paulhume Posted June 12, 2012

Hi all,

Up until recently I have been using Dreamweaver to generate all of the MySQL code that has been needed. I am now starting to write my own and I have an insert query that looks like it should work but for some reason it doesn't. Any help would be appreciated. Here is the code:

```php
<?php
// Check if add button is clicked
if ($_POST['insert'] == "userdetails") {
    // Check that username field is not blank
    if ($_POST['UserName'] <> "") {
        // Check that password field is not blank
        if ($_POST['Password'] <> "") {
            //Collect Data
            $InsertUserName = $_POST['UserName'];
            $InsertPassword = $_POST['Password'];
            $InsertAccess = $_POST['Access'];

            //Insert into database
            mysql_query("INSERT INTO users (UserName, Password, Access) VALUES ($InsertUserName, $InsertPassword, $InsertAccess)");

            //Go to users page
            header('LOCATION: users.php');
        } else {
            $InsertFailed = "Password";
        }
    } else {
        $InsertFailed = "Username";
    }
}
?>
```

I know the connection to the DB is working fine. Thank you in advance for any help.
Jessica Posted June 12, 2012

Strings need to be surrounded by single quotes in a query. Next step, google SQL injection. Your code is very insecure. You also need to learn how to capture MySQL errors. I'd find an actual tutorial rather than trying to learn from Dreamweaver code.
paulhume (Author) Posted June 12, 2012

I had already tried it with single quotes. I changed it to double as I have another insert with double quotes and that one works?
ManiacDan Posted June 12, 2012

You've tried this?

```php
mysql_query("INSERT INTO users (UserName, Password, Access) VALUES ('{$InsertUserName}', '{$InsertPassword}', '{$InsertAccess}')");
```

Also, you need to use mysql_real_escape_string around all these variables. It's also a good idea to actually check and handle error messages for queries (which you're not doing). And finally, you must die() directly after a header() call.
Pikachu2000 Posted June 12, 2012

The individual string values within the query string need to be quoted. Also, it's not good practice to form the query string within the call to the mysql_query() function. As you can see, it precludes the ability to echo the query string for debugging.

```php
// Build the query in a variable so it can be echoed while debugging
$query = "INSERT INTO table (text1, text2, numeric1) VALUES ('$string1', '$string2', $number)";
$result = mysql_query($query);
```
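The replies above make three points: string values must be quoted, raw `$_POST` values must never be interpolated into SQL (that is the SQL injection Jessica mentions), and the script must stop after `header()` and check for query errors. The following is an added example, not code from the thread, showing how those points look in one place with a parameterised `mysqli` statement, which makes quoting and escaping the driver's job rather than the programmer's (the `mysql_*` functions used in the thread were removed in PHP 7). It assumes the `users` table from the question with `UserName`, `Password` and `Access` columns, that `Access` is an integer, and placeholder connection details that you would replace with your own.

```php
<?php
// Added example (not from the original thread). Assumes a `users` table with
// columns UserName, Password, Access as in the question, that Access is an
// integer, and a MySQL server reachable with the placeholder credentials below.
declare(strict_types=1);

// Turn every MySQL error into an exception instead of a silent false return,
// so a failed INSERT can never be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection details: replace with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

/**
 * Insert a user with a prepared statement. The values are sent separately
 * from the SQL text, so no quoting or escaping is needed and user input
 * cannot alter the statement. Returns the new row's auto-increment id.
 */
function insertUser(mysqli $db, string $userName, string $password, int $access): int
{
    // Store a password hash, never the plain-text password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO users (UserName, Password, Access) VALUES (?, ?, ?)'
    );
    // 'ssi' = two strings and one integer, one type per placeholder.
    $stmt->bind_param('ssi', $userName, $hash, $access);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Same control flow as the question: only act when the add button was clicked.
if (($_POST['insert'] ?? '') === 'userdetails') {
    $userName = trim($_POST['UserName'] ?? '');
    $password = $_POST['Password'] ?? '';
    // Validate Access as an integer instead of trusting the raw POST value.
    $access   = filter_var($_POST['Access'] ?? '', FILTER_VALIDATE_INT);

    if ($userName === '') {
        $InsertFailed = 'Username';
    } elseif ($password === '') {
        $InsertFailed = 'Password';
    } elseif ($access === false) {
        $InsertFailed = 'Access';
    } else {
        try {
            insertUser($db, $userName, $password, $access);
        } catch (mysqli_sql_exception $e) {
            // Keep the database detail in the server log; show the user a
            // generic message so table and column names are not disclosed.
            error_log('user insert failed: ' . $e->getMessage());
            http_response_code(500);
            exit('Could not create user.');
        }
        // Redirect, then stop: nothing after header() should run.
        header('Location: users.php');
        exit;
    }
}
```

With the placeholders replaced and the table present, submitting the form inserts one row and redirects to `users.php`; a missing field sets `$InsertFailed` as the original script did, and a database error is logged server-side rather than being swallowed. Echoing the query for debugging, as Pikachu2000 suggests, still works here because the SQL text is a plain string with `?` markers and contains no user data.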