0

I am trying to register a user with a MySQL database. I have narrowed the problem down to this block of code.

$query = "INSERT INTO `Users`(`User`, `Pass`, `Email`, `RegKey`, `KeyList`, `ID`, `UserType`) VALUES ([".$user."],[".$pass."],[".$email."],[".$regkey."],[''],[". $NumUsers + 1 ."],['Default'])";
$result = mysqli_query($con,$query);
if($result != false){
        //Successfully created the user
        mysqli_free_result($result);
        $query = "UPDATE Keys SET Paid=1
        WHERE Key='".$regkey."'";
        $result = mysqli_query($con,$query);
        mysqli_free_result($result);
        header('Location: '.$website.'register.php?success');
} else{
    //Failed to create the user
    mysqli_free_result($result);

    header('Location: '.$website.'register.php?e3');
}

Can someone help me figure out what is wrong with my PHP? I have looked up everything and I think it has something to do with the result of the query but I am not sure.

UPDATE:

I Edited the query and I believe it follows the mysql syntax, but i am still getting an error

Updated $query

$query = "INSERT INTO Users(User, Pass, Email, RegKey, KeyList, ID, UserType) VALUES ('".$user."','".$pass."','".$email."','".$regkey."','',". $NumUsers + 1 .",'Default')";

UPDATE 2:

Fixed the Sql Query but I am still getting the same issue...

Fixed Query:

$query = "INSERT INTO `Users`(`User`, `Pass`, `Email`, `RegKey`, `KeyList`, `UserType`) VALUES ('".$user."','".$pass."','".$email."','".$regkey."','','Default')";
Lystic
  • 3
  • 3

2 Answers2

1

Your INSERT statement is wrong. If you are not parameterizing the value, the values whose data type is string (including dates) must be wrapped with single quotes, not with brackets. For example:

INSERT INTO tableName(strCol, dateCol, intCol) 
VALUES ('string value', '2013-01-01 00:00:00', 0)

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at this article to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

Community
  • 1
  • 1
John Woo
  • 258,903
  • 69
  • 498
  • 492
0

I agree that this is prone to SQL injection. But I think the problem here is that you are trying to insert ID. Now if the ID is auto_increment therefore you don't need to insert or include that in your query.

Another thing, the query itself is incorrect. Since this is in PHP5, you should use PDO or MySQLi.

try this

$query = "INSERT INTO `Users`(`User`, `Pass`, `Email`, `RegKey`, `KeyList`, `UserType`) VALUES ('".$user."','".$pass."','".$email."','".$regkey."','','Default')";
Mark
  • 8,046
  • 15
  • 48
  • 78