PHP/MySQL Insert into Database not working

Question

I tried everything I could to fix the link of code but everything I tried gave me a white screen I know that this line of code is the only code is the only one that has a syntax error and the rest of the code is 100% fine. I am trying to insert name, email, password from a Form using $_POST and with md5 hashing for the password.

$link = connect to mySQL Database

$query="INSERT INTO 'users' ('name', 'email', 'password')
VALUES(
'".mysqli_real_escape_string($link, $_POST['name'])"',
'".mysqli_real_escape_string($link, $_POST['email'])."',
 '".md5(md5($_POST['email']).$_POST['password'])."')";

a start would be `hash('sha512', $password)` but even better would be http://php.net/manual/en/function.password-hash.php. Ofcourse you could somehow use `md5()` to hash the password before going trough one of the others — SuperDJ, Aug 21 '15 at 19:48
You don't quote column/table names, those should be backticks. `INSERT INTO \`users\` (\`name\`, \`email\`, \`password\`)`. — chris85, Aug 21 '15 at 19:52
possible duplicate of [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) — chris85, Aug 21 '15 at 19:55
possible duplicate of [PHP Parse/Syntax Errors; and How to solve them?](http://stackoverflow.com/q/18050071) — mario, Aug 21 '15 at 20:13
@JimGarrison I'm missing the injection hole here I think, what is it? — chris85, Aug 21 '15 at 20:49
Any time you construct a SQL query from user-provided strings you run a risk of SQL injection (no matter how well you supposedly "clean up" the strings). This is 100% avoidable using [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php). — Jim Garrison, Aug 21 '15 at 23:49
@JimGarrison do you know we could use prepared statements in this strip of code? — m17, Aug 21 '15 at 23:55
I've posted a prepared example. I don't use `mysqli` i've always used `PDO` with prepared statements so thanks for the note on `mysqli_real_escape` being vulnerable @JimGarrison. — chris85, Aug 22 '15 at 01:20
@JimGarrison even prepared statements aren't a 100% safe. There is even a stackoverflow post about it — SuperDJ, Aug 22 '15 at 07:54

Berriel · Answer 1 · 2015-08-21T19:53:30.220

0

You missed a dot:

$query="INSERT INTO users (name, email, password) 
        VALUES('" . mysqli_real_escape_string($link, $_POST['name']) . "', '" . mysqli_real_escape_string($link, $_POST['email']) . "', '" . md5(md5($_POST['email']) . $_POST['password']) . "')";

edited Aug 21 '15 at 19:53

answered Aug 21 '15 at 19:47

Berriel

12,659
4
43
67

Parse error: syntax error, unexpected T_ELSE, expecting ',' or ';' in /home/sites/testdomain.io/html/index.php on line 30 – m17 Aug 21 '15 at 19:53

score 0 · Answer 2 · answered Aug 21 '15 at 19:53

0

query="INSERT INTO `users` (`name`, `email`, `password`)
    VALUES(
    '".mysqli_real_escape_string($link, $_POST['name'])"',
    '".mysqli_real_escape_string($link, $_POST['email'])."',
     '".md5(md5($_POST['email']).$_POST['password'])."')";

answered Aug 21 '15 at 19:53

volkinc

2,143
1
15
19

score 0 · Answer 3 · answered Aug 21 '15 at 19:53

Try the following:

$name = mysqli_real_escape_string($link, $_POST['name']);
$email = mysqli_real_escape_string($link, $_POST['email']);
$password = hash('sha512', md5( md5( $_POST['email'] ).$_POST['password'] ) );

$query = "INSERT INTO `users` (`name`, `email`, `password`) VALUES('$name','$email', '$password')";

Note the backticks around table and column names. Also note the difference in echoing the following:

echo 'hashed: '.hash('sha512', md5( md5( $_POST['email'] ).$_POST['password'] ) ).'<br>md5(): '.md5( md5( $_POST['email'] ).$_POST['password'] );

score 0 · Accepted Answer · answered Aug 21 '15 at 19:58

Why don't you make it simple instead? Something like:

$name  =   mysqli_real_escape_string($link, $_POST['name']);
$mail  =   mysqli_real_escape_string($link, $_POST['email']);
$pass  =   md5(md5($_POST['email']).$_POST['password']);

$query="INSERT INTO `users` (`name`, `email`, `password`) VALUES('$name','$mail', '$pass')";

score 0 · Answer 5 · answered Aug 21 '15 at 20:55

0

In the first line of VALUES() you've missed a point.

Incorrect:

'".mysqli_real_escape_string($link, $_POST['name'])"',

Correct:

'".mysqli_real_escape_string($link, $_POST['name'])."',

answered Aug 21 '15 at 20:55

Martin Joó

325
1
11

score 0 · Answer 6 · answered Aug 22 '15 at 01:12

Here's a rough (untested) sample of how your statement could look as a prepared statement.

$stmt = mysqli_prepare($link, 
"INSERT INTO `users` (`name`, `email`, `password`) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sss', $_POST['name'], $_POST['email'], md5(md5($_POST['email']).$_POST['password']));
//mysqli_stmt_execute($stmt); //<--to execute query, use where you execute

Here's the manual's reference on it, http://php.net/manual/en/mysqli-stmt.bind-param.php.

PHP/MySQL Insert into Database not working

6 Answers6