Karl DeSaulniers wrote:
Thanks for your response. Here is my query. UserID is auto increment and UserLastLogin is a current_timestamp.

$query_users = "INSERT INTO users(UserID, Username, UserEmail, UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress, UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone, UserFax, UserEmailVerified, UserRegistrationDate, UserVerificationCode, UserIP, UserLastLogin) VALUES('NULL','".$Username."','".$UserEmail."','".$UserPassword."','".$UserFirstName."','".$UserLastName."','".$UserCompany."','".$UserAddress."','".$UserAddress2."','".$UserCity."','".$UserState."','".$UserCountry."','".$UserZip."','".$UserPhone."','".$UserFax."','".$UserEmailVerified."','".$UserRegistrationDate."','".$UserVerificationCode."','".$UserIP."', now())";

This works as far as populating the database, but my results page does not return anything.

Only if the VALUES is set like this:

VALUES('NULL','".$Username=$_POST['Username']."','".$UserEmail=$_POST['UserEmail']."','".$UserPassword=$_POST['UserPassword']."','".$UserFirstName=$_POST['UserFirstName']."','".$UserLastName=$_POST['UserLastName']."','".$UserCompany=$_POST[$UserCompany]."','".$UserAddress=$_POST['UserAddress']."','".$UserAddress2=$_POST['UserAddress2']."','".$UserCity=$_POST['UserCity']."','".$UserState=$_POST['UserState']."','".$UserCountry=$_POST[$UserCountry]."','".$UserZip=$_POST['UserZip']."','".$UserPhone=$_POST['UserPhone']."','".$UserFax=$_POST[$UserFax]."','".$UserEmailVerified=$_POST[$UserEmailVerified]."','".$UserRegistrationDate=$_POST[$UserRegistrationDate]."','".$UserVerificationCode=$_POST['UserVerificationCode']."','".$UserIP=$_POST[$UserIP]."', now())";

But some do not work with this setup. Variables like $UserEmailVerified, $UserRegistrationDate and $UserIP are not created from the form that was submitted.
For example, User IP date is created like this.


Problem 1 is sql injection. Wrap each variable in a mysql_real_escape_string call:

insert into table (...) values ('" . mysql_real_escape_string($username) . "' ....

Also, quoting 'NULL' means it will add 'NULL' as the id - not what you want. You can leave out the column to use the default from the database.

Any errors from mysql?

echo mysql_error();

after your insert call.


Below is a snip of how I retrieve the info on the result page (don't want to clutter with whole code. Also, $fieldOne etc. are MySql wildcards '%' from some dropdown lists that show before this code is executed. The results from adding show up fine there.)

$query_users = "SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND UserPassword LIKE '$fieldFour' AND UserFirstName LIKE '$fieldFive' AND UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven' AND UserAddress LIKE '$fieldEight' AND UserAddress2 LIKE '$fieldNine' AND UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND UserCountry LIKE '$fieldTwelve' AND UserZip LIKE '$fieldThirteen' AND UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND UserEmailVerified LIKE '$fieldSixteen' AND UserRegistrationDate LIKE '$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty' LIMIT $min, $max_results";

Again you need to escape all your data (except $min, $max_results - just make sure they are always integers).

I'm assuming there are no errors reported by mysql.

To debug this, I'd simplify the query and work out which bit isn't matching what you want (it could be $fieldOne isn't quite what you expect, or it could be $fieldEleven or $fieldEighteen or ..).

Start off with one field, then add another and go from there.

Postgresql & php tutorials
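
The points raised in the reply above (user data kept out of the SQL text, the UserID column left out so the database default applies, integer-only LIMIT values, database errors surfaced) combined in one runnable sketch. This is an added example, not code from the thread: it swaps mysql_real_escape_string for PDO prepared statements, and the in-memory SQLite database standing in for MySQL, the reduced column set, the findUsers helper and all input values are assumptions made for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server (assumption),
// and the users table is cut down to a few of the thread's columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // DB errors throw instead of passing silently
$db->exec("CREATE TABLE users (
    UserID INTEGER PRIMARY KEY AUTOINCREMENT,
    Username TEXT, UserEmail TEXT, UserIP TEXT,
    UserLastLogin TEXT DEFAULT CURRENT_TIMESTAMP)");

// Constructed form input; the apostrophe would break a concatenated query.
$post = ['Username' => "o'brien", 'UserEmail' => 'ob@example.com'];
$userIp = '192.0.2.10'; // set server-side, not read from the form (constructed value)

// UserID and UserLastLogin are omitted so the database defaults fill them in.
$insert = $db->prepare(
    'INSERT INTO users (Username, UserEmail, UserIP) VALUES (:name, :email, :ip)');
$insert->execute([
    ':name' => $post['Username'], ':email' => $post['UserEmail'], ':ip' => $userIp,
]);

function findUsers(PDO $db, array $filters, $min, $max): array // hypothetical helper
{
    // Column names come from a fixed allow-list, never from the request.
    $allowed = ['Username', 'UserEmail', 'UserIP'];
    $where = []; $params = [];
    foreach ($allowed as $col) {
        $where[] = "$col LIKE :$col";
        $params[":$col"] = $filters[$col] ?? '%'; // '%' wildcard when no filter is chosen
    }
    $sql = 'SELECT UserID, Username, UserEmail, UserIP FROM users WHERE '
         . implode(' AND ', $where) . ' LIMIT :min, :max';
    $stmt = $db->prepare($sql);
    foreach ($params as $k => $v) { $stmt->bindValue($k, $v, PDO::PARAM_STR); }
    $stmt->bindValue(':min', (int) $min, PDO::PARAM_INT); // LIMIT values forced to integers
    $stmt->bindValue(':max', (int) $max, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The quote in the filter is bound as data, so it never becomes part of the SQL.
print_r(findUsers($db, ['Username' => "o'b%"], 0, 10));
```

Following the debugging advice in the reply, shrinking the $allowed list to a single column and adding the others back one at a time shows which filter stops the rows from matching.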
