09-28-2008, 08:40 AM
#2 (permalink)
The Wanderer
Join Date: Mar 2008
Posts: 18
Thanks: 0
What do you get when you echo $usrAdd; ?
I think that you haven't added ' ' in the SQL.
Try this:
PHP Code:
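    // Quote and escape each form value before it goes into the query.
    $md5pass = quote_smart(md5($_POST['password']));
    $_POST['username'] = quote_smart($_POST['username']);
    $_POST['email'] = quote_smart($_POST['email']);
    $_POST['fullName'] = quote_smart($_POST['fullName']);

    // quote_smart() adds the surrounding single quotes itself, so none are written here.
    $usrAdd = "INSERT INTO users(username, password, email, fullName)
    VALUES(".$_POST['username'].", ".$md5pass.", ".$_POST['email'].", ".$_POST['fullName'].")";

    // Needs an open MySQL connection, which mysql_real_escape_string() uses.
    function quote_smart($value)
    {
        if( is_array($value) ) {
            return array_map("quote_smart", $value);
        } else {
            if( get_magic_quotes_gpc() ) {
                $value = stripslashes($value);
            }
            if( $value == '' ) {
                // Empty input becomes an unquoted SQL NULL.
                $value = 'NULL';
            } elseif( !is_numeric($value) || $value[0] == '0' ) {
                // Non-numeric values and numbers with a leading zero are escaped and quoted.
                $value = "'".mysql_real_escape_string($value)."'";
            }
            return $value;
        }
    }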
Check out these:
to avoid SQL injections
to avoid XSS
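
Added example, not part of the original post: the same INSERT written with bound parameters through PDO, so no form value is ever spliced into the SQL string. An in-memory SQLite database stands in for the poster's MySQL server, `null_if_empty()` and `add_user()` are hypothetical names, and `password_hash()` is swapped in for the post's `md5()`.

```php
<?php
// In-memory SQLite (assumption) stands in for the MySQL database in the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT NOT NULL,
    password TEXT NOT NULL,
    email    TEXT,
    fullName TEXT
)');

// Hypothetical helper: an empty form field is stored as SQL NULL,
// which is what quote_smart() in the post aims for.
function null_if_empty(?string $value): ?string
{
    return ($value === null || $value === '') ? null : $value;
}

// Hypothetical helper: the post's INSERT with placeholders instead of quoting.
function add_user(PDO $pdo, array $form): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, email, fullName)
         VALUES (:username, :password, :email, :fullName)'
    );
    $stmt->execute([
        ':username' => $form['username'],
        // Swapped in for md5(): a salted, deliberately slow password hash.
        ':password' => password_hash($form['password'], PASSWORD_DEFAULT),
        ':email'    => null_if_empty($form['email'] ?? null),
        ':fullName' => null_if_empty($form['fullName'] ?? null),
    ]);
}

// Constructed sample input standing in for $_POST; quotes are left unescaped.
$form = [
    'username' => "o'brien'--",
    'password' => 'correct horse battery staple',
    'email'    => '',
    'fullName' => "Pat O'Brien",
];
add_user($pdo, $form);

$row = $pdo->query('SELECT username, email, fullName FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === $form['username']); // quotes stored as plain data
var_dump($row['email'] === null);                 // empty field stored as NULL
var_dump((int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn() === 1);
```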