
I am facing a problem, which is mentioned as follows.

ERROR: Could not able to execute 
INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('jayesh vyas', 'jay', ::1). 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near '::1)' at line 1.

My code is mentioned below.

<?php
$link = mysqli_connect("localhost", "root", "", "apptitude");
$ip_user = $_SERVER['REMOTE_ADDR'];
// Check connection
if($link == false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// Escape user inputs for security
$uname = mysqli_real_escape_string($link, $_REQUEST['uname']);
$username = mysqli_real_escape_string($link, $_REQUEST['username']);

// attempt insert query execution
$sql = "INSERT INTO user_db (Name,UserId,Ip_addr) VALUES ('$uname', '$username', " . $ip_user . ")";
if(mysqli_query($link, $sql)){
    echo "Records added successfully.";
} else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}

// close connection
mysqli_close($link);
?>

Can anyone please help me to understand why it happened?

Thanks in advance.

  • Don't forget to change your password – Strawberry Mar 02 '17 at 19:36
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). Accidentally unescaped data is a serious risk. – tadman Mar 02 '17 at 19:38
  • Using placeholder values would immediately fix this problem because it's an escaping issue. – tadman Mar 02 '17 at 19:38
  • Turn it into a prepared statement with binds and it'll fix it http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – clearshot66 Mar 02 '17 at 19:46

1 Answer

Your SQL statement is missing single quotes around the IP address. So, as you did it for $user and $username, just use it again on $_SERVER['REMOTE_ADDR'] (after connecting to the MySQL server): $ip_user = mysqli_real_escape_string($link, $_SERVER['REMOTE_ADDR']);. And as tadman said, please use prepared statements.

Btw. $_SERVER['REMOTE_ADDR'] must not be the client's IP address. Take a look at this Post.

Kyoya
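The fix the answer and comments describe, written out as an added example (not code from the asker or the answerer): the same INSERT as a mysqli prepared statement, using the table, columns and connection values from the question; the `mysqli_report` setting and the IP validation step are additions assumed here.

```php
<?php
// Added example: prepared-statement version of the INSERT from the question.
// Throw exceptions on mysqli errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = mysqli_connect("localhost", "root", "", "apptitude");

// REMOTE_ADDR is filled in by the web server. On a local test it can be the
// IPv6 loopback literal ::1, which is exactly what broke the unquoted
// interpolation in the question ("... near '::1)'").
$ip_user  = $_SERVER['REMOTE_ADDR'] ?? '';
$uname    = $_REQUEST['uname'] ?? '';
$username = $_REQUEST['username'] ?? '';

// Validate the address before storing it (IPv4 or IPv6); reject anything else.
if (filter_var($ip_user, FILTER_VALIDATE_IP) === false) {
    http_response_code(400);
    exit("Invalid client address.");
}

// Placeholders keep user data out of the SQL text: no quoting, no escaping,
// and no injection through uname/username. Ip_addr is assumed to be a
// string column wide enough for an IPv6 address (45 characters).
$sql  = "INSERT INTO user_db (Name, UserId, Ip_addr) VALUES (?, ?, ?)";
$stmt = mysqli_prepare($link, $sql);
mysqli_stmt_bind_param($stmt, "sss", $uname, $username, $ip_user);
mysqli_stmt_execute($stmt);

echo "Records added successfully. Rows affected: " . mysqli_stmt_affected_rows($stmt);

mysqli_stmt_close($stmt);
mysqli_close($link);
```

With `MYSQLI_REPORT_STRICT` enabled, a failed prepare or execute raises `mysqli_sql_exception`, so the failure branch from the original script is no longer needed.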