0

When I build a query string using variables in PHP, it does not seem to be working. My current query is:

$u = "admin";
$hash = password_hash("password", PASSWORD_DEFAULT);
$set_login = "INSERT INTO users (username, password) VALUES ({$u}, {$hash})";

*I am executing the query further down in the script

If I replace {$u} with the string literal it represents, and replace {$hash} with just a string literal for a password, such as password, the query works fine. However, when I introduce variables that is when it breaks. I've tried breaking up the query string and using the concatenation operator:

$set_login = "INSERT INTO users (username, password) VALUES ( " . $u . ", " . $hash . ")";

This did not work either. I then thought it might be something with the hash, so I modified the code to (for testing):

$u = "admin";
$p = "password";
$set_login = "INSERT INTO users (username, password) VALUES ({$u}, {$p})";

This did not work either.

Improve this question
4
  • 2
    use prepared statements instead Commented Apr 21, 2017 at 14:02
  • 1
    This is really bad approach in general, you should use prepared statements. BUT, try adding quotes to the query. Something like "INSERT INTO users (username, password) VALUES ('{$u}', '{$hash}')"; Commented Apr 21, 2017 at 14:03
  • Make sure the column for the password is at least 60 characters or you will have problems when trying to verify passwords. Commented Apr 21, 2017 at 14:12
  • You need to stop this bad habit of not accepting answers Commented Apr 21, 2017 at 14:39

2 Answers 2

Reset to default
1

The best solution is to use prepared statements, it's very simple.

here's how you will do it with prepared statements

mysqli 

<?php
$u = "admin";
$hash = password_hash("password", PASSWORD_DEFAULT);
$set_login = "INSERT INTO users (username, password) VALUES (?,?)";
$query = $ConnectionString->prepare($set_login);
$query->bind_param("ss",$u,$hash);

if($query){
    echo "success";
}else{

    error_log("error".$ConnectionString->error);
}

?>

PDO

<?php
$u    = "admin";
$hash = password_hash("password", PASSWORD_DEFAULT);

$query = $ConnectionString->prepare("INSERT INTO users (username, password) VALUES (?,?)")->execute(array($u,$hash));

if ($query) {
    echo "success";
} else {

    error_log("error" . $ConnectionString->errorInfo());
}

?>

Some useful resources.

PDO Connection PDO Tutorials Mysqli Prepared

NB: AS Jay have indicated in his comment make sure your password field size in the database is at least 60 Characters

In your query the problem is that you did not wrapper the strings around quotes

Your query should be:

$set_login = "INSERT INTO admin (uname, upass) VALUES ('{$u}', '{$hash}')";

But this is not the best recommended way of doing quires, you should use one of the methods above using prepared statements.

Here's why you should : Bobby Tables

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0 
INSERT INTO users (username, password) VALUES ('{$u}', '{$hash}')

Don't forget to wrap string with a quotation mark

But as mentioned in comments, it's bad idea to put data directly, use prepared statements

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.