-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- (c) WidthPadding Industries 1987 0|616|0 -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
Socoder -> Web Development -> SQL syntax error trying to insert data...

Posted : Wednesday, 30 March 2011, 09:25
I am trying to insert a bunch of data into my database with the following line -

but I am getting the following error:

It's obviously something to do with the email address (i used my own as dummy data) but what is it going on about?

Check out my excellent homepage!
Posted : Wednesday, 30 March 2011, 11:33
Evil Roy Ferguso
It might help to assign the query to a local variable first and print it out to see what your string substitution is actually created:

In this case I think your problem is that you need quotes around your string values -- you need " '$_POST[Username]' " instead of " $_POST[Username] ", for example. But you're open to SQL injection attacks this way -- you need to either escape those values, or, preferably, use prepared statements, which will take care of both the escaping AND the "do I need quotes" question for you.
Posted : Wednesday, 30 March 2011, 15:08
What Roy said. $_POSTs inside of mysql will open you up to mysql injection attacks.

You might also want to try wrapping the $_POSTs in {brackets}, otherwise it might not parse correctly.

Posted : Thursday, 31 March 2011, 06:37
I did it the following way....

Which seemed to work fine.

I assume though that encrypting the password in some way would be a good idea. Would it be best to use some sort of decrypt-able encryption, allowing the user to retrieve a forgotten password. Or would a hash key style work better, so that the users password can in no way be retrieved from the password stored in the database?

Check out my excellent homepage!
Posted : Thursday, 31 March 2011, 18:03
Change your code to this to protect yourself from MySQL injection:

For your second question, use hashing. The whole point of storing it securely is so that hackers can't break in to your database and steal the passwords. Not only should you hash, but you need to use a computationally expensive hash. GPUs are really good at cracking passwords these days. I use 100,000 rounds of SHA-256 to protect passwords.

This is a more advanced way to do it:

Quit posting and try Google.
Posted : Thursday, 31 March 2011, 19:54
I kinda disagree with Stealth. I think it should be done in the order:

By keeping all stages separate it is easier to ensure each section works correctly, and keeps your architecture simpler. It's also easier to automate sections (such as automating making the SQL safe).
Posted : Thursday, 31 March 2011, 20:19
I jsut noticed that you have your $_POST variable inside the string. PHP just assumes that $_POST is a variable and ['stuffHere'] is a string. which is gonna cause trouble.

a simple (not best practise) way would be like this.

of course, everyone else is correct about best practice
Posted : Friday, 01 April 2011, 15:55
Or, as Evil Roy Ferguson said, avoid the issue entirely and use Prepared Statements!

blog | work | code | more code