Full Version: PHP problem
Niels
I am making a site with a big usersystem.
I have made the signup form and defined $database and have selected the DB.
Then I use this MySQL query:
mysql_query("insert into users('username','email','password','firstname','lastname','country') values('$username','$email','$password','$firstname','$lastname','$country'");
It looks like everything is fine but it doesn't put anything in my DB.
Please help me!!
3a3
the problem is with the '$username' thing .. you should do it like this:

mysql_query("insert into users('username','email','password','firstname','lastname','country') values('".$username."','".$email."','".$password."','".$firstname."','".$lastname."','".$country."'");

the problem is because PHP does not parse the variables that are in simple quotation marks. when you type '$variable' it's not the same as you type "$variable" just like

print '$variable'; //prints $variable out
print "$variable"; //prints out the value of variable

Hope this helps ..

[ 05-05-2002, 11:48 AM: Message edited by: 3a3 ]
PHPMemX-Points
I've always used this query on PHPMemX-Points, and it doesn't let me down..

$query = "insert into pointsusers values ('$username', '$pass', '$name', '$email', '300', 'Copper', NULL, NULL, 'No', '$randseed')";
$result = mysql_query($query);

Works fine.

Hope this helps
3a3
well .. I'm not gonna argue with you, but I have had the same problem as Niels and my solution helped.

And I must say, I don't believe that the query you typed works for you .. sorry, but that is against the rules of building queries .. and PHP syntax.
PHPMemX-Points
Heh, people say that after you code PHP for so long, you can't understand how other people code. That's what it's like with me. The code I typed was directly from my registration script, and as I got users signing up, it must have worked.
YBonline
Try this:
mysql_query("insert into users(username,email,password,firstname,lastname,country) values('$username','$email','$password','$firstname','$lastname','$country')");

You added a "'" around the field name which MySQL doesn't like for some reason, and missed the ) at the end...
Also to ensure you are using a valid connection, I strongly recommend that in your mysql_connect you do this:
$link=mysql_connect("localhost","username","password");
and then for readability reasons
$query="insert into users(username,email,password,firstname,lastname,country) values('$username','$email','$password','$firstname','$lastname','$country')";

Then when you call mysql_query, all it has to look like is this:
mysql_query($query,$link) or die("Query failed: ".mysql_error());

The or die returns the exact error that mysql gave, very nice for debugging reasons such as you are doing now...

[ 05-05-2002, 05:46 PM: Message edited by: YBonline ]
Yrlec
quote:
Originally posted by 3a3:
well .. I'm not gonna argue with you, but I have had the same problem as Niels and my solution helped.

And I must say, I don't believe that the query you typed works for you .. sorry, but that is against the rules of building queries .. and PHP syntax.

PHPMemX-Points is right, you can write like that.

I use it in degoo and I've also written an article about security in PHP for a Swedish computer magazine where I actually mention that you should use single-quotes around variables in your queries to prevent users from creating their own queries; so I do know what I'm talking about :-)

If you don't believe me you can look here: http://www.php.net/manual/en/language.types.string.php
3a3
well .. I'm not some professional, who has completed lots of courses for thousands of $, I've learned all on my own .. so take me as I am ..

can you please show me any sample of that can use double quoted strings that users can use to make their own query?
Yrlec
quote:
Originally posted by 3a3:
well .. I'm not some professional, who has completed lots of courses for thousands of $, I've learned all on my own .. so take me as I am ..

can you please show me any sample of that can use double quoted strings that users can use to make their own query?

I've actually also learned everything on my own, I've gained my experience by working with degoo.
Here's a classic example of a dangerous query:

mysql_query("UPDATE users SET password='$password'
WHERE userid=$userid and password='$oldpassword'");

If a hacker then goes to this URL: changepass.php?userid=1%23&password=abc , then $userid would equal 1# and $password equal abc. Since # is a comment-sign in mysql the rest of the query would be omitted and the hacker would be able to set the password for any user, since he doesn't have to know the user's password to be able to change it.

[ 05-06-2002, 01:47 PM: Message edited by: Yrlec ]
3a3
The way I do is that I use my own function my_query, that is defined and removes all the symbols like '#', ';' and so on .. .. so these hackers are not dangerous to me anyway ..
Yrlec
But the hacker can still define their own WHERE clauses by writing their own AND/OR conditions...
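
An added example, not part of any post in this thread: Yrlec's change-password query rewritten with bound parameters and run against the request from his post (userid=1%23, password=abc). SQLite in memory stands in for MySQL, and the table rows and function names are constructed for illustration. Because the values are bound instead of pasted into the SQL text, this also covers the AND/OR case raised just above, which stripping '#' and ';' does not.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the rows and function names below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice-old'), (2, 'bob-old')");

// The thread's pattern: request values pasted straight into the SQL text.
// Only the resulting string is built here; it is never executed.
function unsafe_sql($userid, $password, $oldpassword) {
    return "UPDATE users SET password='$password' "
         . "WHERE userid=$userid and password='$oldpassword'";
}

// Hardened form: the SQL text is fixed and every value is bound, so input
// can never become a comment sign, a quote or an extra AND/OR condition.
function change_password(PDO $db, $userid, $password, $oldpassword) {
    // userid is unquoted in the original query, so insist it is an integer.
    $id = filter_var($userid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare(
        'UPDATE users SET password = :new WHERE userid = :id AND password = :old'
    );
    $stmt->execute(array(':new' => $password, ':id' => $id, ':old' => $oldpassword));
    return $stmt->rowCount(); // number of rows actually changed
}

// Values from changepass.php?userid=1%23&password=abc (no old password sent).
$userid = '1#';
$password = 'abc';
$oldpassword = '';

// MySQL treats everything after # as a comment, so the password check is lost.
echo unsafe_sql($userid, $password, $oldpassword), "\n";

// Same request through the hardened function: the id is rejected.
echo change_password($db, $userid, $password, $oldpassword), "\n";
// A well-formed id still needs the correct old password to change a row.
echo change_password($db, '1', 'abc', 'wrong-guess'), "\n";
echo change_password($db, '1', 'abc', 'alice-old'), "\n";
```
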
3a3
as I've said above .. I don't want to argue with you guys, coz I'm not so professional .. ..
Niels
Many thanks guys. Think I figured something out, gonna call my webhost tomorrow and get it corrected.
Niels
Stupid me!!! *takes a gun out and shoots himself* the problem was that I selected users and said insert into users, it should have been select cyber_web_dk insert into users.