-3

can't reach header.php???

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  $name = $_POST["firstname"];
  $lastname = $_POST["lastname"];
  $email = $_POST["email"];
  $password = $_POST["password"];
  $mobile = $_POST["mobile"];
  $office_num = $_POST["office"];

  $sql = mysqli_query($dbcon,"insert into `user_info`(`firstname`, `lastname`, `email`, `password`, `mobile`,`office_contact`) values('$name','$lastname','$email', '$password', '$mobile', $office_num)");

  if (mysqli_query($dbcon, $sql)) {
    echo "New record created successfully";
    header("Location: header.php");
  } else {
    echo "Error: " . $sql . "<br>" . mysqli_error($dbcon);
  }
}
?>

This is the error I am receiving:

Error: 1 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1' at line 1

Funk Forty Niner
S Sarker
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Nov 08 '17 at 12:33
  • 1
    **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Nov 08 '17 at 12:33
  • Yes. I'm storing password in plain text – S Sarker Nov 08 '17 at 12:36
  • 1
    @JohnConde I had to reopen the question John, they were calling `mysqli_query()` twice; that is why they're getting the `1` as the error ;-) edit: oh, and outputting before header. – Funk Forty Niner Nov 08 '17 at 13:32

1 Answer

0

The problem here is that you're using mysqli_query() twice.

$sql = mysqli_query($dbcon,"insert into... $office_num)");
       ^^^^^^^^^^^^ There

if (mysqli_query($dbcon, $sql))
    ^^^^^^^^^^^^ and there

The conditional statement is calling it again. You need to remove the first query call, which explains the 1 coming back as the error.

Your code is also prone to an sql injection; use a prepared statement:

You're also outputting before header with the following lines of code:

echo "New record created successfully"; // <<  Remove this line
header("Location: header.php");

Remove the echo statement for it and add exit; after header to avoid further execution.

Note: Make sure that the value for $office_num is indeed an integer such as 5551234 and not 555-1234. If it is the latter, you will need to wrap that variable with quotes as you did for the other string values.

Don't store plain text passwords, especially if you're going live with this.

Use password_hash() and password_verify() and please read over those manuals attentively:

Funk Forty Niner
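The fixes described in the answer and comments above (a single query call, a prepared statement, `password_hash()`, no output before `header()`, and `exit` after the redirect), put together as an added example that is not part of the original answer. The connection settings are placeholders and `create_user()` is a hypothetical helper name; the table and column names come from the question.

```php
<?php
// Added example, not the asker's or the answerer's code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: inserts one row into user_info with bound parameters.
function create_user(mysqli $dbcon, array $in): void
{
    // Hash the raw password; do not escape or otherwise alter it first.
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $dbcon->prepare(
        'INSERT INTO `user_info`
           (`firstname`, `lastname`, `email`, `password`, `mobile`, `office_contact`)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // Every value is bound as data, never as SQL, whatever it contains.
    $stmt->bind_param('ssssss', $in['firstname'], $in['lastname'], $in['email'],
        $hash, $in['mobile'], $in['office']);
    $stmt->execute(); // the query runs exactly once
    $stmt->close();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $fields = ['firstname', 'lastname', 'email', 'password', 'mobile', 'office'];
    foreach ($fields as $f) {
        if (!isset($_POST[$f]) || !is_string($_POST[$f]) || $_POST[$f] === '') {
            http_response_code(400);
            exit('Missing field: ' . $f);
        }
    }
    try {
        // Assumption: placeholder credentials, replace with your own.
        $dbcon = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
        create_user($dbcon, $_POST);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // keep SQL details out of the response
        http_response_code(500);
        exit('Could not create the account.');
    }
    header('Location: header.php'); // nothing has been echoed before this
    exit;                           // stop execution after the redirect
}
```

The `password` column has to be wide enough for the hash; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`. At login, compare with `password_verify()` against the stored hash.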