After creating a form for user registration, I want to add groups.
Now I first tried editing the prepared statement but that did not work, so I tried this:
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
include('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST["username"]) && isset($_POST["password"])){
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$epassword = hash("sha512", $password);
$group = 'user';
$query1 = "SELECT * FROM `user` WHERE email='$email'";
$result = mysqli_query($connection, $query1) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
if ($count == 1){
$msg1 = "Dit E-mailadres is al in gebruik voor een andere gebruiker.";
}else{
$query = "SELECT * FROM `user` WHERE username='$username'";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
if ($count == 1){
$msg2 = "Deze gebruikersnaam is al in gebruik.";
}else{
$stmt = $connection->prepare("INSERT INTO `user` (username,password,email) VALUES(?,?,?)");
$stmt->bind_param("sss", $username, $epassword, $email);
$stmt->execute();
$msg = "De gebruiker is aangemaakt.";
$sql2 = "UPDATE user
SET group = $group
WHERE username = $username" ;
$retval = mysqli_query( $connection, $sql2);
if(! $retval )
{
die('Could not update data: ' . mysqli_error($connection));
}
}
}
}
?>
and now it is creating the user (with no group) after showing the following error:
Could not update data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group = user WHERE username = test' at line 1
could you help me with this?
thanks to juergen d this is the working code:
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
include('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST["username"]) && isset($_POST["password"])){
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$epassword = hash("sha512", $password);
$modus = "user";
$query1 = "SELECT * FROM `user` WHERE email='$email'";
$result = mysqli_query($connection, $query1) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
if ($count == 1){
$msg1 = "Dit E-mailadres is al in gebruik voor een andere gebruiker.";
}else{
$query = "SELECT * FROM `user` WHERE username='$username' ";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
if ($count == 1){
$msg2 = "Deze gebruikersnaam is al in gebruik.";
}else{
$stmt = $connection->prepare("INSERT INTO `user` (username,password,email) VALUES(?,?,?)");
$stmt->bind_param("sss", $username, $epassword, $email);
$stmt->execute();
$msg = "De gebruiker is aangemaakt.";
$sql2 = "UPDATE `user`
SET `modus` = '$modus'
WHERE username = '$username'";
$retval = mysqli_query( $connection, $sql2);
if(! $retval )
{
die('Could not update data: ' . mysqli_error($connection));
}
}
}
}
?>
group is a reserved word and needs to be escaped with backticks.
UPDATE user
SET `group` = '$group'
WHERE username = '$username'"
And as others already mentioned - put your strings in quotes or better look into Prepared Statements.
You need to wrap strings in apostrophes, just like you did in one of your previous queries; example:
$sql2 = "UPDATE `user` SET `group` = $group WHERE username = '$username'";
Also, as per juergen d's answer, you need to enclose the group column in backticks, as it is a reserved word.
I don't know whether mysql allow you to use "group" as column name, but the most obvious error is you need wrap the group value with double quotes: set group="$group"
try:
$sql2 = "UPDATE `user`
SET `group` = '$group'
WHERE `username` = '$username'";
Related
I have a problem on this, I can't find where is the problem in my code, anyone help me, pls.
<?php
if($_POST['submit']) {
$username = $_POST['username'];
$password = $_POST['password'];
$id = $_POST['id'];
$query = "UPDATE users SET ";
$query .="username = '$username' ";
$query .="password = '$password' ";
$query .="WHERE id = $id";
$result = mysqli_query($connection, $query);
if(!$result) {
die ('QUERY FAILED' . mysqli_error($connection));
}
}
?>
I need to update the new data into MySQL, but it show me the error message:
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'password='av' WHERE id='
Missing ',' in your query.
