0

I have reviewed the code and everything appears right so I am not sure what is wrong. I keep getting the following error s1s01 1136 column count does match.

I believe I used all the correct security codes please note if I did not thank you.

 <?php
include ('wording/en-translation.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
<?php
// define variables and set to empty values
$user_nameErr = $user_emailErr = "";
$user_name = $user_email = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["user_name"])) {
    $user_nameErr = "Name is required";
  } else {
    $user_name = mysql_real_escape_string($_POST["user_name"]);
    //check if name only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z]*$/",$user_name)) {
        $user_nameErr="Only letters and white spaces allowed";
    }
  }

  if (empty($_POST["user_email"])) {
    $user_emailErr = "Email is required";
  } else {
    $user_email = mysql_real_escape_string($_POST["user_email"]);
    //check if email is well-formed
    if (!filter_var($user_email, FILTER_VALIDATE_EMAIL)) {
        $user_emailErr = "Invalid Email Format";
    }
  }

if ($_SERVER["REQUEST_METHOD"] == "POST") {
   $user_name = mysql_real_escape_string($_POST["user_name"]);
   $user_email = mysql_real_escape_string($_POST["user_email"]);
}

function mysql_real_escape_string($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
}
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <label for="user_name"><?php echo WORDING_REGISTRATION_USERNAME; ?></label>
    <input id="user_name" type="text" pattern="[a-zA-Z0-9]{2,64}" value="<?php echo $user_name; ?>" name="user_name" required />
            <span class="error">* <?php echo $user_nameErr;?></span><br>
    <label for="user_email"><?php echo WORDING_REGISTRATION_EMAIL; ?></label>
    <input id="user_email" type="email" name="user_email" value="<?php echo $user_email; ?>" required />
            <span class="error">* <?php echo $user_emailErr;?></span>
    <input type="submit" name="register" value="<?php echo WORDING_REGISTER; ?>" />
</form>
<?php
echo $user_name;
echo "<br>";
echo $user_email;
echo "<br>";
?>
<?php
$servername = "localhost";
$username = "admin";
$password = "";
$dbname = "login";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO users(user_name, user_email)
    VALUES(
    ". mysql_real_escape_string($user_name) ."',
    ". mysql_real_escape_string($user_email) ."'
    )";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";
    }
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;




?> 


</
shutterfly
  • 33
  • 2
  • 9
  • 1
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Dec 09 '15 at 19:20
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 09 '15 at 19:21
  • 1
    `function mysql_real_escape_string($data)` not a good idea, since it may very well be colliding with the real escaping function, should you want to use all mysql_ functions. – Funk Forty Niner Dec 09 '15 at 19:21
  • 1
    You're mixing `mysql_*` and PDO functions. That won't work. – Jay Blanchard Dec 09 '15 at 19:21

1 Answers1

0

You're generating broken SQL, by having completely WRONG quoting on your values:

$sql = "INSERT INTO users(user_name, user_email)
VALUES(
". mysql_real_escape_string($user_name) ."',
                                          ^---start sql string
". mysql_real_escape_string($user_email) ."'
                                           ^---end of sql string
)";

That means you're generating

INSERT INTO users (user_name, user_email) VALUES (Bob, 'bob@example.com')
                                                   ^--unknown field

you're also mixing mysql libraries, which is flat out IMPOSSIBLE, and you're vulnerable to sql injection attacks.

In short, this code is totally cargo-cult programming, and you really need to sit back and learn PHP properly.

Marc B
  • 356,200
  • 43
  • 426
  • 500
  • Thanks everyone I was trying to follow w3c and I guess they are not up to date. I'll go back through and fix it comparing to php.net. thank you again for all the pointers. – shutterfly Dec 09 '15 at 22:38