PHP not inserting into MySQL database

Question

I am currently having difficulty understanding why the following script returns success back to the browser but doesn't actually insert the data into the database. I know I am using the old MySQL instructions but I doubt this should be creating this problem. Thanks in Advance Alistair

<?php

ob_start();
$host="localhost"; // Host name 
$username="XXXXXX"; // Mysql username 
$password="XXXXXXXXXXXXXXXXXXX"; // Mysql password 
$db_name="XXXXXXXX"; // Database name 
$tbl_name="XXXXXXXXXX"; // Table name 

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define Variables
$myusername=$_POST['username']; 
$password1=$_POST['password1']; 
$password2=$_POST['password2']; 
$emailadd=$_POST['emailadd']; 

if($password1==$password2){
    //Ecnrypt Password Using SHA512
    $password1 = hash("sha512", $password1);
}

else {
    //Passwords don't match return user to form with parameter
    header("location:adduser.php?pwnomatch");
}

//Check user doesn't already exist
$sqlcheckuser="SELECT * FROM $tbl_name WHERE username='$username'";
$result1=mysql_query($sqlcheckuser);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result1);

//If user exists redirect back to login form
if($count==1){
    header("location:adduser.php?userexist");
}

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($myusername);
$password1 = stripslashes($mypassword);
$emailadd = stripslashes($emailladd);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$emailadd = mysql_real_escape_string($emailladd);
$sqlinsertuser="INSERT INTO $tbl_name ('username', 'password', 'emailaddress' VALUES ($username, $password1, $emailadd)";
mysql_query($sqlinsertuser);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result2);

// Register user then redirect to "viewuser.php" with success parameter
header("location:viewuser.php?success");

ob_end_flush();
?>

SQL Injections, here I come. :) – hjpotter92 Mar 23 '13 at 11:46 — hjpotter92, Mar 23 '13 at 11:46

score 3 · Accepted Answer · edited May 23 '17 at 11:49

3

INSERT INTO $tbl_name ('username', 'password', 'emailaddress' VALUES ($username, $password1, $emailadd)

You have no closed your bracket on the column names. So your query should look like:

INSERT INTO $tbl_name (`username`, `password`, `emailaddress`) VALUES ($username, $password1, $emailadd)

Something I did not notice in my original post; You have used quotes instead of backticks.

Quotes in queries normally represent a string, backticks are explained here:

Using backticks around field names

edited May 23 '17 at 11:49

Community

1
1

answered Mar 23 '13 at 11:44

Daryl Gill

5,464
9
36
69

2

I didn't downvote, but if I had, it would be because inverted commas are not backticks – Strawberry Mar 23 '13 at 11:49
Of course, inverted commas are still useful where strings are concerned, but with +4 votes to your name, who cares? ;-) – Strawberry Mar 23 '13 at 12:14

score 1 · Answer 2 · answered Mar 23 '13 at 11:47

You have a lot of errors in your query string. It should be

$sqlinsertuser="INSERT INTO $tbl_name (`username`, `password`, `emailaddress` )
        VALUES( '$myusername', '$mypassword', '$emailadd' )";

Notice the use of backticks instead of apostrophe for passing the field names. And usage of the quote marks instead inside VALUES.

You are using wrong variables inside the query.

PHP not inserting into MySQL database

2 Answers2