Insert works but doesn't work at same time!

SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

OK, basically when I click register, the record goes to the table fine and gets its userid.

But the values from the PHP variables:

Code: Select all

$TermsOfService = $_POST['TermsOfService'];
$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']); 
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
$ip = $_SERVER["REMOTE_ADDR"];
$Gender = $_POST['Gender'];

Do not get inserted.. it just inserts blanks. My insert code is:

Code: Select all

$query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
    mysql_query($query) or die(mysql_error());

Also the $ip = $_SERVER["REMOTE_ADDR"]; when I test this, in the database the result comes out as "Array" instead of an IP number :S? I'm not entirely sure why this is.. any thoughts?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Echo $query.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

OK, I would paste the error but it's behind my main site so I can't paste it neatly.

But it says:

Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 1

repeated x 31

Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 32
INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('', '', '', '', '127.0.0.1', 'Male')



I definitely inputted something into the fields but only IP and gender actually appear in the database table.

I checked for case sensitivity on the field names, it's definitely a match so I dunno why it won't input.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

SirChick wrote: I checked for case sensitivity on the field names, it's definitely a match so I dunno why it won't input.

Because regardless of how right you think it is, it's wrong. :P print_r($_POST).
Also, we can't help you with the other errors if you don't post that code up as well.

And on a different note, why is it that you escape some posted data, but not all?
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

Where have I escaped it?

Code: Select all

<?php
error_reporting(E_ALL);
if (isset($_POST['RegistrationSubmission'])) {

    $TermsOfService = $_POST['TermsOfService'];
    $Username = mysql_real_escape_string($_POST['Username']);
    $Password = mysql_real_escape_string($_POST['Password']);
    $Password2 = mysql_real_escape_string($_POST['Password2']);
    $Email = mysql_real_escape_string($_POST['EmailRegistration']);
    $Country = mysql_real_escape_string($_POST['CountryChoice']);
    $ip = $_SERVER["REMOTE_ADDR"];
    $Gender = $_POST['Gender'];
    $jump2 = 1;
    if ($Password != $Password2) {
        echo "Passwords did not match";
        if ($TermsOfService == "off") {
            echo "You must agree to the terms of service before registering!";
            $jump2 = 0;
        }
    }

    if ($jump2 == 1) {
        mysql_connect("localhost", "root", "private") or die (mysql_error());
        mysql_select_db("civilian") or die (mysql_error());
        $chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
        $getUSERNAME = mysql_fetch_object($chkUSERNAME);
        if ($_POST['Username'] == $getUSERNAME->Username) {
            die('Username already registered, please choose a different username!');
        }
        $chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");
        $getEmail = mysql_fetch_object($chkEmail);
        if ($_POST['EmailRegistration'] == $getEmail->Email) {
            die('Email already registered, please choose a different username!');
        }

        if ($Password == $Password2) {
            mysql_connect("localhost", "root", "private") or die (mysql_error());
            mysql_select_db("civilian") or die (mysql_error());
            $query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
            echo $query;
            mysql_query($query) or die(mysql_error());
        }
    }
}
?>
nathanr
Forum Contributor
Posts: 200
Joined: Wed Jun 07, 2006 5:46 pm

Post by nathanr »

SirChick wrote: Where have I escaped it?

Escaped here (some others aren't escaped):

Code: Select all

$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']); 
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);

But not escaped here.. which leaves you open to SQL injections..

Code: Select all

$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
 ...
$chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

Is that why it's not working? And how do I structure it with escaped
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

There are a couple of things that would bother me if I were reviewing the code...

- Variable naming: what does '$jump2' represent?

- Using data that might not exist: $Username = mysql_real_escape_string($_POST['Username']);

- Using data that is not prepared for use in a query: $chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");

- Odd logic: You simply want to select a count of the rows where the username or e-mail equal something that already exists...
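
The points raised in this thread (posted values concatenated into the two SELECT checks, fields that may be missing from $_POST, and a single count instead of two lookups), as an added example that is not part of any post above. It assumes PDO with an in-memory SQLite database so it runs offline; field() and register_user() are hypothetical names, and hashing the password is an addition of this example.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver so it
// runs offline; for MySQL only the DSN changes. field() and register_user() are hypothetical names.
function field(array $post, string $key): string
{
    // "Data that might not exist": a missing or non-string field becomes ''.
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

function register_user(PDO $db, array $post, string $ip): string
{
    $username = field($post, 'Username');
    $email    = field($post, 'EmailRegistration');
    $password = field($post, 'Password');
    if ($username === '' || $email === '' || $password === '') {
        return 'missing field';
    }
    if ($password !== field($post, 'Password2')) {
        return 'passwords did not match';
    }
    // One COUNT query with bound parameters replaces the two concatenated SELECTs.
    $check = $db->prepare(
        'SELECT COUNT(*) FROM userregistration WHERE Username = ? OR Email = ?'
    );
    $check->execute([$username, $email]);
    if ((int) $check->fetchColumn() > 0) {
        return 'username or email already registered';
    }
    $insert = $db->prepare(
        'INSERT INTO userregistration (Username, Password, Email, Country, IP, Gender)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $insert->execute([
        $username,
        password_hash($password, PASSWORD_DEFAULT), // hashing is an addition of this example
        $email, field($post, 'CountryChoice'), $ip, field($post, 'Gender'),
    ]);
    return 'registered';
}

// Constructed sample input; the apostrophe is passed as data, not as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userregistration
    (Username TEXT, Password TEXT, Email TEXT, Country TEXT, IP TEXT, Gender TEXT)');
$post = ['Username' => "o'brien", 'Password' => 'pw', 'Password2' => 'pw',
    'EmailRegistration' => 'ob@example.test', 'CountryChoice' => 'IE', 'Gender' => 'Male'];
echo register_user($db, $post, '127.0.0.1'), "\n";
echo register_user($db, $post, '127.0.0.1'), "\n";
```

A UNIQUE index on Username and Email is still needed, because two simultaneous requests can both pass the count check before either insert runs.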