2015-12-01 08:43



This question already has an answer here:

I'm trying to relearn SQL and phpmyadmin, and I'm having trouble getting the SQL connection and my query to work. I am using a basic form to work out how adding information through a form is supposed to work. I have a table with 5 columns: user_ID, email, username, first_name, and last_name. user_ID is the primary key with the auto-update and bigint properties, while email and username are both unique keys. The user has the following global privileges: SELECT, INSERT, UPDATE, DELETE, and CREATE TEMPORARY TABLES. I'm hoping I can figure out what's going wrong so I can continue with my work.

Edit: I just verified that the '$cxn' part of my code is working, and it's just my $results query. I also checked, and all of the data from the form is being passed to the query correctly. I also fixed the formatting of the code, and I'm still getting the same error.

$host = 'localhost';
$user = 'users';
$dbpass = 'password';
$dbname = 'users';
$cxn = mysqli_connect($host,$user,$dbpass,$dbname) or die("Could not connect to server.");

if(isset($_POST['submitted']) and $_POST['submitted'] == 'yes')
    $query = "insert into 'user_info' ('email', 'username', 'first_name', 'last_name') values ([".$_POST['email']."], [".$_POST['username']."], [".$_POST['first_name']."], [".$_POST['last_name']."])";
    $result = mysqli_query($cxn,$query) or die('Can\'t complete query.');
    echo "Congratulations!"; 

Edit 2: Following the advice of some of the comments, I have changed my code to the following. I think this should be safe from SQL injection and should be formatted correctly. However, it still gives me errors when submitted, and I'm not sure what else I can change. I'm starting to think that something is wrong with the database itself, though I haven't changed any settings other than adding the user.

$email = $_POST['email'];
$username = $_POST['username'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$safe_email = mysql_real_escape_string($email);
$safe_username = mysql_real_escape_string($username);
$safe_first = mysql_real_escape_string($first_name);
$safe_last = mysql_real_escape_string($last_name);

$query = "insert into `user_info` (`email`, `username', `first_name`, `last_name`) values ('$safe_email', '$safe_username', '$safe_first', '$safe_last')";
$result = mysqli_query($cxn,$query) or die('Can\'t complete query.');
echo "Congratulations!";


  • dtup3446, 6 years ago

    Change your insert query to -

    $query = "insert into `user_info` (`email`, `username`, `first_name`, `last_name`) values ('{$_POST['email']}', '{$_POST['username']}', '{$_POST['first_name']}', '{$_POST['last_name']}')";

    Also, following the comments, your code is open to SQL injection. Please use prepared statements with parameterized queries to avoid that.

    Also refer to this thread for more information.

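
The parameterized insert that the answer above recommends, as an added example that is not part of the original thread. It assumes the connection values and `user_info` columns given in the question; `insert_user` is a hypothetical helper name.

```php
<?php
// Added example: mysqli prepared statement for the question's user_info table.
// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: insert one row using bound parameters only.
function insert_user(mysqli $cxn, array $form): string
{
    // Require every expected field; reject arrays such as email[]=x.
    $values = [];
    foreach (['email', 'username', 'first_name', 'last_name'] as $f) {
        if (!isset($form[$f]) || !is_string($form[$f]) || trim($form[$f]) === '') {
            return "Missing field: $f";
        }
        $values[] = trim($form[$f]);
    }
    try {
        // Placeholders keep the submitted data out of the SQL text entirely,
        // so no quoting or escaping of the values is needed.
        $stmt = $cxn->prepare(
            'INSERT INTO `user_info` (`email`, `username`, `first_name`, `last_name`)
             VALUES (?, ?, ?, ?)'
        );
        $stmt->bind_param('ssss', ...$values); // four string parameters
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        // 1062 = duplicate entry on the unique email/username keys.
        if ($e->getCode() === 1062) {
            return 'That email or username is already registered.';
        }
        error_log($e->getMessage()); // details go to the log, not the page
        return "Can't complete query.";
    }
    return 'Congratulations!';
}

if (isset($_POST['submitted']) && $_POST['submitted'] === 'yes') {
    try {
        // Connection values as posted in the question.
        $cxn = new mysqli('localhost', 'users', 'password', 'users');
        $message = insert_user($cxn, $_POST);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());
        $message = 'Could not connect to server.';
    }
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```
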
  • dongxun1142, 6 years ago

    I'm not sure, but I would do the following:

    $query = "insert into user_info (email, username, first_name, last_name) values ('".$_POST['email']."', '".$_POST['username']."', '".$_POST['first_name']."', '".$_POST['last_name']."')";
  • dongze5043, 6 years ago

    Please remove the [] from beside the $_POST values and use proper "" for each value, like this: '".$_POST['email']."'
