parameter: import_type (FAQ 2.8)
import.php: Missing parameter: format (FAQ 2.8)
I have a total of 376 records, size 1.1 MB and an overhead of 841 Bytes. I don't know if this is affecting my database or is making a difference. I tried running the query without the LIMIT parameter and got the same error. Perhaps I'm overlooking something.
Please Help!
P.S. I know that the session variable exists as 'testuser' in the members table and login column.
jmucchiello
4-7-06, 02:36 AM
I get this error "Unknown column 'testuser' in 'where clause'" when using the following query:
$query = "select * FROM members where login = ".$_SESSION['MEMBER']." LIMIT 1";
$sql = mysql_query($query,$link) or die(mysql_error());
$row_m = mysql_fetch_assoc($sql);
You need tick marks 'testuser' around the data. Additionally, you should be careful what you put into a select statement. Just because you sent the session variable, don't assume someone hasn't somehow tampered with it.
$sessionmember = mysql_real_escape_string($_SESSION['MEMBER'], $link);
$query = "select * from members where login = '$sessionmember' limit 1";
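An added illustration (not code from the thread) of why the original query fails and why the quoted, escaped form above is the fix. It uses Python with an in-memory SQLite table standing in for the PHP/MySQL setup, and a constructed `members` table; the parameter-binding function plays the role that a prepared statement (PDO or mysqli) would in PHP.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the thread's 'members' table (sample rows, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members (login, email) VALUES (?, ?)",
        [("testuser", "test@example.invalid"), ("o'brien", "ob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_unquoted(conn, login):
    # The original query: the value is pasted into the SQL text with no quotes,
    # so the parser reads 'testuser' as a column name, not a string.
    query = "SELECT * FROM members WHERE login = " + login + " LIMIT 1"
    try:
        return conn.execute(query).fetchone()
    except sqlite3.OperationalError as e:
        return str(e)  # "no such column: testuser" (MySQL: Unknown column ... in 'where clause')


def lookup_quoted(conn, login):
    # Quoted but not escaped: fine for plain values, but any apostrophe in the
    # data ends the string early and the rest is parsed as SQL.
    query = "SELECT * FROM members WHERE login = '" + login + "' LIMIT 1"
    try:
        return conn.execute(query).fetchone()
    except sqlite3.OperationalError as e:
        return str(e)


def lookup_param(conn, login):
    # Parameter binding: the value travels separately from the SQL text, so
    # quoting and escaping are handled by the driver for every input.
    return conn.execute(
        "SELECT * FROM members WHERE login = ? LIMIT 1", (login,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unquoted(db, "testuser"))
    print(lookup_quoted(db, "testuser"))
    print(lookup_quoted(db, "o'brien"))
    print(lookup_param(db, "o'brien"))
```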
Thank you jmucchiello for your reply. I'm glad that you pointed out the security issue because I'm big on security.
If you have the time and can give a brief example how someone can tamper with a session variable it would be appreciated. If you can't find the time I understand, and appreciate the time you spent on replying to my post.
I have successfully used "mysql_real_escape_string" in the past, however, I don't code often and completely forgot to use it. In fact I would need to go back into my notes to understand it, and this I don't have time to do. Hence, I am grateful for your help.
Thank you.
jmucchiello
4-7-06, 01:44 PM
Even if I (and the other powweb members) were to tell you 10 ways session variables can be falsified (and I don't claim any great expertise here), someone will have an 11th way that gets around our ways. You should also look at variables that come from outside your script with suspicion at a minimum.
Now, session variables should be relatively secure since they are actually stored on the server by Apache. But if someone makes an exploit available such that Apache is vulnerable, then all users on the server are exposed. Not likely, but it's always better to be safe when you can.
Writing secure scripts is an ongoing process. It is not something that lends itself to check lists. Google around for php security and you will get a lot of (sometimes conflicting) advice. Good luck.
Thanks again jmucchiello. I'm going to try and keep a tight lid on whatever code I put out by doing some web research and perhaps a book or two if I find the time.
Best of wishes to you.