In the future, be sure to tell us what evidence you have that it isn't working (not inserting, any error messages, etc.).
Never, ever, ever, ever, ever, ever put $_POST or $_GET variables directly into MySQL queries. You're opening yourself up to injection attacks. This edit cycles through each of the $_POST keys, and uses mysql_real_escape_string to sanitize the variables (make them safe to put in a query). In the process, it assigns a variable with the name of the $_POST key (e.g., $_POST['firstname'] equals $firstname). The reason the script wasn't working was because you had single quotes embedded in single quotes.
Code:
<?php
// Confirm the password
if ($_POST['pswd'] != $_POST['cpswd']) {
    echo $errmsg1;
}
// Check to make sure all fields were filled out
elseif (empty($_POST['firstname']) || empty($_POST['lastname']) || empty($_POST['email']) || empty($_POST['cemail']) || empty($_POST['guests']) || empty($_POST['pswd']) || empty($_POST['cpswd']))
{
    echo $errmsg3;
}
else
{
    // Escape each submitted value and assign it to a variable named after its $_POST key
    foreach ($_POST as $key => $value) {
        $$key = mysql_real_escape_string($value);
    }
    // The form field is 'guests', so the loop above creates $guests (not $guest)
    $query = "INSERT INTO user (userid, firstname, lastname, email, pass, guests) VALUES ('', '$firstname', '$lastname', '$email', '$pswd', '$guests')";
    mysql_query($query) or die('Error, registration failed');
}
?>
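
An added example, not part of the original post: the same registration insert written with PDO prepared statements and a fixed list of expected fields, instead of escaping every key and creating a variable from each `$_POST` name. The in-memory SQLite database (standing in for MySQL), the `register` function, the `FIELDS` list, the password hashing and the sample input are assumptions made so the script runs offline.

```php
<?php
// SQLite in memory stands in for the MySQL connection (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY AUTOINCREMENT,
    firstname TEXT, lastname TEXT, email TEXT, pass TEXT, guests INTEGER)');

// Only these form fields are read. Any other POST key is ignored, so a
// request cannot create or overwrite variables such as $errmsg1 or $query.
const FIELDS = ['firstname', 'lastname', 'email', 'cemail', 'guests', 'pswd', 'cpswd'];

function register(PDO $pdo, array $post): string
{
    $in = [];
    foreach (FIELDS as $name) {
        $v = $post[$name] ?? '';
        $in[$name] = is_string($v) ? trim($v) : ''; // rejects array inputs like firstname[]=x
    }
    if (in_array('', $in, true)) {
        return 'missing field';
    }
    if ($in['pswd'] !== $in['cpswd']) {
        return 'password mismatch';
    }
    // Placeholders keep the values out of the SQL text entirely, so quotes
    // in the input need no escaping and cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO user (firstname, lastname, email, pass, guests)
        VALUES (:firstname, :lastname, :email, :pass, :guests)');
    $stmt->execute([
        ':firstname' => $in['firstname'],
        ':lastname'  => $in['lastname'],
        ':email'     => $in['email'],
        ':pass'      => password_hash($in['pswd'], PASSWORD_DEFAULT), // store a hash, not the password
        ':guests'    => (int) $in['guests'],
    ]);
    return 'ok';
}

// Constructed sample input: a surname with a single quote and an unexpected key.
$post = ['firstname' => 'Conan', 'lastname' => "O'Brien", 'email' => 'c@example.com',
         'cemail' => 'c@example.com', 'guests' => '2', 'pswd' => 'hunter2!',
         'cpswd' => 'hunter2!', 'errmsg1' => 'injected'];

echo register($pdo, $post), "\n";
$row = $pdo->query('SELECT firstname, lastname, guests FROM user')->fetch(PDO::FETCH_ASSOC);
echo json_encode($row), "\n";
```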