LemonInflux Posted November 21, 2007

<?php
// Added php wrappers for highlighting...
$user = mysql_real_escape_string($_POST['username']);
$pass = md5(mysql_real_escape_string($_POST['password']));
$mail = mysql_real_escape_string($_POST['e-mail_address']);

$sql = mysql_query("INSERT INTO `". MEMBERS ."` (`userid`, `username`, `password`, `posts`, `avatar`, `signature`, `msn`, `aim`, `website`, `IP`, `email`, `rank`, `last_active`, `birthday`, `location`, `interests`, `title`) VALUES (NULL, '". $user ."', '". $pass ."', \'\', \'\', NULL, NULL, NULL, NULL, '". $_SERVER['REMOTE_ADDR'] ."', '". $mail ."', '4', CURRENT_TIMESTAMP, NULL, NULL, NULL, NULL") or die(mysql_error());
?>

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\', \'\', NULL, NULL, NULL, NULL, '127.0.0.1', '[email protected]', '4', CURRENT_TIMES' at line 1

I'm not seeing the error :/ The php query was generated by PHPMyAdmin. Anyone have any ideas?

Link to comment https://forums.phpfreaks.com/topic/78224-solved-problem-with-mysql-query/

pranav_kavi Posted November 21, 2007

You don't need to escape the single quotes. Hence, it should be

$sql = mysql_query("INSERT INTO `". MEMBERS ."` (`userid`, `username`, `password`, `posts`, `avatar`, `signature`, `msn`, `aim`, `website`, `IP`, `email`, `rank`, `last_active`, `birthday`, `location`, `interests`, `title`) VALUES (NULL, '". $user ."', '". $pass ."', '', '', NULL, NULL, NULL, NULL, '". $_SERVER['REMOTE_ADDR'] ."', '". $mail ."', '4', CURRENT_TIMESTAMP, NULL, NULL, NULL, NULL") or die(mysql_error());

kratsg Posted November 21, 2007

$sql = mysql_query("INSERT INTO `". MEMBERS ."` (`userid`, `username`, `password`, `posts`, `avatar`, `signature`, `msn`, `aim`, `website`, `IP`, `email`, `rank`, `last_active`, `birthday`, `location`, `interests`, `title`) VALUES (NULL, '". $user ."', '". $pass ."', \'\', \'\', NULL, NULL, NULL, NULL, '". $_SERVER['REMOTE_ADDR'] ."', '". $mail ."', '4', CURRENT_TIMESTAMP, NULL, NULL, NULL, NULL") or die(mysql_error());

Not quite sure why you escaped... ALL THAT STUFF, it should be something like this:

$query = "INSERT INTO `MEMBERS` (`userid`, `username`, `password`, `posts`, `avatar`, `signature`, `msn`, `aim`, `website`, `IP`, `email`, `rank`, `last_active`, `birthday`, `location`, `interests`, `title`) VALUES (NULL, '$user', '$pass','','',NULL,NULL,NULL,NULL,'".$_SERVER['REMOTE_ADDR']."', '$mail','4','".time()."',NULL,NULL,NULL,NULL";
$query = mysql_query($query) or die(mysql_error());

I also fixed up some combos of the double/single quotes a little bit...

LemonInflux Posted November 21, 2007

Sorry, I have security OCD. I'll try that.

LemonInflux Posted November 21, 2007

Didn't work:

'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1'

LemonInflux Posted November 21, 2007

Have uploaded the project so people can look:

http://www.reflexprojects.net/ - the project
http://www.reflexprojects.net/register.php - the problem

LemonInflux Posted November 21, 2007

do I need the time() thing, or can I just NULL that?

LemonInflux Posted November 25, 2007

current query:

<?php
$user = mysql_real_escape_string($_POST['username']);
$pass = md5(mysql_real_escape_string($_POST['password']));
$mail = mysql_real_escape_string($_POST['e-mail_address']);

$query = "INSERT INTO `". MEMBERS ."` (`userid`, `username`, `password`, `posts`, `avatar`, `signature`, `msn`, `aim`, `website`, `IP`, `email`, `rank`, `last_active`, `birthday`, `location`, `interests`, `title`) VALUES (NULL, '". $user ."', '". $pass ."', NULL, NULL, NULL, NULL, NULL, NULL,'". $_SERVER['REMOTE_ADDR'] ."', '". $mail ."','4','". time() ."', NULL, NULL, NULL, NULL";
$query = mysql_query($query) or die(mysql_error());
?>

And still unsolved

Gamic Posted November 25, 2007

<?php
$sql="insert into members( username, password, IP, email, rank, last_active )values( '$user',PASSWORD('$pass'),'{$_SERVER['REMOTE_ADDR']}','$mail','4','".time()."' );";
?>

Ok, there are several things going on now, with this query.

I have removed each NULL and each field that null was being inserted into. Unless there is some reason to have these they are not needed.

I have added "PASSWORD ('$pass')" instead of just "'$pass'". This is so that you don't store the password. When checking a user login you would do something like

select user from members where username='foo' and password=PASSWORD('bar');

Finally the {$_ARRAY['fooBar']} works just fine, and will help if you are having trouble escaping the single or double quotes in the right place.

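Added example, not part of the thread and not any poster's code: the queries above fail because a hand-assembled 17-column VALUES list carries stray `\'` sequences and never closes its parenthesis. The sketch below generates the column list and placeholders from one array and binds the values with PDO, which replaces the `mysql_*` extension (removed in PHP 7.0). `insertMember()`, the column allow-list and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the thread. insertMember() and the in-memory
// SQLite database are hypothetical stand-ins so the script runs offline.
const MEMBER_COLUMNS = ['username', 'password', 'IP', 'email', 'rank', 'last_active'];

function insertMember(PDO $db, array $row): int
{
    // Identifiers cannot be bound as parameters, so check them against an allow-list.
    $unknown = array_diff(array_keys($row), MEMBER_COLUMNS);
    if ($row === [] || $unknown !== []) {
        throw new InvalidArgumentException('Bad column set: ' . implode(', ', $unknown));
    }
    // Column list and placeholder list are generated from the same array, so
    // their counts always match and the parentheses always balance.
    $columns      = '`' . implode('`, `', array_keys($row)) . '`';
    $placeholders = implode(', ', array_fill(0, count($row), '?'));
    $stmt = $db->prepare("INSERT INTO `members` ($columns) VALUES ($placeholders)");
    $stmt->execute(array_values($row));   // values travel separately from the SQL text
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (userid INTEGER PRIMARY KEY, username TEXT,
    password TEXT, IP TEXT, email TEXT, `rank` INTEGER, last_active INTEGER)');

// Constructed sample input standing in for $_POST and $_SERVER.
$id = insertMember($db, [
    'username'    => "O'Brien \\ \"quoted\"",
    'IP'          => '127.0.0.1',
    'email'       => 'user@example.test',
    'rank'        => 4,
    'last_active' => time(),
]);

// The awkward characters round-trip unchanged with no manual escaping.
$check = $db->prepare('SELECT username FROM members WHERE userid = ?');
$check->execute([$id]);
echo $check->fetchColumn(), PHP_EOL;
```
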
LemonInflux Posted November 25, 2007

so what did PASSWORD do? I have md5 anyway?

trq Posted November 25, 2007

Do not use mysql's PASSWORD function. It is an internal function used by mysql to store passwords and not intended for use in client code.

LemonInflux Posted November 25, 2007

Okay.

LemonInflux Posted November 25, 2007

Yay, it worked (didn't use password). Topic solved!

Gamic Posted November 25, 2007

> so what did PASSWORD do? I have md5 anyway?

PASSWORD() is a mysql function that encrypts some plain text. It is used so that you don't store plain text passwords in your database. This is good for several reasons (for which I'll suggest listening to Security Now). It is perfectly acceptable for a client to use this function inside an sql query as it is not the client that resolves the function, but the server. I am not sure if md5 is just as good (but I am sure that someone will point me to a good article), but at least you are not storing passwords in plain text. But don't, for any reason, think that it is unacceptable to use something just because it is implemented in the database.

However, and this is important, I am assuming that the database client and the database server are on the same physical machine. Using a combination of some php md5() function and mysql's password() function could lead to the best compromise.

*As an aside, by thorpe's logic you should never use count(), sum() or any function in mysql just because it is an internal function used to count(numberOfrows) or sum(someColumn).

But yes, glad to hear that it's working now.

revraz Posted November 25, 2007

The con of using password is that your code is not portable. What if you update your DB to a new version and now all of a sudden none of your PW's work? md5 would be better, and sha1 even better still. Search Google for md5 vs sha1 and decide for yourself.

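Added example, not part of the thread: since these posts were written, PHP 5.5 introduced `password_hash()` and `password_verify()`, which produce salted, deliberately slow hashes, and MySQL 8.0 removed `PASSWORD()`. The sketch below checks a login against such a hash and upgrades a row that still holds a bare MD5 digest of the kind the thread's code stores. `checkLogin()`, the two-column table and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the thread. checkLogin() and the two-column
// members table in an in-memory SQLite database are hypothetical stand-ins.
function checkLogin(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                       // unknown user or empty hash column
    }
    // Legacy row: a bare 32-hex-digit MD5 digest with no salt.
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy
        ? hash_equals($stored, md5($password))      // constant-time comparison
        : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Upgrade on a successful login, the only moment the plaintext is available.
        $db->prepare('UPDATE members SET password = ? WHERE username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');

// Constructed sample rows: one legacy MD5 account, one new-style registration.
$ins = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$ins->execute(['olduser', md5('correct horse')]);
$ins->execute(['newuser', password_hash('battery staple', PASSWORD_DEFAULT)]);

var_dump(checkLogin($db, 'olduser', 'wrong guess'));     // rejected, row untouched
var_dump(checkLogin($db, 'olduser', 'correct horse'));   // accepted via MD5, then upgraded
var_dump(checkLogin($db, 'olduser', 'correct horse'));   // accepted via password_verify()
var_dump(checkLogin($db, 'newuser', 'battery staple'));

// The legacy row now holds a password_hash() string instead of the MD5 digest.
$stored = $db->query("SELECT password FROM members WHERE username = 'olduser'")->fetchColumn();
var_dump(password_get_info($stored)['algoName']);
```
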
This topic is now archived and is closed to further replies.