I have this

$sql=mysql_query("SELECT EMAIL FROM USERNAME WHERE EMAIL <> '".$_REQUEST['EMAIL']."' AND EMAIL NOT IN (".$str.")") or die("Error: ". mysql_error(). " with query ". $sql);

For example, $str holds the value 'd','f' and there are a d and an f in the EMAIL column in my table.

When I run the query I get this error "Error: Unknown column 'd' in 'where clause' with query"

I am a complete noob to mysql so I hope I'm just missing something very basic here. Any help is greatly appreciated!

2 Answers

Nice SQL injection hole there. Enjoy having your server pwn3d.

The IN syntax works either as

WHERE field IN (value1, value2, value3, ...)

or

WHERE value IN (field1, field2, field3, ...)

Given you're getting the 'no such column d' error, you're probably forgetting to quote those values, producing

WHERE field IN (d, f)

which is interpreted as "field d" and "field f", where it should be:

WHERE field IN ('d', 'f')

Note the quotes - they turn those d's and f's into strings, not field names.

2 Comments

That's what I'm not understanding; I'm sure the variable in between the () is set to 'd','f'.
And thanks, I actually just learned about using mysql_real_escape_string yesterday; I haven't had a chance to go through all of my files yet. Thanks for the heads up.

You're missing single quotes after the NOT IN part. It should be:

$sql = mysql_query("
        SELECT EMAIL FROM USERNAME WHERE EMAIL <> '".$_REQUEST['EMAIL']
        ."' AND EMAIL NOT IN ('".$str."')"
    ) or die("Error: ". mysql_error(). " with query ". $sql);

Also, as Marc pointed out, you're better off using mysql_real_escape_string() on client variables you're going to put inside your queries.

2 Comments

when I just tried this it now says "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd','f'')' at line 1 with query "
Oh, my bad, I didn't think about the possibility that $str had single-quoted text in itself.
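One way to write the query both answers are circling, added here as an example and not code from the question or either answer: both user-supplied values are bound as PDO parameters, with one placeholder generated per NOT IN entry, so the quoting problem and the injection hole disappear together. It assumes the USERNAME table and EMAIL column from the question, takes the excluded values as a plain array rather than a pre-quoted string, and uses an in-memory SQLite database as a stand-in for the MySQL table so it runs offline (the SQL is the same on MySQL).

```php
<?php
// Added example, not the asker's or answerers' code. SQLite in-memory is a
// constructed stand-in for the MySQL table; the query text is identical.

/**
 * Build "SELECT EMAIL FROM USERNAME WHERE EMAIL <> ? AND EMAIL NOT IN (?, ?, ...)"
 * with one placeholder per excluded value. Returns [$sql, $params].
 * $exclude holds raw values (e.g. ['d', 'f']), never a pre-quoted string.
 */
function buildEmailQuery(string $email, array $exclude): array
{
    $params = [$email];
    $sql = 'SELECT EMAIL FROM USERNAME WHERE EMAIL <> ?';
    if ($exclude !== []) {
        // One "?" per value; the driver handles quoting, so a value such as
        // "x' OR '1'='1" is compared as a literal string, never parsed as SQL.
        $marks = implode(', ', array_fill(0, count($exclude), '?'));
        $sql .= " AND EMAIL NOT IN ($marks)";
        $params = array_merge($params, array_values($exclude));
    }
    return [$sql, $params];
}

function fetchOtherEmails(PDO $db, string $email, array $exclude): array
{
    [$sql, $params] = buildEmailQuery($email, $exclude);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample rows standing in for the asker's table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USERNAME (EMAIL TEXT)');
$ins = $db->prepare('INSERT INTO USERNAME (EMAIL) VALUES (?)');
foreach (['a', 'd', 'f', 'z'] as $row) {
    $ins->execute([$row]);
}

// Equivalent of the original request with EMAIL=a and $str = 'd','f':
// the listed values are excluded because they are bound as strings.
print_r(fetchOtherEmails($db, 'a', ['d', 'f']));

// A hostile EMAIL value is just a string that matches no row; it cannot
// change the shape of the query.
print_r(fetchOtherEmails($db, "a' OR '1'='1", ['d', 'f']));
```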
