0

I'm trying to insert $_POST data that I have stored in variables to be stored in my database. The connection to the database is fine, however, I'm getting the following error

Error: INSERT INTO users (user_id, password, bankpin, auth, ip) VALUES ('sadasd', 'asdasd', '3434', '324234', '76.68.85.19')

So far I've tried inserting single and double quotes in various places such as around the table name and fields, however, I receive the same error.

Here is my php code:

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO users (user_id, password, bankpin, auth, ip) VALUES ('$user_id', '$password', '$bankpin', '$auth', '$ip')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
Dharman
  • 30,962
  • 25
  • 85
  • 135
Joshua Brown
  • 91
  • 1
  • 9
  • 5
    You should use prepared statements with parameters instead of substituting variables, to protect against SQL-injection. – Barmar Oct 21 '19 at 06:39
  • What is the Output of `$conn->error`? – Jens Oct 21 '19 at 06:40
  • What happens if you copy the query and execute it by hand? – Barmar Oct 21 '19 at 06:40
  • what is `user_id` column ? that is string? – Jervz09 Oct 21 '19 at 06:43
  • There is no output from $conn->error. Also if I copy the query by hand it doesn't work in my phpMyAdmin. The format is different, however, that format returns the same result as I previously posted. user_id is type varchar and is being passed a string. – Joshua Brown Oct 21 '19 at 06:44
  • 4
    @JoshuaBrown *it doesn't work* means you get an error message? If yes, post it here – Jens Oct 21 '19 at 06:45
  • I like the security features, storing *user_id, password, bankpin* together is probably not a good idea. – Nigel Ren Oct 21 '19 at 06:50
  • Can you show your Table Structure – Amanjot Kaur Oct 21 '19 at 06:57
  • "it doesn't work" sounds pretty strange. Are you sure that there is no error message? – Nico Haase Oct 21 '19 at 07:41
  • The bank pin is _probably_ an integer, not a string. That said, MySQL allows numbers to be enclosed in string, so this should not be the problem you encounter. Can you edit your question and include the definition of table `user`? (The CREATE TABLE statement.) That should clear it up quickly. – alexis Oct 21 '19 at 07:49
  • How do you initialize `$conn`? Does it _really_ return `TRUE` on success (and not the number of inserted rows, for example)? You have a very strict equality test `===` in your code. – alexis Oct 21 '19 at 07:52
  • [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Oct 21 '19 at 08:33

1 Answers1

-2

user is type of integer, so pass $userid without quotes.

Try this

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = "INSERT INTO users (user_id, password, bankpin, auth, ip) VALUES ($user_id, '$password', '$bankpin', '$auth', '$ip')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
Abhishek Gupta
  • 109
  • 1
  • 7