I am trying to edit a SQL database from a Cordova app. I have this PHP code:

```php
<?php
$servername = "localhost";
$username = "user1";
$password = "example";
$dbname="users";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
$name = "'".$_POST["name"]."'";
$pass = "'".$_POST["password"]."'";
$email = "'".$_POST["email"]."'";
$x = $conn->query("INSERT INTO USERS(Name, Password, email) VALUES ($name, $pass, $email)");
if ($x) {
    echo "OK";
} else {
    echo "No";
}
echo $name;
echo '<br>';
echo $pass;
echo '<br>';
echo $email;
?>
```

Every time I want to do this action, the PHP prints on the screen the following message:

```text
Connected successfully
No
'abcd'
'abcd'
'abc@email'
```

The message above is printed by the echo calls I wrote. I see that the $name, $pass and $email variables are received from my form and the connection is made successfully, but the "No" message means the data was not inserted into the database.

halfer
alex hang
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 30 '17 at 12:03
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 30 '17 at 12:03
  • Have you checked your error logs? – Jay Blanchard Mar 30 '17 at 12:04
  • Try backticks on your columns – Rotimi Mar 30 '17 at 12:04
  • It often helps to echo the actual query before executing it. – DYZ Mar 30 '17 at 12:04
  • @JayBlanchard Sir, how can I see the error log? I'm only a beginner, just 17 years old – alex hang Mar 30 '17 at 12:19
  • Alex, after your query, try `echo $conn->error` [as per these docs](https://secure.php.net/mysqli_error). – halfer Mar 30 '17 at 12:23
  • The error log is on your web server and you should have access to it. It is only a text file but knowing where it is and how to read it will save you from years of coding problems. – Jay Blanchard Mar 30 '17 at 12:24
  • @Jay, is it missing the quotes? It looks like they have been incorporated into the strings prior to injecting them. – halfer Mar 30 '17 at 12:25
  • Oh wow @halfer - I completely missed that. Not enough coffee in my system yet, I suppose. What a strange way to code this. – Jay Blanchard Mar 30 '17 at 12:27
  • Thank you very much to all! Now it's working :) – alex hang Mar 30 '17 at 12:30
  • How did you fix it? – Jay Blanchard Mar 30 '17 at 12:31
  • It seems that the web hosting service I use does not support this type of quote ( ' ). The only ones that work are these quotes: ( ` ). – alex hang Mar 30 '17 at 12:33
  • That doesn't make sense. Where did you use those quotes, around the values? – Jay Blanchard Mar 30 '17 at 12:36
  • Around the table name – alex hang Mar 30 '17 at 12:45
  • That's odd, `users` is not a [reserved word in MySQL](https://dev.mysql.com/doc/refman/5.7/en/keywords.html), but `user` is - I wonder if the lack of space in your `USERS(` was responsible? We'd need the database error message anyway to find out. – halfer Mar 30 '17 at 15:28
  • Anyway, don't put this live - you are risking your users' security if you do so. As indicated there are two very serious vulnerabilities here. – halfer Mar 30 '17 at 15:29
  • If you want some examples of how to run SQL safely, and how to store passwords safely, see [my tutorial here](http://ilovephp.jondh.me.uk/). – halfer Mar 30 '17 at 15:36
  • @halfer Thank you sir, this will help me a lot – alex hang Mar 30 '17 at 15:46
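As an added example, not code from the question or from any of the commenters, here is the insert rewritten along the lines the comments suggest: mysqli error reporting so a failed query surfaces the server's message instead of a bare "No", a prepared statement so the submitted values never become part of the SQL text, and `password_hash()`/`password_verify()` instead of storing the password as typed. It assumes the question's connection details and `USERS` table (with a `Password` column wide enough for a hash, e.g. VARCHAR(255)), a hypothetical JSON response for the Cordova app, and constructed sample inputs for the command-line demonstration. The first function reproduces the question's string building only to show what a quote in the input does to the statement.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code or any answer on the page). Assumes the
// question's connection details and a `USERS` table with columns Name, Password
// and email, where Password can hold a password_hash() string (VARCHAR(255)).

// --- 1. What the question's string building does with a quote in the input ---
// Only builds the SQL text, so it runs without a database.
function buildUnsafeInsert(string $name, string $pass, string $email): string
{
    $n = "'" . $name . "'";
    $p = "'" . $pass . "'";
    $e = "'" . $email . "'";
    return "INSERT INTO USERS(Name, Password, email) VALUES ($n, $p, $e)";
}

// --- 2. The same insert with a prepared statement and a hashed password ---
function connect(): mysqli
{
    // Throw on every MySQL error instead of returning false: a failed INSERT now
    // surfaces the server's message (what `echo $conn->error` would show) rather
    // than a bare "No". Default from PHP 8.1; made explicit for older versions.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli('localhost', 'user1', 'example', 'users');
    $conn->set_charset('utf8mb4');
    return $conn;
}

function registerUser(mysqli $conn, string $name, string $password, string $email): int
{
    // Hash the password exactly as submitted: no escaping, trimming or other
    // "cleansing" first, otherwise password_verify() later sees a different string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user data out of the SQL text entirely; table and column
    // names are backtick-quoted, as in the asker's fix.
    $stmt = $conn->prepare('INSERT INTO `USERS` (`Name`, `Password`, `email`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $hash, $email);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

function checkLogin(mysqli $conn, string $name, string $password): bool
{
    $stmt = $conn->prepare('SELECT `Password` FROM `USERS` WHERE `Name` = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($hash);          // works without mysqlnd, unlike get_result()
    $found = ($stmt->fetch() === true);
    $stmt->close();
    // Compare against the stored hash, never against a plaintext column.
    return $found && password_verify($password, $hash);
}

// --- 3. Entry point: the Cordova app POSTs name/password/email here ---
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: application/json');
    $name = $_POST['name'] ?? '';
    $password = $_POST['password'] ?? '';
    $email = $_POST['email'] ?? '';
    if ($name === '' || $password === '' || $email === '') {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => 'missing field']);
        exit;
    }
    try {
        $id = registerUser(connect(), $name, $password, $email);
        echo json_encode(['ok' => true, 'id' => $id]);
    } catch (mysqli_sql_exception $e) {
        // Keep the real reason in the server log; do not echo it, or the submitted
        // values, back to the client as the question's script did.
        error_log('register failed: ' . $e->getMessage());
        http_response_code(500);
        echo json_encode(['ok' => false]);
    }
    exit;
}

// Run from the command line: show the quoting problem on constructed input.
// A plain apostrophe already breaks the statement; an attacker-chosen value
// rewrites it (the trailing "-- " comments out the rest of the original SQL).
foreach (["O'Brien", "x', 'pw', 'x@y') -- "] as $constructedName) {
    echo buildUnsafeInsert($constructedName, 'abcd', 'abc@email'), PHP_EOL;
}
```

Run from the CLI it prints the two statements the unsafe builder produces, one syntactically broken and one rewritten by the input; deployed behind a web server it answers the app's POST with JSON. With MYSQLI_REPORT_STRICT enabled, the MySQL message that was hidden behind the original "No" ends up in the server error log, which is where the commenters suggested looking.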
