-1

So I'm creating a simple page and I want my logins and passwords to go to the DB. Now, on the login form:

```html
<form id="form_6de933" name="validate" action="insert.php" method="post" class="login-form narrow-cols">
```

I added `action="insert.php"`, and in the insert.php file I tried to do this:

```php
<?php
$servername = "localhost";
$username = "xxx";
$password = "xxx";
$dbname = "xxx";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "INSERT INTO nametable (username, password)
('$_POST[username]','$_POST[password]')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
```

But when I click submit I get this:

Parse error: syntax error, unexpected '{' in insert.php on line 10.

So can someone help me fix this error, or am I doing something wrong?

  • 1
    just adding to the already existing answers that will solve your problem: _don't_ save plain passwords in your database. use [password_hash()](http://php.net/manual/en/function.password-hash.php) and password_validate() – Jeff Sep 14 '17 at 00:03
  • Which line is line 10? – Barmar Sep 14 '17 at 00:05
  • Often an error like this is because of a missing `;` on the line before. I don't see anything like that in your code. – Barmar Sep 14 '17 at 00:06
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Sep 14 '17 at 00:14
  • Do try and get out of the habit of cluttering up your code with needless things like `=== TRUE`. Many functions are designed to return values that evaluate as logically true or false so that's redundant. – tadman Sep 14 '17 at 00:14
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman Sep 14 '17 at 00:14
  • Besides the missing `VALUES` for the `INSERT`, what was posted will not create the parse error. You're not showing us the whole / real code and your HTML form is incomplete and we don't know if that has anything to do with all this. – Funk Forty Niner Sep 14 '17 at 00:15
  • Ok; you probably left the question. Your not saying anything suggests it, or you're waiting for a magic answer to appear. I can honestly say that the latter will NOT happen. Edit: I have closed the question. Please consult the duplicates (when you come back). – Funk Forty Niner Sep 14 '17 at 00:20

3 Answers

0

You forgot the keyword VALUES in your sql statement

```php
$sql = "INSERT INTO 
       nametable 
           (username, password)
       VALUES 
           ('$_POST[username]','$_POST[password]')";
```

Raymond Dumalaog
0

Your Insert Query is missing "VALUES":

Replace This:

```php
$sql = "INSERT INTO nametable (username, password)
('$_POST[username]','$_POST[password]')";
```

With This:

```php
$sql = "INSERT INTO nametable (username, password)
VALUES ('$_POST[username]','$_POST[password]')";
```

Also, I hope you are using this script for testing because the script is NOT secure at all.

Hope it helps, Shah

SG_Rowin
  • you're absolutely right about the security issue. Maybe you wanna add _why_ it is not secure and what can be done to make it secure? – Jeff Sep 14 '17 at 00:01
  • 1
    This is certainly true, but his code is never even executing the query because of the PHP Parse error. – Barmar Sep 14 '17 at 00:04
  • The question was not about security, it was about a script error. He didn't ask "How can I secure this"; if he did, then I would tell him how – SG_Rowin Sep 14 '17 at 00:05
  • As Barmar said, it's still not working. I'm getting the same error `Parse error: syntax error, unexpected '{' in /home/insert.php on line 10`, and line 10 is `if ($conn->connect_error) {` – Marko Fin Sep 14 '17 at 08:09
0

Replace your code:

```php
$sql = "INSERT INTO nametable (username, password)
('$_POST[username]','$_POST[password]')";
```

With this:

```php
// it would be useful to use the real_escape_string function, 
// since this is a security vulnerability in the current code
$password=$conn->real_escape_string($_POST['password']);
$username=$conn->real_escape_string($_POST['username']);
// Also you can use the SET clause instead of VALUES thing
$sql = "INSERT INTO nametable SET username='$username' , password='$password'";
```

I hope it works for you.

Soysal Tan
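
The comments on the question recommend parameterized queries with `bind_param` and storing a `password_hash()` result instead of the plain password. The following insert.php applies both; it is an added example, not code from the question or from any answer. It assumes the `password` column of `nametable` is at least `VARCHAR(255)` and reuses the question's `xxx` placeholder credentials.

```php
<?php
// Added example: hardened insert.php. Credentials are the question's "xxx" placeholders.
// Assumption: nametable.password is VARCHAR(255) so the full hash fits.

// Make mysqli throw exceptions instead of returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Reject missing or non-string input (e.g. username[]=x arrives as an array).
if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

try {
    $conn = new mysqli('localhost', 'xxx', 'xxx', 'xxx');
    $conn->set_charset('utf8mb4');

    // Store a salted one-way hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user data out of the SQL text, so no escaping is needed.
    $stmt = $conn->prepare('INSERT INTO nametable (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
    $conn->close();

    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not echo the query or driver error to the client.
    error_log('insert.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not create the record.';
}

// At login, fetch the stored hash with a prepared SELECT and compare with:
//   password_verify($submittedPassword, $storedHash)
```

Unlike the original script, this version does not print `$sql` or `$conn->error` to the browser, since those reveal table and column names to whoever submits the form.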