0

I'm trying to insert variables from $_GET into a MySQL Database. I am a noob and I can't figure out what is wrong with it! The code runs and it outputs the user and userid added to table but when I check in phpMyAdmin

    $username = "username";
    $password = "password";
    $host = "host";
    $database = "database";
    $input_username = $_GET["username"];
    $input_userId = $_GET["userId"];
    mysql_connect($host,$username,$password);
    mysql_select_db($database) or die("Couldn't select database: " . $database);
    $sql = "INSERT INTO  users( UserId ,  Username )        VALUES('$_GET['userId']','$_GET['username']');";
    echo "Username: " . $input_username . ", UserId: " . $input_userId ." added to table.";
    mysql_close();

EDIT: I altered the code to fit the replied answers but now I get this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in PAGEPATH on line 10

Adam S.

3 Answers

2

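You didn't execute the query! Add:

    // Keep the connection handle so it can be passed to mysql_query().
    $db = mysql_connect($host, $username, $password);
    mysql_select_db($database) or die("Couldn't select database: " . $database);

    // Escape the request values before placing them in the SQL string.
    // The key is "userId", as in the question's code (array keys are case-sensitive).
    $userId = mysql_real_escape_string($_GET["userId"]);
    $userName = mysql_real_escape_string($_GET["username"]);

    $sql = "INSERT INTO users (UserId, Username)
            VALUES ('" . $userId . "','" . $userName . "');";

    // Actually run the INSERT; building $sql alone does nothing.
    mysql_query($sql, $db);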
Tosx
  • The “vulnerability” is irrelevant to the original question. The question of SQL injection is a non-issue in this small script. Who cares? – Giacomo1968 Dec 29 '13 at 20:11
  • You're right JakeGould it's why I just answer the basic question :) – Tosx Dec 29 '13 at 20:13
  • 1
    downvote will be harsh but @PeteR right. if OP doesn't realise now, he never will. – itachi Dec 29 '13 at 20:13
  • “if OP doesn't realise now, he never will.” EXACTLY! Let the original poster learn. If they can’t even run the query they will never understand larger concepts. – Giacomo1968 Dec 29 '13 at 20:15
  • @JakeGould: Yes, you are quite right. Why should I, or anyone else, actually give a crap? It's not my site, downvote retracted. – The Blue Dog Dec 29 '13 at 20:15
  • This will be a bit more safe @Adam S – Tosx Dec 29 '13 at 20:23
1

Try this. I have removed the ; and added mysql_query($sql);

    <?php
    $username = "sd";
    $password = "asd";
    $host = "sad";
    $database = "asd";

    $input_username = $_GET["username"];
    $input_userId = $_GET["userId"];

    mysql_connect($host, $username, $password);
    mysql_select_db($database) or die("Couldn't select database: " . $database);

    // Inside a double-quoted string the array key is written without quotes.
    // The key is userId, the same (case-sensitive) key read above.
    $sql = "INSERT INTO users (UserId, Username)
            VALUES ('$_GET[userId]','$_GET[username]')";
    // Run the INSERT on the open connection.
    mysql_query($sql);

    echo "Username: " . $input_username . ", UserId: " . $input_userId . " added to table.";
    mysql_close();
    ?>
Adam S.
Muhammad Rashid
1

Well, if you want to use such vulnerable code, your SQL must look like:

    // Request values are concatenated into the statement unescaped.
    $sql = "INSERT INTO users (UserId, Username)
            VALUES ('" . $_GET["userId"] . "','" . $_GET["username"] . "');";
    mysql_query($sql, $db);
MillaresRoo
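
The answers above place `$_GET` values into the SQL string, and the question's script printed "added to table" without running the query. The following is an added example, not code from the thread: it inserts into the same `users (UserId, Username)` table with a PDO prepared statement and reports success only when a row was actually written. Assumptions: PDO with an in-memory SQLite database standing in for the MySQL server, the hypothetical function names `openDemoDb` and `addUser`, and constructed sample requests.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with the pdo_sqlite
// driver and an in-memory database stands in for the MySQL server, so this
// runs offline. For MySQL only the DSN and credentials change.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (UserId INTEGER PRIMARY KEY, Username TEXT NOT NULL)');
    return $pdo;
}

// Inserts one row from request parameters; returns true only if a row was written.
function addUser(PDO $pdo, array $params): bool
{
    $userId   = filter_var($params['userId'] ?? null, FILTER_VALIDATE_INT);
    $username = trim((string) ($params['username'] ?? ''));
    if ($userId === false || $username === '') {
        return false; // reject missing or malformed input before touching the database
    }
    // Placeholders keep the values out of the SQL text, so a quote in the
    // input cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO users (UserId, Username) VALUES (:id, :name)');
    try {
        $stmt->execute([':id' => $userId, ':name' => $username]);
    } catch (PDOException $e) {
        return false; // e.g. duplicate UserId
    }
    return $stmt->rowCount() === 1;
}

$pdo = openDemoDb();
// Constructed sample requests standing in for $_GET.
$requests = [
    ['userId' => '7',   'username' => "O'Brien"], // apostrophe in the value
    ['userId' => 'abc', 'username' => 'mallory'], // non-numeric id
    ['userId' => '8'],                            // missing username
    ['userId' => '7',   'username' => 'dup'],     // id already present
];
foreach ($requests as $get) {
    printf("%s => %s\n", json_encode($get), addUser($pdo, $get) ? 'added to table' : 'not added');
}
// The stored value is the literal input, apostrophe included.
foreach ($pdo->query('SELECT UserId, Username FROM users') as $row) {
    printf("row: %d %s\n", $row['UserId'], $row['Username']);
}
```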