What is wrong with my PHP/SQL registration script?

Question

I'm trying to make my first registration script using PHP/SQL. Part of my code isn't working:

if(!$errors){

    $query = "INSERT INTO users (email, password) VALUES ($registerEmail, $registerPassword)";

    if(mysqli_query($dbSelected, $query)){
        $success['register'] = 'Successfully registered.';
    }else{
        $errors['register'] = 'Registration did not succeed.';
    }
    }

When I test my code I get the error 'Registration did not succeed.' For reference, $errors and $success are arrays. Is there anything wrong with this part of my script?

$dbSelected is:

    $dbLink = mysqli_connect('localhost', 'root', 'PASSWORD');
    if (!$dbLink) {
        die('Can\'t connect to the database: ' . \mysqli_error());
    }

    $dbSelected = mysqli_select_db($dbLink, 'devDatabase');
    if (!$dbSelected) {
        die('Connected database, but cannot select
            devDatabase: ' . \mysqli_error());
    }

I'm sure I am connecting and selecting the database.

Any help would be greatly appreciated! I am very new to PHP/SQL so forgive me for any noob mistakes.

Answer 1

Quote the string like below

$query = "INSERT INTO users (email, password) VALUES ('$registerEmail', '$registerPassword')";

You can also do

echo $query;

and take the output on the browser, copy and paste into PHPMyAdmin and execute it from there. It should tell you what is wrong with the query.

I suggest you to use prepared statement as using string concatenation in SQL Statement is prone to SQL injection attack. Refer the example PHP mysqli prepare

Answer 2

First off, PHP is deprecating mysql_ functions, you should migrate to PDO instead.

Also, make sure since you're using the older mysql_ functions to sanitize your entries using mysql_real_escape_string

Also, your entries need to be quoted. Here's a redo of your query string:

$query = "INSERT INTO users (email, password) VALUES ('{$registerEmail}', '{$registerPassword}')";