Having trouble using MySQLi INSERT queries

Question

Okay, so I'm updating my site from MySQL to MySQLi, which means I have to re-code some of the database stuff.

I looked on php.net on how to use MySQLi queries to insert data into a table and did exactly what they said to, but no luck.

Here's my connection variable:

$con = mysqli_connect("localhost", "username", "password", "database");

And here is the code to insert the data:

mysqli_query($con, "INSERT INTO users ('user', 'pass', 'email') VALUES ('$user', '$pass', '$email')");

It doesn't reply with any errors, and it just takes me to the intended landing page. It doesn't actually add the data to the table though.

Any ideas?

Answer 1

As answered above, removing the quotes from the column names will solve your problem:

mysqli_query($con, "INSERT INTO users (user, pass, email) VALUES ('$user', '$pass', '$email')");

But I also noted that your script is vulnerable against SQL injection attacks. In MySQLi you can prepare your statements before execution, so you will be sure that no one will inject SQL commands in your database.

If you don't want to prepare each sql statements before execution, at least use the mysqli_real_escape_string function, that will protect your system against SQL injection too. Use like that:

mysqli_query($con, "INSERT INTO users (user, pass, email) VALUES ('" . mysqli_real_escape_string($user) . "', '" . mysqli_real_escape_string($pass) . "', '" . mysqli_real_escape_string($email) . "')");

Answer 2

remove single quotes from column names

mysqli_query($con, "INSERT INTO users (user, pass, email) VALUES ('$user', '$pass', '$email')");

OR

mysqli_query($con, "INSERT INTO users (`user`, `pass`, `email`) VALUES ('$user', '$pass', '$email')");