Code help for PHP newbie

jm999
Forum Commoner
Posts: 28
Joined: Tue Aug 29, 2006 11:58 am

Code help for PHP newbie

Post by jm999 »

This doesn't seem to be working. If I take out the query then everything works fine. Can anyone spot any errors?


//Confirm the password
if ($_POST['pswd'] != $_POST['cpswd']) {
	echo $errmsg1;
}
//Check to make sure all fields were filled out
elseif (empty($_POST['firstname']) || empty($_POST['lastname']) || empty($_POST['email']) || empty($_POST['cemail']) || empty($_POST['guests']) || empty($_POST['pswd']) || empty($_POST['cpswd'])) {
	echo $errmsg3;
}
else {
	$query = "INSERT INTO user (userid, firstname, lastname, email, pass, guests) VALUES ('', '($_POST['firstname'])', '($_POST['lastname'])', '($_POST['email'])', '($_POST['pswd'])', '($_POST['guests'])')";

	mysql_query($query) or die('Error, registration failed');
}
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

In the future, be sure to tell us what evidence you have that it isn't working (not inserting, any error messages, etc.).

Never, ever, ever, ever, ever, ever put $_POST or $_GET variables directly into MySQL queries. You're opening yourself up to injection attacks. This edit cycles through each of the $_POST keys, and uses mysql_real_escape_string to sanitize the variables (make them safe to put in a query). In the process, it assigns a variable with the name of the $_POST key (e.g., $_POST['firstname'] equals $firstname). The reason the script wasn't working was because you had single quotes embedded in single quotes.


<?php
//Confirm the password
if ($_POST['pswd'] != $_POST['cpswd']) {
	echo $errmsg1;
}
//Check to make sure all fields were filled out
elseif (empty($_POST['firstname']) || empty($_POST['lastname']) || empty($_POST['email']) || empty($_POST['cemail']) || empty($_POST['guests']) || empty($_POST['pswd']) || empty($_POST['cpswd'])) {
	echo $errmsg3;
}
else {
	// Escape each submitted value and expose it under the name of its $_POST key
	// (variable variables), so $_POST['firstname'] becomes $firstname, and so on.
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string($value);
	}

	// The form field is named 'guests', so the escaped variable is $guests.
	$query = "INSERT INTO user (userid, firstname, lastname, email, pass, guests) VALUES ('', '$firstname', '$lastname', '$email', '$pswd', '$guests')";
	mysql_query($query) or die('Error, registration failed');
}
?>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

parens vs braces

() vs {}
jm999
Forum Commoner
Posts: 28
Joined: Tue Aug 29, 2006 11:58 am

Post by jm999 »

Hey, thanks for the help and the advice. The page just wasn't executing. I would just get a blank white page when I'd submit the information. The query also wasn't inserting any data. It works now so that is all set. Is mysql_real_escape_string() necessary when checking user submitted data against information in the database, or is it just recommended for insertions?
determinedmoth
Forum Commoner
Posts: 33
Joined: Wed Jul 07, 2004 9:13 am

Post by determinedmoth »

jm999 wrote: Is mysql_real_escape_string() necessary when checking user submitted data against information in the database, or is it just recommended for insertions?
Yes, very necessary if your $user_var is to appear in ANY MySQL query.

Code defensively by habit - always check and clean user submitted data.
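As an added example that is not part of the thread, here is the same registration flow written with mysqli prepared statements, which covers both aaronhall's point about never placing $_POST values in query text and jm999's follow-up question: a SELECT that compares user input against stored data is parameterised exactly like the INSERT. It assumes the `user` table above with an auto-increment userid; the connection details and error messages are constructed placeholders.

```php
<?php
// Added example (not from the thread): registration with mysqli prepared
// statements, so $_POST values are bound as parameters and never become SQL text.
// Assumes the `user` table above with an auto-increment userid; connection
// details and error messages below are constructed placeholders.
$errmsg1 = 'Passwords do not match.';
$errmsg3 = 'Please fill out all fields.';

// Validate first: every required field present, passwords match.
$required = ['firstname', 'lastname', 'email', 'cemail', 'guests', 'pswd', 'cpswd'];
foreach ($required as $field) {
    if (!isset($_POST[$field]) || $_POST[$field] === '') {
        echo $errmsg3;
        exit;
    }
}
if ($_POST['pswd'] !== $_POST['cpswd']) {
    echo $errmsg1;
    exit;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($db->connect_error) {
    die('Error, registration failed');
}

// INSERT: placeholders in the SQL, values bound separately (s = string, i = int).
// The password is stored as a hash rather than in clear text.
$hash   = password_hash($_POST['pswd'], PASSWORD_DEFAULT);
$guests = (int) $_POST['guests'];
$stmt = $db->prepare(
    'INSERT INTO user (firstname, lastname, email, pass, guests) VALUES (?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssi', $_POST['firstname'], $_POST['lastname'], $_POST['email'], $hash, $guests);
if (!$stmt->execute()) {
    die('Error, registration failed');
}
$stmt->close();

// SELECT: checking submitted data against the database follows the same rule;
// the email is bound, not concatenated, and the hash is compared in PHP.
$check = $db->prepare('SELECT pass FROM user WHERE email = ?');
$check->bind_param('s', $_POST['email']);
$check->execute();
$check->bind_result($storedHash);
$found = $check->fetch();
$check->close();
echo ($found && password_verify($_POST['pswd'], $storedHash)) ? 'Registered' : 'Verification failed';
```

With bound parameters there is nothing to escape by hand, which removes the quoting mistake that broke the original script as well as the injection risk.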