1

I keep getting the following error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(''),'','','','','')' at line 3

My code can be seen below:

//Insert statement into the Users table with the values posted from the form
$sql="INSERT INTO Users (Username, Password, Forename, Surname, Email, `Post Code`, `Phone Number`)
VALUES
('$_POST[username]', md5.('$_POST[password]'),'$_POST[fore]','$_POST[sur]','$_POST[email]','$_POST[postcode]','$_POST[phone]')";
jarlh
DrivingFail
  • Can you show us $sql's contents? – jarlh Mar 18 '16 at 16:09
  • `md5` will be interpreted as string and not a function by PHP – Rizier123 Mar 18 '16 at 16:09
  • md5 works on my other PHP files so it might just be the way I have declared it here, also what do you mean by the sql contents? Sorry, I'm new to PHP – DrivingFail Mar 18 '16 at 16:11
  • Your code is open to SQL Injection. Read here how to fix: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Johan Mar 18 '16 at 16:12
  • First, make sure that $_POST is what you think it is. Then follow Johan's advice, which will fix both your md5 issue and any quoting issues you might run into. – aynber Mar 18 '16 at 16:13
  • Yeah I understand the security flaws, this is just a small project for my college course, no need to go over the top with security my lecturer said just in this example work – DrivingFail Mar 18 '16 at 16:13
  • Then check the quotes within the $_POST variable too. $_POST[username] is not correct, $_POST['username'] might be. – Johan Mar 18 '16 at 16:14

2 Answers

0

Found the problem, I needed to md5 my password before the sql statement, silly me! Works now anyway, thanks to anyone who tried to help xD

DrivingFail
0

Your quotes are missing!
$_POST[username] is correct only if username is defined like this:

define ('username', 'username');

Also: md5() is a function, not an object; please refer to the manual here

You should try as follows (don't be afraid to make your code clearer to read):

// Read each field with a quoted key; fall back to an empty string if it is missing
$username = isset($_POST['username']) ? $_POST['username']      : '';
$password = isset($_POST['password']) ? md5($_POST['password']) : '';
$fore     = isset($_POST['fore'])     ? $_POST['fore']          : '';
$sur      = isset($_POST['sur'])      ? $_POST['sur']           : '';
$email    = isset($_POST['email'])    ? $_POST['email']         : '';
$postcode = isset($_POST['postcode']) ? $_POST['postcode']      : '';
$phone    = isset($_POST['phone'])    ? $_POST['phone']         : '';

// Every value sits inside its own pair of single quotes
$sql="INSERT INTO Users (Username, Password, Forename, Surname, Email, `Post Code`, `Phone Number`)
VALUES
('$username','$password','$fore','$sur','$email','$postcode','$phone')";
Halayem Anis
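
A parameterized version of the INSERT discussed on this page, which is what the comments about SQL injection and quoting point towards; it is an added example, not code from any of the posters. Assumptions: PDO with an in-memory SQLite database stands in for MariaDB so the script runs offline, `registerUser()` is a hypothetical helper, the sample input is constructed in place of `$_POST`, and `password_hash()` is swapped in for `md5()`.

```php
<?php
// Added example: parameterized INSERT for the Users table from the question.
// Assumption: in-memory SQLite stands in for MariaDB so the script runs offline;
// against MariaDB only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (Username TEXT, Password TEXT, Forename TEXT,
    Surname TEXT, Email TEXT, `Post Code` TEXT, `Phone Number` TEXT)');

// Hypothetical helper: stores one submitted form as a row in Users.
function registerUser(PDO $pdo, array $post): void
{
    // Read each field with a quoted key and an empty-string default.
    $fields = ['username', 'password', 'fore', 'sur', 'email', 'postcode', 'phone'];
    $in = [];
    foreach ($fields as $f) {
        $in[$f] = isset($post[$f]) ? (string) $post[$f] : '';
    }
    // password_hash() replaces md5() here (a substitution made in this example).
    $in['password'] = password_hash($in['password'], PASSWORD_DEFAULT);

    // Placeholders keep the SQL text fixed; the values are bound separately,
    // so quotes inside them cannot change the statement's syntax.
    $stmt = $pdo->prepare(
        'INSERT INTO Users (Username, Password, Forename, Surname, Email, `Post Code`, `Phone Number`)
         VALUES (:username, :password, :fore, :sur, :email, :postcode, :phone)'
    );
    $stmt->execute($in);
}

// Constructed sample input standing in for $_POST. The quotes and parentheses
// in these values would break a query built by string interpolation.
$samplePost = [
    'username' => "o'brien",
    'password' => 'correct horse',
    'fore'     => "Anne-Marie ('Annie')",
    'sur'      => "O'Brien",
    'email'    => 'annie@example.test',
    'postcode' => 'AB1 2CD',
    'phone'    => '01234 567890',
];
registerUser($pdo, $samplePost);

// Each check prints bool(true) when the row was stored exactly as submitted.
$row = $pdo->query('SELECT Username, Forename, Password FROM Users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['Username'] === "o'brien");
var_dump($row['Forename'] === "Anne-Marie ('Annie')");
var_dump(password_verify('correct horse', $row['Password']));
```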