0

I am receiving the following error from the code below.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@doe.com,username,5f4dcc3b5aa765d61d8327deb882cf99,09/05/2011 1:11:13 AM)' at line 1

$username = $_GET['username'];
$password = md5($_GET['password']);
$firstname = $_GET['firstname'];
$lastname = $_GET['lastname'];
$email = $_GET['email'];
$date = uk_date();
$conn = mysql_connect('localhost', 'myuser', 'mypass');
mysql_select_db('dbname');
$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES (". $firstname . ",". $lastname ."," . $email . "," . $username . "," . $password . "," . $date . ")";
$result = mysql_query($query) or die(mysql_error());
echo 'Success';
mysql_close($result);

Please could you let me know what my problem is? I am new to MySQL and PHP so please can you provide an explanation to what I have done wrong for later reference.

Improve this question
5
  • 3
    The problem is that you're (blah blah quotes blah blah escape blah blah SQL injection) and you're not using prepared statements. Commented May 9, 2011 at 0:17
  • What do you mean by prepared statements? Commented May 9, 2011 at 0:18
  • 1
    Take a look at this article in the PHP PDO manual. Prepared statements are indispensable in helping guard against SQL injection attacks, which most web apps are vulnerable to. Commented May 9, 2011 at 0:18
  • I love how you used password as the password Commented May 9, 2011 at 0:23
  • 1
    prepared statements or escape your variables before inserting them in your sql query, or you might become of sql injection. Meaning someone can insert some code in your sql and do stuff like... delete all your tables Commented May 9, 2011 at 0:24

3 Answers 3

Reset to default
5

You haven't quoted any of the values in your INSERT, you should be saying something more like this:

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" . $username . "','" . $password . "','" . $date . "')";

You should also be using mysql_real_escape_string on all those variables to make sure that any embedded quotes and such are properly encoded.

A better version would be something like this:

$query = sprintf("INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname),
    mysql_real_escape_string($email),
    mysql_real_escape_string($username),
    mysql_real_escape_string($password),
    mysql_real_escape_string($date));

You should also listen to BoltClock and use PDO and placeholders so you don't have to worry about your quotes and escaping so much. PDO will also make it easier to switch databases.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Your quotes is wrong in the first query (the first '). You have them switched.
@judda: Good eyes, thanks and fixed. You've pointed out a good reason not to try building a query that way: too many quotes fighting each other and making an unreadable mess.
4

Probably user input have a single quote character, so it will be safe to escape special character before send it as query to database, this will prevent your script from sql injection.

$query = "INSERT INTO accounts (FirstName, LastName, Email, Username, Password, LastLoginDate) VALUES ('$firstname', '$lastname', '$email','$username','$password', '$date')";
Improve this answer

Comments

0

Once you have escaped your variables like suggested by other, you need to surround them with quotes if they are string varialbles :

mysql_select_db('dbname'); 
$query = "INSERT INTO accounts 
       (FirstName, LastName, Email, Username, Password, LastLoginDate) 
       VALUES ('". $firstname . "','". $lastname ."','" . $email . "','" .
       $username . "','" . $password . "','" . $date . "')"; 
$result = mysql_query($query) or die(mysql_error());
echo 'Success'; mysql_close($result);

In this case i added single quotes. you shouldnt have any errors now

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.