<?php
if($_POST['submit']) {
$username = $_POST['username'];
$password = $_POST['password'];
$id = $_POST['id'];
$query = "UPDATE users SET ";
$query .= "username = '$username', "; // missing ','
$query .= "password = '$password' ";
$query .= "WHERE id = $id";
$result = mysqli_query($connection, $query);
if(!$result) {
die ('QUERY FAILED' . mysqli_error($connection));
}
}
?>
The Update query should be :
UPDATE users SET username = 'username', password = 'password' where id = 1
As correctly pointed out by Majharul, the error is caused by the missing comma (,) between the columns listed in your SET clause. The error is almost always immediately preceding the part of the query returned in the error: password='av' WHERE id=.
More importantly, you should never store passwords in plain text, nor should you be simply concatenating strings and/or interpolating variables directly into your SQL. This is a very obvious SQL Injection vulnerability and easy to exploit. You should be using parameterized prepared statements to pass your variables into your query.
This is a simplistic example (validation of user input should be added) of how you might improve your code:
<?php
if($_POST['submit']) {
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$id = $_POST['id'];
/* Prepare your UPDATE statement */
$stmt = mysqli_prepare($connection, 'UPDATE users SET username = ?, password = ? WHERE id = ?');
/* Bind variables to parameters */
mysqli_stmt_bind_param($stmt, 'ssi', $username, $password, $id);
/* Execute the statement */
$result = mysqli_stmt_execute($stmt);
if(!$result) {
die ('QUERY FAILED' . mysqli_error($connection));
}
}
Please read PHP docs for password_hash() for more detailed explanation.
Is it possible to show variable username before I am putting it into DB? Echo, alert, console or something? I want to check what is in $username before do INSERT
<?php
require_once 'connect.php';
$data = json_decode(file_get_contents("php://input"));
$username = mysqli_real_escape_string($connect, $data->username);
$query = "INSERT into tablename (username) VALUES ('$username')";
mysqli_query($connect, $query);
echo true;
?>
Try this
$username = mysqli_real_escape_string($connect, $data->username);
if($username)
{
echo $username;
$query = "INSERT into tablename (username) VALUES ('$username')";
mysqli_query($connect, $query);
}
<?php
require_once 'connect.php';
$data = json_decode(file_get_contents("php://input"));
$username = mysqli_real_escape_string($connect, $data->username);
$query = "INSERT into tablename (username) VALUES ('$username')";
echo "<script>alert('".$username."')</script>";
mysqli_query($connect, $query);
echo true;
?>
Godd night. I have this code for php to add data to my database but i dont get succes.
<?php
require("config.inc.php");
if (!empty($_POST)) {
$user = $_POST['User'];
$mail = $_POST['Mail'];
$token = $_POST['Token'];
$pass = $_POST['Pass'];
$result = mysqli_query($con,"SELECT 1 FROM Proteos where
User='$user'");
$row = mysqli_fetch_array($result);
$data = $row[0];
if($data==0){
echo $data;
echo "Hey, un grato saludo mister ".$user."!\n";
$query = "INSERT INTO Proteos (User, Mail ) VALUES ($user,$mail ) ";
}
mysqli_close($con)
And this is my config.inc
<?php
define('DB_SERVER','mysql.smartfreehosting.net');
define('DB_NAME','u178665800_prote');
define('DB_USER','u178665800_carin');
define('DB_PASS','xxxxxx');
$con = mysql_connect(DB_SERVER,DB_USER,DB_PASS);
mysql_select_db(DB_NAME,$con);
?>
Put your value in single quote And than execute query
$query = "INSERT INTO Proteos (User, Mail ) VALUES ($user,$mail ) ";
to
$query = "INSERT INTO Proteos (User, Mail ) VALUES ('$user','$mail') ";
And after that pass $query to mysqli_query like
mysqli_query($con,$query);
String values have to be passed in quotes. Also execute the query .
To debug use mysqli_error
$query = "INSERT INTO Proteos (User, Mail ) VALUES ('{$user}','{$mail}' ) ";
mysqli_query($con,$query);
or
mysqli_query($conn, $query) or die(mysqli_error($conn));
to connect with mysqli (ref) change in config.inc
$con = mysqli_connect(DB_SERVER,DB_USER,DB_PASS, DB_NAME);
You are inserting VARCHAR (string) data into Database without single quotes.
