[SOLVED] MySQL insert query error?

[mrhobbz]

I'm trying to run this query:

$sql = "INSERT INTO i_usr (NULL, usrname, usrpass, usremail, usrhandle) VALUES (NULL, '$username, '$password, '$email', '$handle')";	

 

This is the error it spits out: 

Error : MySQL - Database Query

 

[1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'NULL usrname usrpass usremail usrhandle VALUES test 098f6bcd4621d373cade4e832627' at line 1

 

 

Any ideas?

[pocobueno1388]

Take out the NULL. If you don't specify a field, it will enter a null automatically.

 

So try this instead

$sql = "INSERT INTO i_usr (usrname, usrpass, usremail, usrhandle) VALUES ('$username, '$password, '$email', '$handle')";

[moselkady]

Try this one:

$sql = "INSERT INTO i_usr VALUES (NULL, '$username, '$password, '$email', '$handle')";

 

[mrhobbz]

Tried that, still nothing..

 

I'm passing it through this function:

public function query($sql) {
$sql = $this->clean_sql($sql);
$this->act = @mysql_query($sql, $this->con);

			if(!$this->act) {
				$this->err('MySQL', 'Database Query');
			}
			$this->affected_rows = mysql_affected_rows($this->con);	
}

and it shoots the sql statement through this function:

public function clean_sql($string) {
$string = ereg_replace("[\'\")(;|`,]", "", $string);
$string = mysql_real_escape_string(trim($string), $this->con);
return $string;
}

[mmoxley]

From my limited MySQL work I see a posible problem; you do not have quotations on your usernam and password.

 

$sql = "INSERT INTO i_usr (usrname, usrpass, usremail, usrhandle) VALUES ('$username', '$password', '$email', '$handle')";

 

[mrhobbz]

Good eye, I tried that and i get:

 

Error : MySQL - Database Query

 

[1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usrname usrpass usremail usrhandle VALUES test 098f6bcd4621d373cade4e832627b4f6 ' at line 1

[wildteen88]

You have no commas separating your fields/values. This is because your clean_sql function removes comma's (and other required characters) from your query. This is the offending line:

$string = ereg_replace("[\'\")(;|`,]", "", $string);

I'd recommend you remove that line.

 

[mrhobbz]

Tried that, just using the mysql_real_escape_string and I get:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'test\', \'098f6bcd4621d373cade4e832627b4f6\', \'test@gmail.com\', \'test\')' at line 1

[wildteen88]

You need to rethink how you escape data in your query. Currently you're passing the whole query to your query() method, which in turn passes the query to clean_sql() method which will escape all quotes in your query and not your queries values.

 

You should escape all data before constructing the query itself.

 

 

[mrhobbz]

Its escaped before its stuck into the query string.

[wildteen88]

Then why are you passing the whole query to your clean_sql() method? Change your query() method to

public function query($sql) {

$this->act = @mysql_query($sql, $this->con);

			if(!$this->act) {
				$this->err('MySQL', 'Database Query');
			}
			$this->affected_rows = mysql_affected_rows($this->con);	
}

[mmoxley]

Look's like it is still seeing exta " ' ".  try debugging by doing one item at a time to see what value is caussing the burp.

 

$sql = "INSERT INTO i_usr (usrname) VALUES ('$username')"; 

 

then

$sql = "INSERT INTO i_usr (usrpass) VALUES ('$password)"; 

 

if no problems there, you'r varibale as fine.  If you do have a problem, you have to look at what your variables are.  You might also want to try "$username" double quotes.

 

 

 

 

 

 

 

[mrhobbz]

I got it figured it, removed that pointless expression and the trim and its working fine. Thanks guys.