用$ _POST变量连接Db字段php / mysql

HTML

  <form style="margin:5px 0;" action="#" method="post"> 
                Buyer <input type="radio" name="addType" value="Buyer" />
                &nbsp;&nbsp;Merchant <input type="radio" name="addType" value="Merchant" />
            </form>
            <form id="NewBuyerRegHp" method="post" action="check.php">
                Username or Email: <input type="text" name="userOrEmail" class="UserLogin" value="Username" onFocus="clearText(this)" /> <br />
                Password: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="password" name="userPass" class="UserLogin" value="Password" onFocus="clearText(this)"  /> <br />
                <input type="submit" name="SubmitNewBuyerHp" value="Secure Login" />
            </form>

PHP

require_once('../inc/db/dbc.php');

$entPass =  $_POST['userPass']; #entered password by user.
$SaltyPass = hash('sha512',$dynamSalt.$escapedInputtedPass); #more secure pass with dynam salt using SHA512 Hashing

$NewUserLoginCheck = mysql_query("SELECT uUName, uEmail, uUPass, dynamSalt FROM User WHERE uUName OR  uEmail = '".mysql_real_escape_string($_POST['userOrEmail'])."' AND uUPass = '".mysql_real_escape_string($_POST['userPass'])."'    ")or die(mysql_error());

How do I concatenate the inputted user pass with mysql_real_escape_string($_POST['userPass']) with the dynamSalt field?? I want to combination of mysql_real_escape_string($_POST['userPass']) . dynamSalt but I can't use the dynamSalt until its accessed in the SQL statement?

How would I go about doing this?

Try this

require_once('../inc/db/dbc.php');

//$entPass =  $_POST['userPass']; #entered password by user.
//$SaltyPass = hash('sha512',$dynamSalt.$escapedInputtedPass); #more secure pass with dynam salt using SHA512 Hashing

$NewUserLoginCheck = mysql_query("SELECT uUName, uEmail, uUPass, dynamSalt FROM User WHERE uUName OR  uEmail = '".mysql_real_escape_string($_POST['userOrEmail'])."' AND uUPass = sha2(concat(dynamSalt, '".mysql_real_escape_string($_POST['userPass'])."'), 512)    ")or die(mysql_error());

I personally am not a fan of concat or escaping strings in the middle of a query. If possible it is best (imo) to do everything pre-query. That way your query is easily readable, and your can perform more checks on the user input easier like running through functions and such.