-1

I have a PHP form that is telling me I have errors in my SQL syntax upon submission. However, I'm coming up blank, as the same form and PHP work on another site that is hosted through the same provider, though on a different server:

Here is some of the php (the suspected problem area):

    $sql = mysql_query("INSERT INTO members (name, email, password, streetadd, city, state, zip, phone, ext)
    VALUES('$name', '$email', '$password', '$streetadd', '$city', '$state', '$zip', '$phone', '$ext')")
    or die (mysql_error());
    $id = mysql_insert_id();

    mkdir("members/$id", 0755);

If any more code is needed, let me know. I'd appreciate it if someone could let me know where I am going wrong. Perhaps my knowledge is becoming outdated and I need to relearn MySQL and PHP, but I think this should be working.

Nathan
  • Use PDO! http://php.net/manual/en/ref.pdo-mysql.php Protect yourself from injections. – Bogdan Burym Oct 30 '12 at 14:30
  • Use PDO or at least mysqli... Oh, and the error that mysql_error() gives you is... – Brian Oct 30 '12 at 14:30
  • Did you forget the closing `)` at the end of your VALUES? – Joshua Dwire Oct 30 '12 at 14:30
  • @jdwire, no sorry, it's there. I accidentally deleted it while posting on SO – Nathan Oct 30 '12 at 14:32
  • You are using [an obsolete database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also exposing yourself to [SQL injection attacks](http://bobby-tables.com/) that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 30 '12 at 14:32
  • Ok, so I am getting a bit outdated here apparently. I do appreciate it Bogdan, Brian and Quentin, I'll have some reading to do! Will my current code not function with mysql? – Nathan Oct 30 '12 at 14:35
  • Could you add the exact error message you're getting to the question? – andrewsi Oct 30 '12 at 14:39
  • If you get this code working and put it live, you're *asking* to get hacked. This is so recklessly unsafe it's really not a good idea to fix it. It takes all of thirty minutes to pick up PDO and use it effectively. You should make that a top priority. – tadman Oct 30 '12 at 14:44

2 Answers

3

You are missing a parenthesis at the end after '$ext':

    $sql = mysql_query("INSERT INTO members (name, email, password, streetadd, city, state, zip, phone, ext)
    VALUES('$name', '$email', '$password', '$streetadd', '$city', '$state', '$zip', '$phone', '$ext')")
    or die (mysql_error());
    $id = mysql_insert_id();

    mkdir("members/$id", 0755);

Another thing is you could have one of these fields be an int or some other number, and those quotes might be a problem. Post the table's schema if you want more help; the query seems fine really.

Iznogood
  • thanks, I noticed that thanks to jdwire's comment; I actually deleted it when editing the 8 space deal for posting code. Good eye though and thanks! In the functioning script it is present. – Nathan Oct 30 '12 at 14:34
  • Then please post the error message, as vague as it must be. Also make sure your table matches these fields. – Iznogood Oct 30 '12 at 14:35
0

I don't know if the problem comes from here, but your query is incomplete, you forgot to close the parenthesis:

Try this:

    $sql = mysql_query("INSERT INTO members (name, email, password, streetadd, city, state, zip, phone, ext)
    VALUES('$name', '$email', '$password', '$streetadd', '$city', '$state', '$zip', '$phone', '$ext');")
    or die (mysql_error());

But as people said in comments, you should not use this old method. PDO is better with prepared statements (it is more secure). Or at least use mysqli.

Bgi
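
The PDO prepared-statement approach recommended in the comments and in the answer above, applied to the question's `members` insert. This is an added example, not code from the thread or its participants. Assumptions: an in-memory SQLite database so the script runs offline, a constructed table and form values, and the hypothetical helper name `addMember`; the password hashing step is also an addition.

```php
<?php
// Added example, not code from this thread. Assumption: in-memory SQLite so it
// runs offline; for MySQL swap the DSN, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // exceptions instead of die()

// Constructed table using the column names from the question.
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
    password TEXT, streetadd TEXT, city TEXT, state TEXT, zip TEXT, phone TEXT, ext TEXT)');

function addMember(PDO $pdo, array $form, $baseDir)
{
    // Named placeholders keep the SQL text fixed; the values are bound as data.
    $stmt = $pdo->prepare(
        'INSERT INTO members (name, email, password, streetadd, city, state, zip, phone, ext)
         VALUES (:name, :email, :password, :streetadd, :city, :state, :zip, :phone, :ext)'
    );
    $stmt->execute(array(
        ':name'      => $form['name'],
        ':email'     => $form['email'],
        // Store a hash, never the raw password (addition beyond the original post).
        ':password'  => password_hash($form['password'], PASSWORD_DEFAULT),
        ':streetadd' => $form['streetadd'],
        ':city'      => $form['city'],
        ':state'     => $form['state'],
        ':zip'       => $form['zip'],
        ':phone'     => $form['phone'],
        ':ext'       => $form['ext'],
    ));
    $id = (int) $pdo->lastInsertId();
    // $id comes from the database as an integer, so the path holds no user input.
    $dir = "$baseDir/$id";
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("Could not create $dir");
    }
    return $id;
}

// Constructed sample input: the apostrophe would end the quoted string early in
// an interpolated query and cause a syntax error; here it is stored as-is.
$form = array('name' => "Pat O'Brien", 'email' => 'pat@example.com',
    'password' => 'constructed-sample', 'streetadd' => '1 Main St', 'city' => 'Springfield',
    'state' => 'IL', 'zip' => '62701', 'phone' => '555-0100', 'ext' => '12');
$id = addMember($pdo, $form, sys_get_temp_dir() . '/members_demo');

$check = $pdo->prepare('SELECT name FROM members WHERE id = ?');
$check->execute(array($id));
echo "Inserted member $id, stored name: ", $check->fetchColumn(), "\n";
```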