0

This is my first post on stackoverflow, though I have done extensive research using it along with other sources on a regular basis (including the subject I need help with here.)

To be concise, I am working on a shared session/login/register between a client's site and the EasyAppointments scheduling application. While compiling the config.php for the registration form on my client's site I received this error. I have searched everywhere, please help me understand this:

INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles) VALUES(testing, test, 000000000, 000000000, 123 example street, Birmington, Alabama, 00000, , )INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days) VALUES(TestUser, 0000000000, , , 0, , , , , )
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , 0, , , , , )' at line 2

Here is my config.php code (please excuse my unorthodox variables for sql1/sql2):

<?php
define('DB_HOST', 'localhost'); 
define('DB_NAME', '####'); 
define('DB_USER','####'); 
define('DB_PASSWORD','####'); 

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL:  " . mysql_error()); $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());

$first_name = $_POST['first_name']; 
$last_name = $_POST['last_name']; 
$mobile_number = $_POST['mobile_number'];
$phone_number = $_POST['phone_number'];
$address = $_POST['address']; 
$city = $_POST['city']; 
$state = $_POST['state'];
$zip_code = $_POST['zip_code'];
$noteboy = $_POST['notes'];
$privs = $_POST['id_roles']; 
$email = $_POST['email']; 
$nick = $_POST['nick'];
$password = $_POST['password'];
$salt = $_POST['salt']; 
$working_plan = $_POST['working_plan']; 
$notifications = $_POST['notifications'];
$google_sync = $_POST['google_sync'];
$google_token = $_POST['google_token']; 
$google_calendar = $_POST['google_calendar']; 
$sync_past_days = $_POST['sync_past_days'];
$sync_future_days = $_POST['sync_future_days'];

$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number,         phone_number, address, city, state, zip_code, notes, id_roles) 
VALUES($first_name, $last_name, $mobile_number, $phone_number, $address, $city, $state, $zip_code, $noteboy, $privs)";
echo $bang;

$banger = "INSERT INTO `ea_user_settings` (username, password, salt, working_plan, notifications, google_sync, google_token, google_calendar, sync_past_days, sync_future_days)
VALUES($nick, $password, $salt, $working_plan, $notifications, $google_sync, $google_token, $google_calendar, $sync_past_days, $sync_future_days)";
echo $banger;

$result = mysql_query($bang); mysql_query($banger);
if($result) {
    echo "Successfully updated database";
} else {
    die('Error: '.mysql_error($con)); 
} 

mysql_close($con);
Synchro
  • 35,538
  • 15
  • 81
  • 104
Tyree Daniels
  • 3
  • 3

1 Answers1

0

I doubt you're storing phone numbers as integers, so you should be quoting all those zeroes. SQL doesn't like missing values in the VALUES clause, so you need to fix that to default to a format that's appropriate for your fields, such as empty string, a zero or a NULL. You also need to think about escaping too to avoid errors and SQL injection vulnerabilities - using PDO might be good idea if you're early on in your project, and you should definitely switch to mysqli at the very least.

Your check for query failure only looks at your first query - you should check both.

Anyway, here's how you might apply escaping and quoting to avoid the error you're seeing using your current approach:

$bang = "INSERT INTO `ea_users` (first_name, last_name, mobile_number, phone_number, address, city, state, zip_code, notes, id_roles) 
VALUES('".
    mysql_real_escape_string($first_name)."','".
    mysql_real_escape_string($last_name)."','".
    mysql_real_escape_string($mobile_number)."','".
    mysql_real_escape_string($phone_number)."','".
    mysql_real_escape_string($address)."','".
    mysql_real_escape_string($city)."','".
    mysql_real_escape_string($state)."','".
    mysql_real_escape_string($zip_code)."','".
    mysql_real_escape_string($noteboy)."','".
    mysql_real_escape_string($privs)."')";
Community
  • 1
  • 1
Synchro
  • 35,538
  • 15
  • 81
  • 104
  • Thank you so much. I'm going to apply this method and let you know if it succeeds, I am kind of green when it comes to programming so I'll need all the help I can get. – Tyree Daniels Jul 04 '14 at 09:41
  • okay so the page dies without inserting to database after implementation of this method, may need more assistance – Tyree Daniels Jul 07 '14 at 12:32
  • As always, check your logs, check your return values, when they fail look at what is returned by things like `mysql_error()`. I just noticed that my post was truncated, so it won't work as is - I'll fix it. – Synchro Jul 07 '14 at 12:37
  • I've fixed the example now. – Synchro Jul 07 '14 at 12:39
  • Understood, and yes this is working now that I have notated from your change of the example. Now I am having one other issue concerning failure to update a child row but Im sure I can handle it from here, thanks alot for your help! – Tyree Daniels Jul 07 '14 at 18:46