Error in Mysql

zxt3st · 09-28-2008, 08:18 AM

Here is the error

Code:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@yahoo.com, )' at line 2

Here is my code.

PHP Code:


			
<?php



include('includes/dbsettings.php');



$duplicates = "SELECT username FROM users WHERE username='".trim($_POST['username'])."'";

$result = mysql_query($duplicates, $link)or die("Could not execute query");

if (mysql_num_rows($result)>0)

{

    print ("<script>\n alert('Username already exists!')\n history.back(); </script>");

    exit();

}

if (($_POST['username'] == "")||($_POST['password'] == "" && $_POST['password2'] == "")||($_POST['email'] == "")||($_POST['name'] == ""))

{

    print ("<script>\n alert('All fields are required!')\n history.back(); </script>");

    exit();

}

if ($_POST['password'] != $_POST['password2'])

{

    print ("<script>\n alert('Password does not match!!')\n history.back(); </script>");

    exit();

}

if(!eregi("^[a-zA-Z0-9]+[a-zA-Z0-9_.-]*@[a-zA-Z0-9]+[a-zA-Z0-9_.-])*\.[a-z]{2,4}$", $_POST['email']))

{

    print ("<script>\n alert('Email is invalid!!!')\n history.back(); </script>");

    exit();

}

$md5pass = md5($_POST['password']);

$usrAdd = "INSERT INTO users(username, password, email, fullName)

            VALUES(".$_POST['username'].", ".$md5pass.", ".$_POST['email'].", ".$_POST['fullName'].")";

if(mysql_query($usrAdd, $link))

{

    echo "User SUccessfully Added!";

}else{

    echo mysql_error();

}



?>

above is my code, its still plain and not the purpose is to just solely register an account.

I already do some research in google but i stil can't find my answers. THanks.

martins256 · 09-28-2008, 08:40 AM

What do you get when you echo $usrAdd; ?
I think that you haven't added ' ' in the SQL.

try this:

PHP Code:


			
$md5pass = quote_smart(md5($_POST['password']));

$_POST['username'] = quote_smart($_POST['username']);

$_POST['email'] = quote_smart($_POST['email']);

$_POST['fullName'] = quote_smart($_POST['fullName']);





$usrAdd = "INSERT INTO users(username, password, email, fullName)

            VALUES(".$_POST['username'].", ".$md5pass.", ".$_POST['email'].", ".$_POST['fullName'].")"; 



function quote_smart($value)

{

    if( is_array($value) ) {

        return array_map("quote_smart", $value);

    } else {

        if( get_magic_quotes_gpc() ) {

            $value = stripslashes($value);

        }

        if( $value == '' ) {

            $value = 'NULL';

        } if( !is_numeric($value) || $value[0] == '0' ) {

            $value = "'".mysql_real_escape_string($value)."'";

        }

        return $value;

    }

}

check out these:
to avoid sql injections

to avoid XSS

zxt3st · 09-28-2008, 08:43 AM

im just making a simple code yet for my simple tutorial about it :) and will add another code for the sql injection and xss :)

btw, thnx i will try the code.

And i am making a registration system for user.

btw this is what i get when i echo the $usrAdd

Quote:

INSERT INTO users(username, password, email, fullName) VALUES(aldin, 9cdfb439c7876e703e307864c9167a15, aldin@yahoo.com, aldin moreno)You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@yahoo.com, aldin moreno)' at line 2

And im making a simple registration system, but still the same error.

zxt3st · 09-28-2008, 08:53 AM

btw, i have just added your code, and it works :)

Thanks has been added :)

But i am still willing to hear from other guyz on why am i getting those errors using that simple code i made ;)

thnx,
t3st

martins256 · 09-28-2008, 09:24 AM

The SQL should work if it looked like this:
INSERT INTO users(username, password, email, fullName) VALUES('aldin', '9cdfb439c7876e703e307864c9167a15', 'aldin@yahoo.com', 'aldin moreno')

read more here