Thread: Php - Sql Help

  1. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012

    Php - Sql Help

    Hi guys

    I really need some help. Can anyone tell me what's wrong with the code below? It can connect to the database but not insert a customer.


    <title>Scotia Cruises registration</title>
    <h1>Member Registration</h1>

    <?php
    /* example line below should be
    $FirstName = $_POST['customer_forename'];
    */
    $Title = $_POST['customer_title'];
    $FirstName = $_POST['customer_forename'];
    $SecondName = $_POST['customer_surname'];
    $AddressLine1 = $_POST['customer_address_1'];
    $AddressLine2 = $_POST['customer_address_2'];
    $Town = $_POST['customer_town'];
    $Postcode = $_POST['customer_postcode'];
    $Age = $_POST['customer_age'];
    $Country = $_POST['customer_country'];
    $TelephoneNumber = $_POST['customer_telephone_number'];
    $Email = $_POST['customer_email'];
    $Password = $_POST['customer_password'];

    @ $db = mysql_connect('', '*********', '*********');
    if (!$db)
        echo 'Error: Could not connect to database. Please try again later.';
    /* query values should be $title, $FirstName, $SecondName etc
    so for example:
    insert into 'customer'('customer_title','customer_forename') values ($title,$FirstName)
    */
    $query = "insert into customer('customer_title','customer_forename','customer_surname','customer_address_1','customer_address_2','customer_town','customer_postcode','customer_age','customer_country','customer_telephone_number','customer_email','customer_password','userlevel') values ($customer_title,$customer_forename,$customer_surname,$customer_address_1,$customer_address_2,$customer_town,$customer_postcode,$customer_age,$customer_country,$customer_telephone_number,$customer_email,$customer_password,user)";
    $result = mysql_query($query);
    if ($result)
        echo 'Member inserted';
    else
        echo 'Did not work';
    ?>
    <p>Click <a href="Manage_account.html">here</a> to return to the login page</font></p>
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012

    For the next time, please do some basic debugging yourself: output the query, execute it in phpMyAdmin and see what error message you get. If you can't figure it out yourself, post all this data here in the forum.

    Your query is not valid SQL, because you cannot wrap identifiers (table names, column names etc.) in single quotes. You can and must do that with values. So it's exactly the other way round in your INSERT query.

    Apart from that, your code is wide open to SQL injections, because you simply dump the POST values into the query string. Anybody could manipulate the query in any way.
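
The two points in the reply above (bare identifiers with quoted values, and keeping POST data out of the query string), shown as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database so it runs offline, a table cut down to four of the thread's columns, and a constructed `$post` array standing in for `$_POST`.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL server so the script runs offline;
// with MySQL only the DSN and credentials passed to new PDO() change.
// The table is cut down to four of the thread's columns.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (
    customer_title TEXT, customer_forename TEXT,
    customer_surname TEXT, customer_email TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'customer_title'    => 'Mr',
    'customer_forename' => 'Sean',
    'customer_surname'  => "O'Brien",   // a legitimate value containing a quote
    'customer_email'    => 'sean@example.com',
];

// String-built query: identifiers bare, values quoted by hand.
// The quote inside the surname ends the string literal early, so the input
// changes the structure of the statement instead of being stored as data.
$unsafe = "INSERT INTO customer (customer_title, customer_forename, customer_surname, customer_email) "
        . "VALUES ('{$post['customer_title']}', '{$post['customer_forename']}', "
        . "'{$post['customer_surname']}', '{$post['customer_email']}')";
try {
    $pdo->exec($unsafe);
    echo "string-built query: ran\n";
} catch (PDOException $e) {
    echo "string-built query: rejected (" . $e->getMessage() . ")\n";
}

// Prepared statement: identifiers are bare, values are bound placeholders.
$stmt = $pdo->prepare('INSERT INTO customer
    (customer_title, customer_forename, customer_surname, customer_email)
    VALUES (:title, :forename, :surname, :email)');
$stmt->execute([
    ':title'    => $post['customer_title'],
    ':forename' => $post['customer_forename'],
    ':surname'  => $post['customer_surname'],
    ':email'    => $post['customer_email'],
]);

// Read the row back to see what the bound statement stored.
$row = $pdo->query('SELECT customer_surname FROM customer')->fetch(PDO::FETCH_ASSOC);
echo "stored surname: {$row['customer_surname']}\n";
```

Because the driver sends bound values separately from the statement text, no quoting or escaping of the POST data is needed in the prepared version.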
