Jon W 03-16-2009, 08:07 AM
mysql_query("INSERT INTO Player (`name`, `password`, `attack`, `strength`, `defense`, `agility`, `dexterity`, `gold`, `level`, `email`) VALUES('".mysql_real_escape_string($_POST['account_name'])."','". mysql_real_escape_string(md5($_POST['password']))."','".mysql_real_escape_string($_POST['email'])."','10','10','10','10','10','100','1'") or die('Server Error: ' . mysql_error());
I am getting an error message saying: Server Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Though I don't see anything wrong with it.
abduraooft 03-16-2009, 08:50 AM
Change your
mysql_query("INSERT INTO Player (`name`, `password`, `attack`, `strength`, `defense`, `agility`, `dexterity`, `gold`, `level`, `email`) VALUES('".mysql_real_escape_string($_POST['account_name'])."','". mysql_real_escape_string(md5($_POST['password']))."','".mysql_real_escape_string($_POST['email'])."','10','10','10','10','10','100','1'") or die('Server Error: ' . mysql_error());
to
echo $sql="INSERT INTO Player (`name`, `password`, `attack`, `strength`, `defense`, `agility`, `dexterity`, `gold`, `level`, `email`) VALUES('".mysql_real_escape_string($_POST['account_name'])."','". mysql_real_escape_string(md5($_POST['password']))."','".mysql_real_escape_string($_POST['email'])."','10','10','10','10','10','100','1'";
mysql_query($sql) or die('Server Error: ' . mysql_error());
and carefully observe the parsed output of $sql (obtained in the browser).
Jon W 03-16-2009, 09:16 AM I'm still getting the same error. I'm not too sure what is giving me this error. I can't figure it out.
abduraooft 03-16-2009, 09:19 AM "I'm still getting the same error." I hadn't given any solution to your issue.
Post your echoed output of $sql here.
Jon W 03-16-2009, 10:27 AM
<?php
$name = $_POST['account_name'];
$password = $_POST['password'];
$retype_password = $_POST['pass'];
$email = $_POST['email'];
$email2 = $_POST['email2'];
$con = mysql_connect('localhost","username","password");
if(!$con) {
die('Server Error: ' . mysql_error());
}
mysql_select_db('database', $con);
$email = mysql_query("SELECT email FROM player WHERE email='$email'") or die('Server Error: ' . mysql_error());
$check = mysql_num_rows($email);
if($check['email'] > 1) {
$error4 = "This email is already being used.";
}
if(isset($_POST['go'])) {
if($_POST['account_name'] =='') {
$error1 = 'Please type in your account name.';
}elseif($_POST['password'] =='' || $_POST['pass'] =='') {
$error2 = 'Please type in a password to use.';
}elseif($_POST['password'] !='' && $_POST['pass'] !='' && $_POST['password'] != $_POST['pass']) {
$error2 = "Your password doesn't match!";
}elseif($_POST['email'] =='' || $_POST['email2'] =='') {
$error3 = "Please type in a email address";
}elseif($_POST['email'] !='' && $_POST['email2'] !='' && $_POST['email'] != $_POST['email2']) {
$error3 = "Your emails do not match.";
}else {
$con = mysql_connect('localhost','username','password');
if(!$con) {
die('Server Error: ' . mysql_error());
}
mysql_select_db('database', $con);
mysql_query("INSERT INTO player (name, password, attack, strength, defense, agility, dexterity, gold, level, email) VALUES('$name','$password','10','10','10','10','10','100','1','$email'") or die('Server Error: ' . mysql_error());
}
}
?>
abduraooft 03-16-2009, 01:04 PM Would you please reread my first post? :(
oesxyl 03-16-2009, 09:44 PM
$con = mysql_connect('localhost","username","password");
replace ' with " in that place and follow abduraooft's suggestion.
best regards
Jon W 03-17-2009, 01:45 AM
<?php
if(isset($_POST['submit'])) {
$con = mysql_connect("localhost","username","password");
if(!$con) {
die('Server Error: ' . mysql_error());
}
mysql_select_db("mydatabase", $con);
$email = $_POST['address'];
$comfirm = mysql_query("SELECT email FROM users WHERE email='$email'") or die('Server Error: ' . mysql_error());
$check = mysql_num_rows($comfirm);
if($check >= 1) {
$error = "This email address is already being used.";
}
mysql_close($con);
if($_POST['account_name'] =='') {
$error = "You must fill in a account name.";
}elseif($_POST['password'] =='' || $_POST['pass'] =='') {
$error = "Please fill in a password.";
}elseif($_POST['password'] != $_POST['pass']) {
$error = "These passwords do not match!";
}elseif($_POST['address'] =='' || $_POST['email'] =='') {
$error = "Please fill in your email.";
}elseif($_POST['address'] != $_POST['email']) {
$error = "Your emails do not match!";
}else {
$con = mysql_connect("localhost","username","password);
if(!$con) {
die('Server Error: ' . mysql_error());
}
mysql_select_db("mydatabase", $con);
$account_name = $_POST['account_name'];
mysql_real_escape_string($account_name);
$email = $_POST['address'];
mysql_real_escape_string($email);
$password = $_POST['password'];
mysql_real_escape_string(md5($password));
$pass = $_POST['pass'];
mysql_real_escape_string(md5($pass));
$email = $_POST['address'];
mysql_real_escape_string($email);
$email2 = $_POST['email'];
mysql_real_escape_string($email2);
mysql_query("INSERT INTO users (`name`, `password`, `email`) VALUES('". $_POST['account_name'] ."', '". $_POST['password'] ."','". $_POST['email'] ."'") or die('Server Error: ' . mysql_error());
}
}
?>
Could someone explain to me why, every time, no matter what I seem to do, I get the following error: Server Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
I know the details are limited but it truly has me going crazy trying to figure this one out. I've been over this code a hundred times, I've looked at other PHP scripts that are almost the same code which happen to work fine, and I just can't see what's wrong with this...
Help!! lol
Jon W 03-17-2009, 02:36 AM Does anyone have a clue?
oesxyl 03-17-2009, 02:52 AM
???
best regards
Jon W 03-17-2009, 03:08 AM Okay, so all of that I have done. I have echoed the MySQL query out onto the page. It looks totally fine. I did fix the typo; that was a typo from when I was editing the user name and password to post the PHP. I've gone through the code more than once now. Each and every time I get the same exact error.
INSERT INTO users username, password, email VALUES 'jon', 'password','myemailaddress'
That is what the query looks like when I echo it on the page.
oesxyl 03-17-2009, 03:27 AM you miss another " after password.
$con = mysql_connect("localhost","username","password");
<?php
$con = mysql_connect("localhost","username","password");
if(!$con) {
die('Server Error: ' . mysql_error());
}
mysql_select_db("mydatabase", $con);
$account_name = $_POST['account_name'];
mysql_real_escape_string($account_name);
$email = $_POST['address'];
mysql_real_escape_string($email);
$password = $_POST['password'];
mysql_real_escape_string(md5($password));
$pass = $_POST['pass'];
mysql_real_escape_string(md5($pass));
$email = $_POST['address'];
mysql_real_escape_string($email);
$email2 = $_POST['email'];
mysql_real_escape_string($email2);
mysql_query("INSERT INTO users (`name`, `password`, `email`) VALUES('". $_POST['account_name'] ."', '". $_POST['password'] ."','". $_POST['email'] ."'") or die('Server Error: ' . mysql_error());
}
}
?>
that could be because of the missing ", but it could also be a problem with the query.
correct the quote; I suggest you use an editor with syntax highlighting.
add this to the top of your file:
ini_set('display_errors', 1);
error_reporting(E_ALL);
best regards
Fou-Lu 03-17-2009, 03:43 AM You should also secure these with proper escaping.
I see you're doing some mysql_real_escape_string; however, it's incorrect. MySQL_real_escape_string does not alter a reference, it takes a string and returns a string. Later in your query, you've gone back to using the $_POST directly.
$name = mysql_real_escape_string($_POST['account_name']);
$password = md5($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
mysql_query("INSERT INTO users (`name`, `password`, `email`) VALUES('". $name ."', '". $password ."','". $email ."')") or die('Server Error: ' . mysql_error());
If you're using an md5 or similar hash, you won't actually need to escape it. The results are always hex digits, so you'll never have a ' or invalid character in it.
Jon W 03-17-2009, 04:11 AM I've figured this problem out. The problem was that I had a ) outside of the mysql_query
Good Query
mysql_query("INSERT INTO users (`username`,`password`,`email`,`attack`,`strength`,`defense`,`agility`,`dexterity`,`gold`,`level`) VALUES('".$_POST['account_name']."','". md5($_POST['password']) ."','". $_POST['email'] ."','10','10','10','10','10','100','1')") or die('Server Error: ' . mysql_error());
Bad Query ...
mysql_query("INSERT INTO users (`username`,`password`,`email`,`attack`,`strength`,`defense`,`agility`,`dexterity`,`gold`,`level`) VALUES('".$_POST['account_name']."','". md5($_POST['password']) ."','". $_POST['email'] ."','10','10','10','10','10','100','1'")) or die('Server Error: ' . mysql_error());
Notice at the very end of it that the ) are two on the outside of the query.
Bad
'10','10','100','1'"))
Good
'10','10','100','1')")
Thanks a lot for all of the help. :)
oesxyl 03-17-2009, 04:20 AM keep in mind to correct what Fou-Lu said, or else mysql_real_escape_string is useless.
best regards
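Added example (not code from any poster in this thread): the same registration INSERT and duplicate-email check written with PDO prepared statements, so the SQL text is a fixed string with no hand-built quotes or parentheses and the values are bound rather than escaped. Assumptions: an in-memory SQLite database (pdo_sqlite) stands in for the MySQL server so the script runs offline, the function name register_user is hypothetical, and password_hash() is swapped in for the thread's md5().

```php
<?php
// Added example. In production the DSN would be a mysql: one; the in-memory
// SQLite database here is an assumption that keeps the script self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT NOT NULL,
    password TEXT NOT NULL,
    email    TEXT NOT NULL UNIQUE,
    attack INTEGER, strength INTEGER, defense INTEGER,
    agility INTEGER, dexterity INTEGER, gold INTEGER, level INTEGER
)');

// Hypothetical helper: returns false if the email is taken, true on insert.
function register_user(PDO $pdo, string $name, string $password, string $email): bool
{
    // Duplicate check with a bound value instead of "... WHERE email='$email'".
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $check->execute([':email' => $email]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    // The statement is one constant string: a misplaced ) or " is visible at a
    // glance, and user input can never change the shape of the query.
    $insert = $pdo->prepare(
        'INSERT INTO users
            (username, password, email, attack, strength, defense,
             agility, dexterity, gold, level)
         VALUES (:name, :hash, :email, 10, 10, 10, 10, 10, 100, 1)'
    );
    return $insert->execute([
        ':name'  => $name,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // salted, slow hash
        ':email' => $email,
    ]);
}

// Constructed sample input: a name containing a quote and a parenthesis, the
// characters that break a concatenated query, is stored as plain data.
var_dump(register_user($pdo, "O'Brien)", 'correct horse', 'jon@example.test'));
var_dump(register_user($pdo, 'second user', 'other pass', 'jon@example.test'));

$row = $pdo->query('SELECT username, password FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === "O'Brien)");
var_dump(password_verify('correct horse', $row['password']));
```

The mysql_* functions used throughout this thread were removed in PHP 7, so PDO or mysqli is required on current PHP versions.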