1

I'm trying to create a sign up page for a website using PHP and PHPMyAdmin. I have set 2 fields in the form needed for registration: email and password, with password confirmation.

Both of them are treated as string in PHP and as varchar in database. I don't know why, but everytime the user insert email and password and confirm, the new user is being inserted in database, but with email and password as 0 insted their real value. I'm sure that email and password values inside the PHP variables are correct, because i printed to output their content immediatly before the mysqli query, so i'm assuming that is a database problem.

I'm currently using Wamp Server for Windows 8 and PHPMyAdmin 4.1.14. Database is of type InnoDB and with latin_swedish_ci characters. The query used in PHP is:

"INSERT INTO users (email,password) VALUES (email = '$email', password = '$password')"

using mysqli_query for the execution.

Isaac Bennetch
  • 11,830
  • 2
  • 32
  • 43
Matz92
  • 21
  • 3
  • 1
    yeah it's a syntax problem! Now everything works fine.. thank you all for your help, i choose Fred answer for it's completeness.. I already use mysqli escape but i dind't post here the full code :) – Matz92 Oct 13 '14 at 20:29
  • @MatteoPotestà Glad I could help Matteo, *cheers* – Funk Forty Niner Oct 13 '14 at 20:43

3 Answers3

7

Instead of doing column equals variable, do:

VALUES ('$email','$password')

if an INSERT is indeed what you wish to use.

that syntax VALUES (email = '$email', password = '$password') is for when you want to check if a column equals something, when using a WHERE clause for example.

WHERE email = '$email'

or

WHERE email = '$email' AND password = '$password'

when doing an UPDATE as another example:

UPDATE table_name SET email = '$email', password = '$password'  
WHERE column_x='something'

or, when doing a SELECT as another example:

SELECT * FROM table_name  
WHERE column_x = 'something' OR column_y = 'something else'
  • Sidenote: OR can be replaced by AND, depending on the desired query.

Yet, when you do fix it, that present method is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.

  • Look into those, you will be glad you did.

A basic example to prevent SQL injection is:

$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);

Error checking sidenote:

Add error reporting to the top of your file(s) which will help during production testing.

error_reporting(E_ALL);
ini_set('display_errors', 1);

and or die(mysqli_error($con)) to mysqli_query() while replacing $con with your DB connection variable.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
2

Matteo - also, you should consider parameterizing your php syntax to prevent SQL injections. Better to do it now than to have to come back to it later. You can find an explanation of the concepts here; https://stackoverflow.com/questions/25316766/understanding-parameterized-queries-and-their-usage-in-preventing-sql-injections

Community
  • 1
  • 1
Kimomaru
  • 993
  • 4
  • 14
  • 30
0
INSERT INTO users (email,password) VALUES ('$email', '$password')

you don't need column name after VALUES. You have already specified it after table name.

By the way, you may want to look at php prepared statement

Ayush choubey
  • 606
  • 6
  • 23