0

im trying to insert a user to the databse nd its returning an error.

Code: 

                    //Add User To Database
                if(isset($_POST['add_user'])){
                    $uuid = $_POST['uuid'];
                    $fullname = $_POST['fullname'];
                    $email = $_POST['email'];
                    $securitykey = $_POST['security-key'];
                    $password = $_POST['password'];
                    $phone = $_POST['phone'];
                    $activated = $_POST['activated'];
                    $role = $_POST['role'];

                         //All Fields Entered
                         //Convert Password to MD5
                         $password = md5($password);
                         //Split Full Name
                         list($firstname, $lastname) = explode(' ', $fullname);

                         //Convert Security Key To Caps Lock
                        $securitykey = strtoupper($securitykey);

                         //Insert Details into Database
                         $sqlQuery = ("INSERT INTO list_users (uuid, password, email, security_key, firstname, lastname, phone_no, activated, role) 
                         VALUES ($uuid, $password, $email, $securitykey, $firstname, $lastname, $phone, $activated, $role)");

                         if($sqlLink->query($sqlQuery) === TRUE){
                             alert("This user has been added to the database. Thanks!");
                         }else{
                            alert("Whoops, there was an error adding this user: " . $sqlLink->error);
                         }


                }

Database: Database Structure

Error Message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com, FFGT, test, test, 0777777777, 0, superadmin)' at line 2

Form:

                                        <?php
                                    //Add new user
                                    echo "<form action='control.php' method='POST'>";
                                    echo "<tr>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='uuid' type='text' class='form-control' placeholder='UUID'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false'' name='fullname' type='text' class='form-control' placeholder='Full Name'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='email' type='text' class='form-control' placeholder='Email'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='security-key' type='text' class='form-control' placeholder='Access Key'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' autocomplete='off' name='password' type='password' class='form-control' placeholder='Password'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='phone' type='text' class='form-control' placeholder='Phone No.'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='activated' type='number' min='0' max='1'class='form-control' placeholder='0'></div></td>";
                                    echo "<td><div class='input-group'><input autocomplete='false' name='role' type='text' class='form-control' placeholder='Role'></div></td>";
                                    echo "<td><button name='add_user' type='submit' class='btn btn-sm btn-info'><i class='fa fa-plus'></i> Add User</button></td>";
                                    echo "</tr>";
                                    echo "</form>";

                                    ?>
Joosh
  • 136
  • 1
  • 9

2 Answers2

1

values that are string need to be sigle quoted in sql query. Integers can be not quoted but if they are it not matters, Something like:

$sqlQuery = ("INSERT INTO list_users (uuid, password, email, security_key, firstname, lastname, phone_no, activated, role) 
                     VALUES ('$uuid', '$password', '$email', '$securitykey', '$firstname', '$lastname', '$phone', '$activated', '$role')");
fico7489
  • 7,931
  • 7
  • 55
  • 89
  • 1
    This is still incorrect. Unless all of those columns are VARCHARs. And it's STILL wrong to do it this way. – durbnpoisn Oct 25 '15 at 18:07
  • durbnpoisn you are not right. Integers can be in single quotes. Why is this wrong way ???? If you have in mind security you are writing rubbish. This is not post about SQL INJECTION and SECURITY!!!! What if I am using php for private crawlers and there is no need for securing queries?!?!?!? – fico7489 Oct 25 '15 at 18:10
  • @fico7489 because what if the user has a `'` in their lastname? For example: O'Charley. That will break your query. durbnpoisn is referring to using prepared statements –  Oct 25 '15 at 18:20
0

change

($uuid, $password, $email, $securitykey, $firstname, $lastname, $phone, $activated, $role)");

to

('$uuid', '$password', '$email', '$securitykey', '$firstname', '$lastname', '$phone', '$activated', '$role')");

It's not good idea to do this in this way. Please read about SQL INJECTION and SQL ESCAPE STRING.

pigmej
  • 169
  • 5
  • You are writing rubbish. This is not post about SQL INJECTION!!!! I am using php for private crawler and there is no need for securing queries. – fico7489 Oct 25 '15 at 18:12
  • @fico7489 **you** might be using php for a private crawler but the OP doesn't seem to be –  Oct 25 '15 at 18:16
  • You see that user not using php fraework, so his code is probaby not secured for crsf, brute force passwords, hash pass etc. an he only want his code to work you don't need to write on every raw php script -> use framework, secure queries, hash passwords bla bla..... – fico7489 Oct 25 '15 at 18:20
  • Is this what you mean then i should do: – Joosh Oct 25 '15 at 19:05
  • $uuid = mysqli_real_escape_string($sqlLink, $_POST['uuid']); – Joosh Oct 25 '15 at 19:05