0

Basicly I have an Register Page where you can register an Account for a Game with an Serial Key. Im checking if the Key that got typed in is in the Database.

$keyquery = mysql_query("SELECT * FROM keys WHERE key = '$_POST[key]' AND used = '$used'") or die(mysql_error());
if(!$row = mysql_fetch_array($keyquery) or die(mysql_error()))
{
//key works
}
else
{
//key doesnt work
}

Now if im trying to register an account, I get an error.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'keys WHERE key = '1234' AND used = '0" at line 1

potashin
  • 44,205
  • 11
  • 83
  • 107
Darkenn
  • 25
  • 4
  • 5
    `keys` and `key` are [reserved words](https://dev.mysql.com/doc/refman/5.5/en/keywords.html). Surround them in back ticks. – ImClarky Mar 22 '16 at 12:34
  • 1
    Without mentionning the huge SQL injection possibilities here... – Martin Verjans Mar 22 '16 at 12:35
  • 1
    You might take a look at your code and use `mysql_real_escape_string` for the `$_POST`. e.g. `mysql_real_escape_string($_POST["key"])`. Your current code is full vulnerable to SQL Injections – node_modules Mar 22 '16 at 12:37

1 Answers1

4

key is a reserved word in MySQL, you should escape it with backticks `.

$keyquery = mysql_query("SELECT * FROM `keys` WHERE `key` = '$_POST[key]' AND `used` = '$used'") or die(mysql_error());
potashin
  • 44,205
  • 11
  • 83
  • 107