0

I have the following PHP script for registering a user

<?php

require_once "setting.php";
extract($_REQUEST);

$link = mysqli_connect($dbHost, $dbUser, $dbPass, $dbName);

if (mysqli_connect_errno()){
    echo "Connection failed".mysqli_connect_error();
}

$initQuery = "SELECT * FROM users WHERE email = ".$email;
$initResult = mysqli_query($link, $initQuery);

$dbResults = mysqli_fetch_array($initResult, MYSQLI_ASSOC);

if($dbResults == null ){
    echo('in the if statement');

    $userId = uniqid();
    echo($userId);

    $query = "INSERT INTO users(email, password, userId) VALUES ($email, $password, $userId )";
    echo($query);

    $addResult = mysqli_query($link, $query);
    echo($addResult);
}

mysqli_free_result($initResult);
mysqli_free_result($addResult);
mysqli_close($link);
?>

The second mysqli_query is not adding a user, I've checked the syntax of the sql statement and it works fine. Does anyone have any ideas?

Also I was thinking about maybe trying to write a mysqli_multi_query to run both queries. I've read that the multi_query will return false if the first query fails, is there any way to have it execute the second query if the first one fails and not execute the second query if the first one succeeds?

Mike F

4 Answers

1

For the love of God, at least put the string values inside quotes if not use prepared statements

"INSERT INTO users(email, password, userId) VALUES ($email, $password, $userId)"

Is invalid. Those string values should be inside quotes

"INSERT INTO users(email, password, userId) VALUES ('$email', '$password', '$userId')"

Please read this before you implement the solution given above:

How can I prevent SQL injection in PHP?

At the very least, please escape the values with mysqli_real_escape_string

Hanky Panky
  • I thought that if I was using variables, I was not supposed to put them in quotes? – Mike F Jun 13 '14 at 05:29
  • You still do for MySQL. PHP variables are unknown to MySQL only the value is and if the value is a string, it needs to be in quotes – Hanky Panky Jun 13 '14 at 05:30
  • It is now entering email, password and userId with quotation marks. Does that matter? Can I make an adjustment somewhere to avoid them? Thank you in advance for the advice. – Mike F Jun 13 '14 at 16:07
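
The prepared-statement approach recommended in the answer above, applied to the registration script from the question. This is an added example, not code from the question or its answers. It assumes setting.php defines $dbHost, $dbUser, $dbPass and $dbName as in the question, that the users table has the three columns shown there, and that its password column is wide enough to hold a hash; the function name registerUser is hypothetical.

```php
<?php
// Added example. Assumes setting.php and the users(email, password, userId)
// table from the question; registerUser() is a hypothetical helper name.
require_once "setting.php";

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function registerUser(mysqli $link, string $email, string $password): ?string
{
    // The ? placeholder keeps the value out of the SQL text: no quoting, no escaping.
    $check = mysqli_prepare($link, "SELECT 1 FROM users WHERE email = ?");
    mysqli_stmt_bind_param($check, "s", $email);
    mysqli_stmt_execute($check);
    mysqli_stmt_store_result($check);
    $exists = mysqli_stmt_num_rows($check) > 0;
    mysqli_stmt_close($check);
    if ($exists) {
        return null; // email already registered, nothing inserted
    }

    $userId = uniqid();
    // Store a hash, never the plain password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $insert = mysqli_prepare($link, "INSERT INTO users (email, password, userId) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($insert, "sss", $email, $hash, $userId);
    mysqli_stmt_execute($insert);
    mysqli_stmt_close($insert);
    return $userId;
}

// Read only the fields this script expects instead of extract($_REQUEST),
// which would let a request parameter overwrite variables such as $dbHost.
$email = filter_input(INPUT_POST, "email", FILTER_VALIDATE_EMAIL);
$password = filter_input(INPUT_POST, "password");
if (!$email || !is_string($password) || $password === "") {
    http_response_code(400);
    exit("Invalid email or password");
}

$link = mysqli_connect($dbHost, $dbUser, $dbPass, $dbName);
$userId = registerUser($link, $email, $password);
mysqli_close($link);
echo $userId === null ? "Email already registered" : "Registered";
```

Because the existence check and the insert are two separate statements, a UNIQUE index on users.email is still needed to stop two simultaneous requests from registering the same address.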
0

Hope this works:

$query = "INSERT INTO users (email, password, userId) VALUES ('$email', '$password', '$userId')";

Give a space after the table name and put all the variables in single quotes. :)

UPDATE

Space is not mandatory to give, but would be good for better coding :)

prava
0

Try to put the values inside quotes.

$query = "INSERT INTO users(email, password, userId) VALUES ('$email', '$password', '$userId' )";

To understand why quotes are mandatory, I give an example :). MySQL supports SELECT from another table for inserted values like in the code below:

INSERT INTO users (email, password, userId) 
VALUES
((SELECT email FROM user_info WHERE id = '$userId'),'$password','$userId')
mihutz
0
  1. Use quotes for your values.

    $query = "INSERT INTO users(email, password, userId) VALUES ('$email', '$password', '$userId' )";

    $addResult = mysqli_query($link, $query);

  2. If you are facing an error, then use the die function to get the error detail.

    $addResult = mysqli_query($link, $query) or die(mysqli_error($link));

It will show you the error also.

Vivek