
10-11-2009
A Toddler - Don't be Fooled!
Join Date: Mar 2006
Location: Whangarei, New Zealand
Age: 20
Posts: 7
Rep Power: 0
SQL Query error, but why is that piece of data showing?
Hi,
I'm having a bit of trouble figuring this one out. I think I know why the query was failing but I would really like to know where a certain value came from seeing as it's the password field.
Array ( [email] => [pass] => [pass_confirm] => [f_name] => a [lname] => s [address_1] => [address_2] => [suburb] => [city] => [submit] => Register )
Error in query: INSERT INTO tblUser (userID,fName, lName, email, password, addressLine1,addressLine2, suburb, city, country, phone) VALUES ( ,,,,P@ssw0rd,,,,,,). You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',,,P@ssw0rd,,,,,,)' at line 1
Now, in the database there is no default set for that field at all, nor are we in an authenticated session. The variable $_POST['pass'] has been changed, so even if the password was still lingering there from a login (which I think it doesn't) it would have been changed.
The code for this page:
PHP Code:
<?php
print_r($_POST);
$f_name = "";
$l_name = "";
$email = "";
$pass = "";
$address_1 = "";
$address_2 = null;
$suburb = "";
$city = "";
$country = "";
$phone = "";
if (isset($_POST['f_name']) || isset($_POST['lname'])) {
    // form submitted
    // check for required values
    if (empty($_POST['f_name'])) {
        die ("ERROR: Please enter username!");
    }
    if (empty($_POST['lname'])) {
        die ("ERROR: Please enter surname!");
    }
    include('db_connect.php');
    $query = "INSERT INTO tblUser (userID,fName, lName, email, password, addressLine1,addressLine2, suburb, city, country, phone) VALUES( "
        .NULL.","
        .$f_name.","
        .$l_name.","
        .$email.","
        .$pass.","
        .$address_1.","
        .$address_2.","
        .$suburb.","
        .$city.","
        .$country.","
        .$phone.")";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Create Account</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="stylesheet.css" />
</head>
<body>
<div id="container">
<div id="header"><?php include('banner.php'); ?></div>
<div id="menu">
<ul id="tabs">
<li> <strong> <span class="text">Home</span> </strong> </li>
</ul>
</div>
<div id="wrapper">
<table width="100%" cellspacing="3" cellpadding="3" border="5" align="center" style="width: 760px;">
<tr><td><h1>Create Account</h1> <p>Please fill in all details required below.</p></td></tr>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);?>">
<tr><td> Email: <input type="textbox" name="email" /></td></tr>
<tr><td>Password: <input type="password" name="pass" /></td></tr>
<tr><td>Confirm: <input type="password" name="pass_confirm" /></td></tr>
<tr><td>First names: <input type="textbox" name="f_name" /></td></tr>
<tr><td>Surname: <input type="textbox" name="lname" /></td></tr>
<tr><td>Address: <input type="textbox" name="address_1" /></td></tr>
<tr><td><input type="textbox" name="address_2" /></td></tr>
<tr><td>Suburb: <input type="textbox" name="suburb" /></td></tr>
<tr><td>City: <input type="textbox" name="city" /></td></tr>
<tr><td><input type="submit" name="submit" value="Register"></td></tr>
</form>
</table>
</div>
<br>
<div id="footer"><p>Here it goes the footer</p></div>
</div>
</body>
</html>
Any insights or comments would be appreciated. I will be looking into filtering my inputs later and hashing my passwords. 
It's strange as the test user has the password stored in plaintext as P@ssw0rd. Not sure why that would be showing in the error message.
Edvardo

12-30-2009
Toddler
Join Date: Jun 2009
Posts: 5
Rep Power: 0
Re: SQL Query error, but why is that piece of data showing?
$pass is set somewhere inside db_connect.php, which is overriding the $pass = "" you set before including the connection file.

12-30-2009
Toddler
Join Date: Jun 2009
Posts: 5
Rep Power: 0
Re: SQL Query error, but why is that piece of data showing?
Also in your query, and the actual reason for the error, you need to surround text values with apostrophes.
PHP Code:
// NULL is written inside the SQL string; PHP's own NULL would concatenate as an empty string
$query = "INSERT INTO tblUser (userID,fName, lName, email, password, addressLine1,addressLine2, suburb, city, country, phone) VALUES( NULL,'"
    .$f_name."','"
    .$l_name."','"
    .$email."','"
    .$pass."','"
    .$address_1."','"
    .$address_2."','"
    .$suburb."','"
    .$city."','"
    .$country."','"
    .$phone."')";

01-15-2010
FourSeventy Team
Join Date: May 2005
Location: Lakewood, CO
Age: 20
Posts: 467
Rep Power: 0
Re: SQL Query error, but why is that piece of data showing?
This:
Code:
$query = "INSERT INTO tblUser (userID,fName, lName, email, password, addressLine1,addressLine2, suburb, city, country, phone) VALUES( "
.NULL.","
.$f_name.","
.$l_name.","
.$email.","
.$pass.","
.$address_1.","
.$address_2.","
.$suburb.","
.$city.","
.$country.","
.$phone.")";
To this:
Code:
$query = "INSERT INTO tblUser (`userID`,`fName`, `lName`, `email`, `password`, `addressLine1`, `addressLine2`, `suburb`, `city`, `country`, `phone`)
VALUES('','$f_name','$l_name','$email','$pass','$address_1','$address_2','$suburb','$city','$country','$phone')";

03-10-2010
Toddler
Join Date: Mar 2010
Location: Maryland
Posts: 24
Rep Power: 0
Re: SQL Query error, but why is that piece of data showing?
I believe that it is because you haven't surrounded the 'P@ssword' (or whatever it was) with single quotes (''). For this reason, SQL is probably seeing the @ sign in your query and freaking out.
Still, it's just a guess.
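
The two causes named in the replies (a $pass set inside db_connect.php overriding the page's own variable, and unquoted values concatenated into the INSERT) can be removed together. The following is an added example, not code from any poster in this thread: db_connect() and register_user() are hypothetical names, and an in-memory SQLite database (pdo_sqlite assumed available) stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not the thread's code. SQLite in memory stands in for MySQL;
// db_connect() and register_user() are hypothetical names.

function db_connect(): PDO
{
    // Local to this function: cannot overwrite the calling page's $pass.
    $user = null;   // MySQL account name would go here
    $pass = null;   // MySQL account password would go here
    $pdo = new PDO('sqlite::memory:', $user, $pass,
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE tblUser (userID INTEGER PRIMARY KEY AUTOINCREMENT,
        fName TEXT NOT NULL, lName TEXT NOT NULL,
        email TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    return $pdo;
}

function register_user(PDO $pdo, array $post): int
{
    foreach (['f_name', 'lname', 'email', 'pass'] as $field) {
        if (empty($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    // Placeholders keep values out of the SQL text, so there is no quoting to
    // forget and the statement text never contains user data or a password.
    $stmt = $pdo->prepare('INSERT INTO tblUser (fName, lName, email, password)
                           VALUES (:fName, :lName, :email, :password)');
    $stmt->execute([
        ':fName'    => $post['f_name'],
        ':lName'    => $post['lname'],
        ':email'    => $post['email'],
        ':password' => password_hash($post['pass'], PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

$pass = '';   // page-level variable, as in the original form handler
$pdo  = db_connect();
// Constructed sample submission; the surname contains an apostrophe.
$form = ['f_name' => 'a', 'lname' => "O'Neil", 'email' => 'a@example.test', 'pass' => 'pw'];
$id = register_user($pdo, $form);
var_dump($id, $pass === '');   // new row id; whether page-level $pass survived
try {
    register_user($pdo, $form);   // same email again: UNIQUE constraint fails
} catch (PDOException $e) {
    error_log($e->getMessage());     // detail goes to the server log
    echo "Registration failed.\n";   // the browser gets a generic message
}
```

Against MySQL only the DSN and the two credential variables in db_connect() change; the prepared statement and the error handling stay the same.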