
What's wrong with that code? It keeps refusing to create the account.

$query = "
    INSERT INTO `accounts`(`username`, `dispname`, `email`, `password`, `type`, `blocked`, `points`)
    VALUES ($disname,$username,$email,$password,1,false,0)";        
$result = mysql_query($query);
if($result){
    $Registered = "You have registered successfully.";
} else {
    $ERROREMAIL = "There Were an Error Registering your email, please contact our support.";    
}

I am totally confused.

By the way this is the structure of the database, hopefully someone helps.

CREATE TABLE `accounts` (
  `id` int(11) NOT NULL,
  `username` varchar(255) DEFAULT NULL,
  `dispname` varchar(255) NOT NULL DEFAULT 'someone',
  `email` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  `type` int(10) NOT NULL,
  `blocked` tinyint(1) NOT NULL DEFAULT '0',
  `points` int(10) NOT NULL
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

ALTER TABLE `accounts`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `username` (`username`);

ALTER TABLE `accounts`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT,AUTO_INCREMENT=2;
marc_s
Slavi
  • 2
    Missing the `quotes` for values. `VALUES ('$disname','$username','$email','$......` – Sougata Bose Dec 23 '15 at 12:24
  • 6
    It doesn't seem to matter how many times we repeat the words "MySQL deprecated" or "Switch to MySQLi or PDO and use prepared statements/bind variables", nobody ever seems to listen – Mark Baker Dec 23 '15 at 12:33
  • 1
    @MarkBaker, I'd listen, I just want a solution. – Slavi Dec 23 '15 at 12:36
  • 4
    Then listen.... stop using the old MySQL extension (which isn't even available in the latest versions of PHP), and switch to using MySQLi or PDO; use prepared statements with bind variables; and you'll not only eliminate the need to escape your string values and reduce the risk of SQL injection against your database, you won't need to remember to quote strings in SQL statements either – Mark Baker Dec 23 '15 at 12:40
  • $connection = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME); also mysqli_query($connection, $query); – Slavi Dec 23 '15 at 12:43
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 23 '15 at 12:45
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Dec 23 '15 at 12:45
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 23 '15 at 12:46
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Dec 23 '15 at 12:47
  • Although a change to MySQLi or PDO might take more changes, in the long term it's worth it. At least it won't bite back in the nearest future. – Andrew Dec 23 '15 at 12:48

4 Answers

2

Try this Query:

$query = "INSERT INTO `accounts` 
(`username`, `dispname`, `email`, `password`, `type`, `blocked`, `points`) 
VALUES ('$disname','$username','$email','$password',1,0,0)";

What changed?

  • Added single quotes around the string variables.
  • Also changed the value of the blocked column to 0.
devpro
1

OP's comment:

"$connection = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME); also mysqli_query($connection, $query); – Ahmed Alaa 1 hour ago"

2 things wrong here. You're connecting with mysqli_ then querying with mysql_.

$result = mysql_query($query);

which should read as

$result = mysqli_query($connection, $query);

Those different APIs do NOT intermix. You must use the same one from connecting to querying.

Then, missing quotes around your variables (for strings) in values.

VALUES ($disname,$username,$email,$password,1,false,0)";

which should read as:

('$disname','$username','$email','$password',1,false,0)

But that leaves you open to SQL injection.


Consult the following links, http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php, and apply that to your code during testing.

This does not help you during testing in order to get the real error(s):

else {
    $ERROREMAIL = "There Were an Error Registering your email, please contact our support.";
}

This will:

else {
    echo "Error: " . mysqli_error($connection);
}

You can set it back to your original method once there are no more errors.

Community
Funk Forty Niner
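
Added example (not part of any answer on this page, and not the posters' code): the same INSERT written as a PDO prepared statement, as the comments recommend. Named placeholders tie each value to its column, which removes the quoting problem and the order slip in the question's query, where `$disname` lines up with the `username` column. The in-memory SQLite database, the `createAccount` helper and the sample values are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the original thread.
// Assumption: an in-memory SQLite table stands in for the MySQL `accounts`
// table so the script runs offline; for MySQL only the DSN changes, e.g.
// new PDO("mysql:host=$DBHOST;dbname=$DBNAME;charset=utf8", $DBUSER, $DBPASS).
$pdo = new PDO('sqlite::memory:');
// Throw exceptions on SQL errors instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE accounts (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(255) UNIQUE,
    dispname VARCHAR(255) NOT NULL DEFAULT 'someone',
    email VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL,
    type INT NOT NULL,
    blocked TINYINT NOT NULL DEFAULT 0,
    points INT NOT NULL
)");

// Hypothetical helper: returns true on success, false if the username is taken.
function createAccount(PDO $pdo, $username, $dispname, $email, $password)
{
    $stmt = $pdo->prepare(
        "INSERT INTO accounts (username, dispname, email, password, type, blocked, points)
         VALUES (:username, :dispname, :email, :password, 1, 0, 0)"
    );
    try {
        return $stmt->execute([
            ':username' => $username,
            ':dispname' => $dispname,
            ':email'    => $email,
            // Store a salted hash, never the plain-text password.
            ':password' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate username).
        if (substr((string) $e->getCode(), 0, 2) === '23') {
            return false;
        }
        throw $e; // any other error should surface during testing
    }
}

// Constructed sample input: the apostrophe would break a hand-quoted query.
var_dump(createAccount($pdo, "obrien", "Pat O'Brien", "pat@example.com", "s3cret")); // first insert
var_dump(createAccount($pdo, "obrien", "Someone Else", "else@example.com", "pw"));   // duplicate username
```

At login, check the submitted password against the stored hash with `password_verify()` rather than comparing strings.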
0

You need to pass strings as strings, not as integers.

Try this:

$query = "
INSERT INTO `accounts`(`username`, `dispname`, `email`, `password`, `type`, `blocked`, `points`)
VALUES ('$disname','$username','$email','$password',1,false,0)"; 
Danyal Sandeelo
0

Thanks to you all.

Solution is as it is.

Updating your PHP version to PHP 7_0_0. Updating phpMyAdmin to 4_5_2. Updating MySQL to 5_6_27.

Update the usage of old mysql -> PDO.

Slavi