Code help for PHP newbie
Posted: Wed Nov 01, 2006 10:18 pm
by jm999
This doesn't seem to be working. If I take out the query then everything works fine. Can anyone spot any errors?
//Confirm the password
if ($_POST['pswd'] != $_POST['cpswd']) {
echo $errmsg1; }
//Check to make sure all fields were filled out
elseif(empty($_POST['firstname']) || empty($_POST['lastname']) || empty($_POST['email']) || empty($_POST['cemail']) || empty($_POST['guests']) || empty($_POST['pswd']) || empty($_POST['cpswd']))
{
echo $errmsg3;
}
else
{
$query = "INSERT INTO user (userid, firstname, lastname, email, pass, guests) VALUES ('', '($_POST['firstname'])', '($_POST['lastname'])', '($_POST['email'])', '($_POST['pswd'])', '($_POST['guests'])')";
mysql_query($query) or die('Error, registration failed');
}
Posted: Thu Nov 02, 2006 12:14 am
by aaronhall
In the future, be sure to tell us what evidence you have that it isn't working (not inserting, any error messages, etc.).
Never, ever, ever, ever, ever, ever put $_POST or $_GET variables directly into MySQL queries. You're opening yourself up to injection attacks. This edit cycles through each of the $_POST keys, and uses mysql_real_escape_string to sanitize the variables (make them safe to put in a query). In the process, it assigns a variable with the name of the $_POST key (e.g., $_POST['firstname'] equals $firstname). The reason the script wasn't working was because you had single quotes embedded in single quotes.
<?php
//Confirm the password
if ($_POST['pswd'] != $_POST['cpswd']) {
echo $errmsg1; }
//Check to make sure all fields were filled out
elseif(empty($_POST['firstname']) || empty($_POST['lastname']) || empty($_POST['email']) || empty($_POST['cemail']) || empty($_POST['guests']) || empty($_POST['pswd']) || empty($_POST['cpswd']))
{
echo $errmsg3;
}
else
{
foreach($_POST as $key => $value) {
$$key = mysql_real_escape_string($value);
}
// The loop above creates $guests from $_POST['guests'], so the query must use $guests, not $guest
$query = "INSERT INTO user (userid, firstname, lastname, email, pass, guests) VALUES ('', '$firstname', '$lastname', '$email', '$pswd', '$guests')";
mysql_query($query) or die('Error, registration failed');
}
?>
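The escaping point above, as an added example that is not code from the thread: the same INSERT written with PDO prepared statements, with the interpolated form beside it to show why a single apostrophe is enough to break the thread's query. An in-memory SQLite database stands in for the MySQL table, and the form values are constructed.

```php
<?php
// Added example (not from the thread): user input is passed to the database
// as bound parameters instead of being spliced into the SQL string.
// An in-memory SQLite database stands in for the thread's MySQL table.

function createUserTable(PDO $db): void {
    $db->exec("CREATE TABLE user (
        userid INTEGER PRIMARY KEY AUTOINCREMENT,
        firstname TEXT, lastname TEXT, email TEXT, pass TEXT, guests INTEGER)");
}

// Vulnerable pattern from the thread: values interpolated straight into the SQL.
function insertInterpolated(PDO $db, array $post): void {
    $query = "INSERT INTO user (firstname, lastname, email, pass, guests) VALUES "
           . "('{$post['firstname']}', '{$post['lastname']}', '{$post['email']}', "
           . "'{$post['pswd']}', '{$post['guests']}')";
    $db->exec($query);
}

// Hardened version: named placeholders, values bound separately from the SQL text.
function insertPrepared(PDO $db, array $post): void {
    $stmt = $db->prepare("INSERT INTO user (firstname, lastname, email, pass, guests)
                          VALUES (:firstname, :lastname, :email, :pass, :guests)");
    $stmt->execute([
        ':firstname' => $post['firstname'],
        ':lastname'  => $post['lastname'],
        ':email'     => $post['email'],
        // Store a password hash rather than the raw password (added here, not in the thread).
        ':pass'      => password_hash($post['pswd'], PASSWORD_DEFAULT),
        ':guests'    => (int) $post['guests'],
    ]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createUserTable($db);

// Constructed form submission: a legitimate surname that contains an apostrophe.
$post = ['firstname' => 'Mary', 'lastname' => "O'Brien", 'email' => 'mary@example.com',
         'pswd' => 'secret', 'guests' => '2'];

try {
    insertInterpolated($db, $post);   // the apostrophe terminates the string literal early
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

insertPrepared($db, $post);           // the same value is stored unchanged
$row = $db->query("SELECT lastname FROM user")->fetch(PDO::FETCH_ASSOC);
echo "Stored lastname: " . $row['lastname'] . "\n";
```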
Posted: Thu Nov 02, 2006 7:01 am
by feyd
parens vs braces
() vs {}
Posted: Thu Nov 02, 2006 7:16 am
by jm999
Hey, thanks for the help and the advice. The page just wasn't executing. I would just get a blank white page when I'd submit the information. The query also wasn't inserting any data. It works now so that is all set. Is mysql_real_escape_string() necessary when checking user submitted data against information in the database, or is it just recommended for insertions?
Posted: Thu Nov 02, 2006 11:24 am
by determinedmoth
jm999 wrote: Is mysql_real_escape_string() necessary when checking user submitted data against information in the database, or is it just recommended for insertions?
Yes, very necessary if your $user_var is to appear in ANY MySQL query.
Code defensively by habit - always check and clean user submitted data.