Data without single quotes is considered as either table/field names or integers or keywords.
Your entered data being none of these is causing errors.
Corrected SQL:
$query = "INSERT INTO Proteos (User, Mail ) VALUES ('$user','$mail') ";
<?php
require("config.inc.php");
if (!empty($_POST)) {
$user = $_POST['User'];
$mail = $_POST['Mail'];
$token = $_POST['Token'];
$pass = $_POST['Pass'];
$result = mysqli_query($con,"SELECT 1 FROM Proteos where
User='$user'");
$row = mysqli_fetch_array($result);
$data = $row[0];
if($data==0){
echo $data;
echo "Hey, un grato saludo mister ".$user."!\n";
mysqli_query($con,"INSERT INTO Proteos (User, Mail ) VALUES ('$user','$mail' ) ") or die(mysqli_error());
}
mysqli_close($con);
check above code, values are insert using 'var' like '$user','$mail'
any error shows in the query helps to find the code or die(mysqli_error())
I am trying to update my feedback in my SQL database form with help of submit button but I'm unable to do so. Please help!
if (isset($_POST['submitreport']))
{
$dbCon = mysqli_connect("localhost","root","","Hun");
$report = strip_tags($_POST['report']);
$sql = "UPDATE Feedback SET report='$report' WHERE username='$username' AND date='$date' ";
$query = mysqli_query($dbCon, $sql);
}
<?php
if (isset($_POST['submitreport']))
{
$monthDayYear = date('m-d-Y');
$dbConnnection = mysqli_connect("localhost","root","","Hun");
$dbUsername = strip_tags($_POST['report']);
$sqlQuery = "UPDATE Feedback SET report='".$report."' WHERE username='".$username."' AND date='".$monthDayYear."'";
$queryExecute = mysqli_query($dbConnection, $sqlQuery);
}
?>
<?php
if (isset($_POST['submitreport']))
{
$dbCon = mysqli_connect("localhost","root","","Hun");
$username = 'test';
$report = strip_tags($_POST['report']);
$date = date('m-d-Y');
$sql = "UPDATE Feedback SET report='".$report."' WHERE username='".$username."' AND date='".$date."'";
$query = mysqli_query($dbCon, $sql);
}
?>
EDIT: I know the error is somewhere here:
$connection = #mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = #mysql_select_db($db_name,$connection) or die(mysql_error());
$sql = "SELECT * FROM authorize WHERE username = '$_SESSION[user_name]' and password = '$_SESSION[password]'";
$result = #mysql_query($sql, $connection) or die(mysql_error());
$num = mysql_num_rows($result);
$lstbalance = 0;
$balance = 0;
//set session variables if there is a match
if ($num != 0)
{
while ($sql = mysql_fetch_object($result))
{
$lstbalance = $sql -> lostbalance;
$balance = $sql -> balance;
}
}
if ($win==true)
{
$sql = "update users set lostbalance='($lstbalance+(($payouts[$result1.\'|\'.$result2.\'|\'.$result3])*(int)$_POST[\'bet\']))' WHERE username = '$_SESSION[user_name]' and password = '$_SESSION[password]'";
}
else
{
$sql = "update users set lostbalance='(lstbalance-(int)$_POST[\'bet\'])' WHERE username = '$_SESSION[user_name]' and password = '$_SESSION[password]'";
}
$result = #mysql_query($sql, $connection) or die(mysql_error());
I was able to narrow down the error to this piece of code, help appreciated. Regards.
When I comment it out everything seems to work all the connect variables are from a different file and are valid.
$lostbalance = $lstbalance+(($payouts[$result1])*(int)$_POST['bet']));
$sql = "update users set lostbalance='$lostbalance' WHERE username = '".$_SESSION['user_name']."' and password = '".$_SESSION['password']."'";
i dont understand about ur code on $payout[$result1.\'|\'.$result2.\'|\'.$result3]