Canit insert into my MYSQL table

Question

I am trying to make a registration form in which I have connected to the database and it can also check whether the username is unique or not but unfortunately, I can't insert the new data in my table. I would really appreciate if anyone could help me with this.

<?php
error_reporting(E_ALL ^ E_DEPRECATED);
include 'connect.inc.php'; 
if(isset($_POST['submit'])) {
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']); 
    $password2 = mysql_real_escape_string($_POST['password2']);       
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname = mysql_real_escape_string($_POST['lastname']);

    //md5 password
    $password_hash = md5($password);

    //check to see if the fields are empty
    if(empty($username) || empty($password)|| empty($firstname)|| empty($lastname)) {
        echo "Not all fields filled!<br /><br />";
        exit();
    }

    //check if password is equal

    if($password != $password2) {
        echo "Your Passwords Do Not Match.<br />";
        exit();
    } else { 
        $query = "SELECT `username` From `users` WHERE username='$username'"; 
        $result = mysql_query($query);

        if(mysql_num_rows($result) ==1) { 
            echo "Sorry, that user has already exists.";
            exit();
        } else {
            $query1= mysql_query("INSERT INTO `users` ('',username,password,firstname,lastname) VALUES ('','$username',     '$password_hash', '$firstname', '$lastname'");
            if($result1 = mysql_query($query1)) {
                echo "Registered Successfully";
            } else {
                echo "Sorry, You could not Register";           
            }
        }
    } 
} 

?>
<form action="" method="POST">
    Username:<br />
    <input type="text" name="username" /><br /><br />        

    Password:<br />
   <input type="password" name="password" /><br /><br />

    Confirm Password:<br />
    <input type="password" name="password2" /><br /><br />

    First Name:<br />
    <input type="text" name="firstname" /><br /><br />

    Last Name:<br />
    <input type="text" name="lastname" /><br /><br />

    <input type="submit" value="Register" name="submit" />
</form>

Also, please do not use mysql_* functions. See this question for more details: http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php — Michael, Jul 22 '16 at 22:35
Show your table's CREATE statement, I have a hard time believing (_as @Bailey pointed out_) that MySQL allowed you to have a nameless column. _Even if it did, I am not sure it would allow you to delimit it with single quotes either._ — Uueerdo, Jul 22 '16 at 22:53
SQL injection risk and plain text passwords? Yikes! This code should *never* be used in production! — Jay Blanchard, Jul 23 '16 at 00:38
@SheikhEmadUddin: That's not really relevant, because the beginner learning material that you're reading absolutely should not be teaching you this stuff in this manner. Indeed, because you're a beginner, you're the _worst_ person to teach it like this to!! May I ask what you are using to learn PHP? — Lightness Races in Orbit, Jul 23 '16 at 01:00
@LightnessRacesinOrbit I'm following some tutorials on youtube, I respect to everyone's opinion and suggestion here! If you have any better solution that can turn me best from worst then please give me. — , Jul 23 '16 at 01:35
@SheikhEmadUddin: Please link us to those tutorials so that we may correct them. And learn PHP from a book instead. — Lightness Races in Orbit, Jul 23 '16 at 11:22

Bill Karwin · Accepted Answer · 2016-07-23T00:52:28.877

Your INSERT statement is missing a closing parenthesis.

$query1= mysql_query("INSERT INTO ... '$lastname'");

$query1= mysql_query("INSERT INTO ... '$lastname')");
                                                 ^

By the way, I find it easier when doing a single-row INSERT to use an alternative syntax, so the column names and the value are matched up:

$query1= mysql_query("INSERT INTO `users` SET
    username='$username',
    password='$password',
    firstname='$firstname',
    lastname='$lastname'");

That's easier to make sure you have the columns matched up to the right variables. Also there's no closing parenthesis to worry about.

See http://dev.mysql.com/doc/refman/5.7/en/insert.html for details on this syntax.

You should also abandon the deprecated mysql extension, and use PDO instead. Read this nice tutorial: https://phpdelusions.net/pdo

And Jay Blanchard is correct that your code is insecure. Security, like correctness, is not an add-on feature. You mention you are a beginner, but you should not start developing bad habits. Read https://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/

msantos · Answer 2 · 2016-07-23T00:53:11.830

0

You want to probably insert the user id in the database.Define it as Autoincrement e remove the blank data from the query below:

Before:

$query1= mysql_query("INSERT INTO `users` ('',username,password,firstname,lastname) VALUES ('','$username',     '$password_hash', '$firstname', '$lastname'");

After:

$query1= mysql_query("INSERT INTO `users` (username,password,firstname,lastname) VALUES ('$username',     '$password_hash', '$firstname', '$lastname')") or die(mysql_error());

And you need also to replace the line with the code if($result1 = mysql_query($query1)) { by if($result1) {

edited Jul 23 '16 at 00:53

answered Jul 22 '16 at 22:39

msantos

691
5
6

Tried this too but it is still echoing the else result which is "Sorry, You could not Register". – Jul 22 '16 at 22:46
Could you use mysql_error() to check what is happening? – msantos Jul 22 '16 at 22:50
can you tell me where to put this? – Jul 22 '16 at 23:03
I think you need the change of line if($result1 = mysql_query($query1)) { by if($result1). Try it. – msantos Jul 22 '16 at 23:32
I actually defined it inside the if statement, should I define this variable on top? – Jul 22 '16 at 23:40
"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1" – Jul 22 '16 at 23:52
Can you print the query using echo $query1= mysql_query("INSERT INTO `users` (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname'"); – msantos Jul 22 '16 at 23:58
It is not echoing anything but giving the same error which is- "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1" – Jul 23 '16 at 00:02
echo like it "INSERT INTO users (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname'"); – msantos Jul 23 '16 at 00:03
Sorry I got your point later.. yes tired it! not echoing anything :/ echo "INSERT INTO `users` (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname'"; – Jul 23 '16 at 00:09
Sorry my bad! I put the echo statement on top of the file rather than putting it in a condition. – Jul 23 '16 at 00:49
I ve edited the answer. You forgot to close the parenthesis in the mysql insert into.Test your code now. – msantos Jul 23 '16 at 00:54
it says Registered Successfully! thank-you so much mate! I really appreciate your concern to me! stay blessed :) – Jul 23 '16 at 00:58

score 0 · Answer 3 · answered Jul 22 '16 at 22:40

0

Try using

$query1= mysql_query("INSERT INTO users (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname'");

answered Jul 22 '16 at 22:40

Israel Pinheiro

95
1
9

Tried this too but it is still echoing the else result which is "Sorry, You could not Register". – Jul 22 '16 at 22:45

Chibueze Opata · Answer 4 · 2016-07-23T00:37:29.090

0

Replace your else block with

else {
    die('Error: ' . mysql_error());
    //echo "Sorry, You could not Register";
}

From your comment, your INSERT QUERY is wrong. To find out what is wrong with your SQL query, add var_export($query1, true) with die. i.e.

die('Error: ' . mysql_error().'<br>Info: '.var_export($query1, true));

My guess is that you are still using your old query which has '' as one of the column names.

edited Jul 23 '16 at 00:37

answered Jul 22 '16 at 23:48

Chibueze Opata

9,856
7
42
65

"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1" solve this too and take my best wishes! – Jul 22 '16 at 23:57

Canit insert into my MYSQL table

4 Answers4