Including a variable in a PHP SQL query

Just a quickie guys, I'm making a login script (only college level) where I've got a page to process the username and password submitted using POST. I'm trying to set up an SQL query that looks something like below (very roughly). Is it right to include the variables in the query like I've done? I've tried w3schools but can't seem to find my scenario.


PHP:
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "select * from users where user=$user and pass=$pass";


It would then go on to ask if any rows were returned (thus proving the username and password matched) to set a session for the username and redirect to the 'success' page, or else give an error that the username and password were wrong. Does that sound about right?
 
Can you point me somewhere that'll explain that in more depth? This is for a basic college project so I haven't anticipated that. But it'll be good practice for the future no doubt.

From what I gather if someone submits the username as some more SQL query then it'll mess up the results?
 
Thanks mossy, just what I needed. Another question as I've seen this before, but what do the %s mean/do?


PS. Would this work:

PHP:
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
 
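The problem raised above (a username that contains more SQL, and the %s placeholders seen in replies) demonstrated in runnable form. This is an added example, not code from the thread; it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the users table, the row in it and the $post array are constructed here to stand in for the real table and $_POST. Note that mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7, so the prepared-statement form is the one worth learning.

```php
<?php
// Added example (not the thread's code). Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the real users table.
$db->exec("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)");
$db->exec("INSERT INTO users (user, pass) VALUES ('alice', 'correct-horse')");

// Constructed stand-in for $_POST: an attacker knows the username but not the password.
$post = ['user' => "alice' --", 'pass' => 'guess'];
$user = $post['user'];
$pass = $post['pass'];

function report(string $label, array $rows): void
{
    printf("%-20s %d row(s): %s\n", $label, count($rows), $rows ? 'LOGIN ACCEPTED' : 'rejected');
}

// 1. Interpolating the variables, as in the thread (with the quotes the
//    original still needs for string columns). What reaches the database is
//      SELECT * FROM users WHERE user='alice' --' AND pass='guess'
//    and "--" starts an SQL comment, so the password check is never run.
$query = "SELECT * FROM users WHERE user='$user' AND pass='$pass'";
report('interpolated:', $db->query($query)->fetchAll(PDO::FETCH_ASSOC));

// 2. sprintf() with %s: %s is just "substitute a string here", so the text
//    sent is identical to case 1. It only helps if the value was escaped first.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND pass='%s'", $user, $pass);
report('sprintf %s:', $db->query($query)->fetchAll(PDO::FETCH_ASSOC));

// 3. Prepared statement: the SQL is parsed before the values are bound, so the
//    quote and the "--" are compared as ordinary characters of the username.
$stmt = $db->prepare("SELECT * FROM users WHERE user = :user AND pass = :pass");
$stmt->execute([':user' => $user, ':pass' => $pass]);
report('prepared:', $stmt->fetchAll(PDO::FETCH_ASSOC));
```

The first two variants return alice's row and would log the attacker in; the prepared statement returns nothing. For the rest of the login design described above (check for a row, then set the session), the same prepared statement works with mysqli or PDO against MySQL. One further caveat for a real login page: don't store the password in the pass column at all, store the output of password_hash() and compare the submitted value with password_verify() instead.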
Me again! Instead of making a new thread I thought I'd just update this one.

Making some good progress and learnt a lot, but hit a snag. Why doesn't this work?

PHP:
$message = "Hi ".$user.", This message confirms your order! Please check below for the items you ordered. \n\n". do {

blah blah stuff here

} while ($row_basket = mysql_fetch_assoc($basket));

The error is about the do being wrong I think, but I don't know how to make it right!

Parse error: syntax error, unexpected T_DO in /home/jordaann/public_html/oaklandia/store/checkoutconfirm.php on line 38
 
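The parse error comes from putting a do { } while loop where PHP expects an expression: the right-hand side of the "." concatenation. A loop is a statement, not a value, so the string has to be built first and then extended inside the loop with ".=". The version below is an added example, not the thread's code; the $basket rows and the fetchRow() helper are constructed stand-ins for the MySQL result set and mysql_fetch_assoc(), which has been removed since PHP 7.

```php
<?php
// Added example (not the thread's code).

// Constructed stand-in for the basket result set.
$basket = [
    ['item' => 'Notebook', 'qty' => 2, 'price' => 3.50],
    ['item' => 'Pen',      'qty' => 1, 'price' => 1.25],
];

// Stand-in for mysql_fetch_assoc($basket): returns the next row, or false when none are left.
function fetchRow(array $rows, int &$cursor)
{
    return $cursor < count($rows) ? $rows[$cursor++] : false;
}

function buildOrderMessage(string $user, array $rows): string
{
    $cursor = 0;

    // Build the fixed part of the message first...
    $message = "Hi " . $user . ", This message confirms your order! "
             . "Please check below for the items you ordered.\n\n";

    // ...then append one line per basket row. A do/while runs its body before
    // testing the condition, so the first row must already be fetched and the
    // loop guarded, or an empty basket would produce a line from a false row.
    $row_basket = fetchRow($rows, $cursor);
    if ($row_basket !== false) {
        do {
            $message .= sprintf("%d x %s @ %.2f\n",
                $row_basket['qty'], $row_basket['item'], $row_basket['price']);
        } while ($row_basket = fetchRow($rows, $cursor));
    }

    return $message;
}

echo buildOrderMessage('alice', $basket);
```

If the first row has not been fetched before the loop, a plain "while ($row_basket = fetchRow(...)) { ... }" is simpler and needs no guard; the do/while shape is kept here only because it matches the code in the question.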