-3

What the hell is actually wrong with the logic behind this form ... I can't find out, just help me out and don't say that I need to make it safe with adding SQL injection measures etc. etc. ... I'll get round to that when I can actually build a god damn login/registration form ... it's like going to somebody and asking them to build a Bugatti Veyron when all they can do at the moment is build bikes.

 <?php

require 'database/connect.php';

 if (isset ($_POST['username'], $_POST['password'], $_POST['firstname'], $_POST['lastname'], $_POST['email'], $_POST['age'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $email = $_POST['email'];
    $age = $_POST['age']; 


    $result = mysqli_query($conn, "INSERT INTO user_login_details ('username','firstname','lastname','email','password','age') 
                                   VALUES ('$username', '$firstname', '$lastname', '$email', '$password', '$age' ");

    if ($result == true){

        echo "User Created Successfully" ;

    } else {

        echo "Cannot create user";



    }
  }

  ?>
  • 2
    You're open to SQL injection :-) – AbraCadaver Jan 30 '15 at 02:41
  • Explain how it misbehaves. What does `mysqli_error()` say? -- Btw, SQL escaping is less about security, and more about making things work correctly. Whoever duped you into using `mysqli` over `PDO` didn't do you any favours there. – mario Jan 30 '15 at 02:45
  • Basically, there is an error in my query as the "isset if statement" passes through the mysqli query but then the result is false so it returns the "Cannot create user". But where the living christ is this error ... like I knew programming was pretty anal, but this is actually retarded. – Tom Dunwoody Jan 30 '15 at 02:47
  • Besides John's answer, add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Jan 30 '15 at 03:03
  • I take it this ^ worked; why? – Funk Forty Niner Jan 30 '15 at 03:56

1 Answer

3

Don't use quotes around column identifiers. Use ticks or nothing at all.

// Column names unquoted; the VALUES list is closed with ")" before the end of the string.
$result = mysqli_query($conn, "INSERT INTO user_login_details (username,firstname,lastname,email,password,age) 
                               VALUES ('$username', '$firstname', '$lastname', '$email', '$password', '$age')");

Also, you don't check for errors. It's difficult to diagnose an error if you don't look for them in your code. Use mysqli_error() to see what error MySQL is reporting.

You are also wide open to SQL injections.

John Conde
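
The answer's three points (unquoted column names, checking for errors, SQL injection) applied together to the question's script, as an added example that is not code from the question or from the answer. It assumes `database/connect.php` sets `$conn` to a mysqli connection, as in the question; the `password_hash()` call and the `VARCHAR(255)` column width it needs are additions of this example.

```php
<?php
// Added example. Assumes database/connect.php (from the question) sets $conn
// to an open mysqli connection.
require 'database/connect.php';

// Make mysqli throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$fields = ['username', 'password', 'firstname', 'lastname', 'email', 'age'];
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || !is_string($_POST[$f])) {
        http_response_code(400);
        exit('Missing field');
    }
}

try {
    // Column names are unquoted identifiers. Values are placeholders, so the
    // input travels separately from the SQL text and cannot change the statement.
    $stmt = $conn->prepare(
        'INSERT INTO user_login_details
             (username, firstname, lastname, email, password, age)
         VALUES (?, ?, ?, ?, ?, ?)'
    );

    // Store a hash rather than the submitted password (assumes the password
    // column is wide enough for it, e.g. VARCHAR(255)).
    $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $age  = (int) $_POST['age'];

    $stmt->bind_param('sssssi', $_POST['username'], $_POST['firstname'],
                      $_POST['lastname'], $_POST['email'], $hash, $age);
    $stmt->execute();
    echo 'User Created Successfully';
} catch (mysqli_sql_exception $e) {
    // The full MySQL error goes to the server log; the visitor sees a generic message.
    error_log('user insert failed: ' . $e->getMessage());
    echo 'Cannot create user';
}
```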