-2

When I submit the form to register a new user on my website, it submits, however it does not submit to the database and i'm getting an error saying this:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '####, 800800800)' at line 2 Whole query: mysql_query

Here is my MySQL Query:

    $fname    =   $_POST['fnamein'];
    $lname    =   $_POST['lnamein'];
    $email    =   $_POST['emailin'];
    $phone    =   $_POST['phonein'];
    $password =   sha1($_POST['passwordin']);

    $query='INSERT INTO directoryi (Fname, Lname, password, email, phone) 
    VALUES ('.$fname.', '.$lname.', '.$password.', '.$email.', '.$phone.')';
    $result = mysql_query($query);

    if (!$result) {
        $message  = 'Invalid query: ' . mysql_error() . "\n";
        $message .= 'Whole query: ' . mysql_query;
        die($message);
    }

    echo '<h2>Thank you for registering!</h2>';

    mysql_free_result($result);
    mysql_close($dbconnect);
    ?>

And my HTML Form:

        <form action="register.php" method='post'>
            <input type="text" class="input-small" style="width: 46%;" name="fnamein" placeholder="First Name">
            <input type="text" class="input-small" style="width: 46%;" name="lnamein" placeholder="Last Name">
            <input type="text" class="input" style="width: 46%;" name="emailin" placeholder="Email">
            <input type="text" class="input" style="width: 46%;" name="phonein" placeholder="ex. 7171234567">
            <input type="password" class="input" style="width: 96%;" name="passwordin" placeholder="Password">
            <button type="submit" class="btn">Register</button>
        </form>
von v.
  • 16,868
  • 4
  • 60
  • 84
nackolous
  • 9
  • 1
  • 7
  • 2
    Please _don't_ build a query using string concatenation - this is one of the most common security flaws. Read up on SQL Injection – Basic Apr 24 '13 at 00:19

2 Answers2

5

To answer your question directly, string literals must be wrap with single quotes,

$query="INSERT INTO directoryi (Fname, Lname, password, email, phone) 
        VALUES ('" .$fname. "', '" .$lname. "', '".$password."', '".$email."', '".$phone."')";

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

Community
  • 1
  • 1
John Woo
  • 258,903
  • 69
  • 498
  • 492
1

Depending on the data types of your fields, my guess is that you aren't properly providing single-quotes around the insert values. Try this:

$query="INSERT INTO directoryi (Fname, Lname, password, email, phone) 
VALUES ('$fname', '$lname', '$password', '$email', '$phone')";

Note that this assumes all fields are string type fields (like varchar).

You also have significant SQL injection vulnerability, and are using mysql_* functions which are deprecated. I would strongly suggest you learn how to use mysqli or PDO with prepared statements.

Mike Brant
  • 70,514
  • 10
  • 99
  • 103