
I am trying to read and write to a database. Here is the code I have so far:

$mysql = mysqli_connect("example.com", "johndoe", "abc123"); // replace with actual credentials
$username = mysqli_real_escape_string("username");
$sql = "CREATE DATABASE IF NOT EXISTS dbname";
if (!mysqli_query($mysql, $sql)) {
    echo "Error creating database: " . mysqli_error($mysql);
}
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_close($mysql);
$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname"); // replace with actual credentials
$sql = "CREATE TABLE IF NOT EXISTS Users(ID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY(ID), username CHAR(15), password CHAR(15), email CHAR(50))";
if (!mysqli_query($mysql, $sql)) {
    echo "Error creating table: " . mysqli_error($mysql);
}
$sql = "INSERT INTO Users(username, password, email) VALUES(" . $username . ", " . $password . ", " . $email . ")";
if (!mysqli_query($mysql, $sql)) {
    echo "Error: " . mysqli_error($mysql);
}
mysqli_close($mysql);

However, when I try to run it, it has an error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , )' at line 1

Could anybody tell me how to fix this?

3 Comments

  • Would like to, but where is there a MySQL_real_escape_string in this program? Commented Feb 28, 2014 at 5:26
  • It's spelled "escape", not "excape". :) Commented Feb 28, 2014 at 5:34
  • oops, sorry that was a typo. Commented Feb 28, 2014 at 5:35

4 Answers


mysqli_real_escape_string requires the connection parameter too...

$username = mysqli_real_escape_string($mysql,"username");


Use prepared statements: http://hu1.php.net/mysqli_prepare they automatically escape the params...

Btw. the params in your last sql are not properly escaped and concatenated.


Rewrite your second SQL query like this..

$sql = "INSERT INTO Customers(`username`, `password`, `email`) VALUES ('$username','$password','$email')";

The problem was there was improper escaping.

Sidenote: Switching to PreparedStatements is even better to ward off SQL Injection attacks!

1 Comment

@inf3rno, I agree. Sidenote added.
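The two answers above recommend prepared statements without showing one. Here is the question's INSERT rewritten with mysqli prepared statements, as an added example that is not part of the question or any answer; host, user, password and database name are the same placeholders the question uses, and the table layout is the one the question creates.

```php
<?php
// Added example (not from the question or any answer): the INSERT from the
// question as a mysqli prepared statement. Placeholders for the connection
// values are the same ones the question uses.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently, so a
// failed query cannot be mistaken for a successful one.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysql = mysqli_connect("example.com", "johndoe", "abc123", "dbname");

/**
 * Insert one row into the Users table from the question.
 *
 * The SQL text contains only "?" placeholders; the values are sent to the
 * server separately through bind_param, so they are never parsed as SQL.
 * No mysqli_real_escape_string call is needed (or wanted) on the inputs,
 * and a missing variable fails at bind time instead of producing the
 * "near ' , )'" syntax error from the question.
 */
function insertUser(mysqli $db, string $username, string $password, string $email): int
{
    $stmt = mysqli_prepare(
        $db,
        "INSERT INTO Users (username, password, email) VALUES (?, ?, ?)"
    );
    // "sss": three string parameters, bound in the order of the placeholders.
    mysqli_stmt_bind_param($stmt, "sss", $username, $password, $email);
    mysqli_stmt_execute($stmt);
    $id = (int) mysqli_stmt_insert_id($stmt);
    mysqli_stmt_close($stmt);
    return $id;
}

// Constructed sample input. The single quote in the username is exactly the
// kind of character that breaks a concatenated query; with binding it is
// stored literally and has no effect on the statement.
$id = insertUser($mysql, "o'brien", "abc123", "obrien@example.com");
echo "Inserted user with ID $id\n";

mysqli_close($mysql);
```

The same pattern applies to the SELECT side: prepare once with placeholders, bind the lookup value, and never build the WHERE clause by string concatenation.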

To escape characters and clean them before inserting into the database, you can use the function below to sanitize them properly:

<?php
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
    );

    $output = preg_replace($search, '', $input);
    return $output;
}
?>

and finally, when outputting, to escape ' on the page, use:

htmlspecialchars($quote_str, ENT_QUOTES); or htmlentities($quote_str, ENT_QUOTES);
