
View Full Version : Syntax Error!



pelehelp
03-28-2009, 08:27 AM
Hi,
I am a PHP and MySQL beginner. I have faced a problem but am not really sure whether it is from the PHP coding or MySQL. It seems like a very simple problem but I could not find the error. It gives an error message as follows: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near.......near line 1'. Because of this, I can't proceed to add the data into the database. Can anybody give me some guidelines? Thanks.....

<html>
<body>
<form action="adduser.php" method="post">
<p>&nbsp;</p>
<p>&nbsp;</p>
<table align="center" width="380" height="250" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="170"><div align="left"><strong>Username</strong></div></td>
<td width="10"><div align="center"><strong>:</strong></div></td>
<td width="200"><input type="text" name="username" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>Password</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="password" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>Full Name</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="fullname" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>IC Number</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="ic" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>Telephone</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="telephone" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>Email</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="email" value="" /></td>
</tr>
<tr>
<td><div align="left"><strong>History</strong></div></td>
<td><div align="center"><strong>:</strong></div></td>
<td><input type="text" name="history" value="" /></td>
</tr>
</table>
</p>
<table align="center" width="100" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><input type="submit" name="save" value="Save" onclick="location.href='adduser.php'"/></td>
<td><input type = "reset" value = "Reset"></td>
<td><input type="button" name="cancel" value="Cancel" onclick="location.href='Content.html'"/></td>
</tr>
</table>
<p>&nbsp;</p>
<div align = right>
<p>
<input type="button" name="cance" value="Back To Main" onclick="location.href='Content.html'"/>
</p>
</p>
</div>
</form>

<?php



$username = trim($_POST['username']);
$psassword = trim($_POST['password']);
$fullname = trim($_POST['fullname']);
$ic = trim($_POST['ic']);
$telephone = trim($_POST['telephone']);
$email = trim($_POST['email']);
$history = trim($_POST['history']);

$connection = mysql_pconnect('localhost','root','fsktm') or die('Unable to connect!');

mysql_select_db('cinema') or die('Unable to select database!');



if (isset($_POST['save']))
{
$insert = "INSERT INTO user(username,password,full_name,ic_number,telephone,email,history) VALUES ($username, $password, $fullname, $ic, $telephone, $email, $history)" or die ("Could not insert new data :" . mysql_error());

mysql_query($insert) or die(mysql_error());
}

else
{
echo "All fields are required to be completed !! <br />";
}

mysql_close($connection);

?>

</body>
</html>

bdl
03-28-2009, 08:41 AM
$insert = "INSERT INTO user(username,password,full_name,ic_number,telephone,email,history) VALUES ($username, $password, $fullname, $ic, $telephone, $email, $history)" or die ("Could not insert new data :" . mysql_error());


1) $insert = is a variable assignment; you're assigning the string contained in the "double quotes" on the right to the variable $insert on the left. It is not a function call, thus you cannot use or die() at the end of it. Make the assignment and end it.
2) Your SQL statement isn't using any quotes to surround the data, e.g. '$username', '$password', etc. This is the cause of your syntax error.



$psassword = trim($_POST['password']);

3) You've misspelled 'password' in your variable assignment.
4) Whatever you do, don't insert a plaintext password into the database. At least if this is any sort of application you want to keep secure for any length of time. At the very least use SHA1 or SHA256 to hash the password and store that value instead.

5) Speaking of security, all you're doing is reassigning the incoming POST data to local variables for insertion into the database. Make sure you get into the habit of properly validating and escaping data (http://www.lmgtfy.com?q="sql+injection+mysql+php") that gets anywhere near your db.
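
Added example, not part of the original posts: points 2, 4 and 5 of the reply above combined into one insert routine that uses PDO prepared statements, so values are bound rather than quoted or escaped by hand. Assumptions: an in-memory SQLite database stands in for the thread's MySQL `cinema` database so the script runs offline, `add_user()` is a hypothetical helper, the sample input is constructed, and `password_hash()` is used here in place of the bare SHA1/SHA256 hash the reply mentions.

```php
<?php
// sqlite::memory: stands in for the thread's MySQL database (assumption);
// with a "mysql:host=...;dbname=cinema" DSN the prepare()/execute() calls are identical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, full_name TEXT,
    ic_number TEXT, telephone TEXT, email TEXT, history TEXT)');

// Hypothetical helper: validates the form fields from the thread and inserts one row.
function add_user(PDO $pdo, array $post): bool
{
    // form field name => table column name, as used in the original post
    $map = ['username' => 'username', 'password' => 'password', 'fullname' => 'full_name',
            'ic' => 'ic_number', 'telephone' => 'telephone', 'email' => 'email',
            'history' => 'history'];
    $params = [];
    foreach ($map as $field => $column) {
        $value = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
        if ($value === '') {
            return false;               // the form requires every field
        }
        $params[":$column"] = $value;
    }
    if (filter_var($params[':email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;                   // reject malformed addresses before touching the db
    }
    // Store a salted, slow hash instead of the plaintext password.
    $params[':password'] = password_hash($params[':password'], PASSWORD_DEFAULT);

    // Placeholders keep the data out of the SQL text, so an apostrophe in a
    // value can neither break the syntax nor change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO user (username, password, full_name, ic_number, telephone, email, history)
         VALUES (:username, :password, :full_name, :ic_number, :telephone, :email, :history)');
    return $stmt->execute($params);
}

// Constructed sample input; the apostrophe would break a hand-quoted query.
$post = ['username' => 'pat', 'password' => 'correct horse', 'fullname' => "Pat O'Brien",
         'ic' => '000000-00-0000', 'telephone' => '555-0100',
         'email' => 'pat@example.com', 'history' => 'none', 'save' => 'Save'];

var_dump(add_user($pdo, $post));
$row = $pdo->query('SELECT full_name, password FROM user')->fetch(PDO::FETCH_ASSOC);
var_dump($row['full_name'] === "Pat O'Brien");                   // stored unmodified
var_dump($row['password'] !== 'correct horse');                  // plaintext is not stored
var_dump(password_verify('correct horse', $row['password']));    // login-time check
var_dump(add_user($pdo, ['username' => 'x']));                   // missing fields are rejected
```

The `mysql_*` functions used in the original post were removed in PHP 7, which is another reason to move to PDO or mysqli.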

abduraooft
03-28-2009, 08:47 AM
Hi pelehelp, please don't post your entire code in bold; it gives an impression of shouting. You may use
][/COLOR] tags to wrap your client side code, just like the
][/COLOR] tags.


