MYSQL PHP inserting into table

Question

<?php
$conn= new mysqli("localhost", "my_user", "my_password", "world"); //changed for the sake of this question

$username = $_POST['Username'];
$password = sha1($_POST['Password']);
$email = $_POST['Email'];
$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];

$insert = 'INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES ("'.$firstname.'", "'.$lastname.'", "'.$email.'", "'.$username.'", "'.$password.'", 'User');';

$result = $conn->query($insert);

?>
<form method='post' action='regprocess.php'>
<fieldset class="register">
<h2>Register</h2>
<ul>
    <li><label for="FirstName">First Name: </label> <input type="text" name="FirstName" id="FirstName"></li>
    <li><label for="LastName">Last Name: </label> <input type="text" name="LastName" id="LastName"></li>
    <li><label for="Email">Email: </label><input type="email" name="Email" id="Email"></li>
    <li><label for="Username">Username: </label><input type="text" name="Username" id="Username"></li>
    <li><label for="Password">Password: </label><input type="password" name="Password" id="Password"></li>
    <li><input type="submit" value="Register"></li>
</ul>
</fieldset></form>

The form and the top sql code are in separate files.

Hello everybody, I'm trying to insert into an mysql table, and it won't insert into my table. I'm trying to get it to insert through a registration table. And I'm not quite sure why it's not working. Some insight would be great. If you need me to provide the table I will, but I don't think it's part of the reason it's not working.

Answer 1

It's a good thing you're using mysqli, but you're using it incorrectly and are exposing yourself to a number of very serious SQL injection bugs, the consequences of which could be severe.

This is what you should be doing to actually fix the numerous problems present in your example:

$stmt = $conn->prepare('INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES (?,?,?,?,?,?)');

$stmt->bind_param($firstname, $lastname, $email, $username, $password, 'User');
$stmt->execute();

$result = $stmt->get_result();

The primary advantage of placeholders is not having to worry about how to properly quote data, it's done for you automatically. It also largely avoids having to use two different kinds of quotes within your statement.

If you do not use placeholders for ANY and ALL data being put into your SQL you may end up in serious trouble. You must be vigilant about this.

Answer 2

As an advice, always use " from the start to the end of the sql query text;

$insert = 'INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES ("'.$firstname.'", "'.$lastname.'", "'.$email.'", "'.$username.'", "'.$password.'", 'User');';

put it like:

$insert = "INSERT INTO User(`FirstName`, `LastName`, `Email`, `Username`, `Password`, `Type`) VALUES ('$firstname', '$lastname', '$email', '$username', '$password', 'User');";

In your query, you had 'User' and you need to escape the ' as \'

And dont forget to always sanitize your content before adding it to the database

Answer 3

I don't know PHP. I will try helping you with MySQL though.

I think there is a problem with quotation marks in the insert query.

Try removing single quotes from your values clause.

Answer 4

Your last parameter value is in single quotes. Replace with double quotes so that it reads ..."'.$password.'", "User");';