$sql = "INSERT INTO $table_name VALUES
('$_POST[firstname]', '$_POST[lastname]', '$_POST[username]', password('$_POST[password]'), 'Users', '', '', '$pchange',
'$_POST[email]', '$default_url', '$verify', '', 0, '', 0)";
$result = @mysql_query($sql,$connection) or die(mysql_error());
$sql, $connection and $table_name are all valid and are used previously in the script and the database, this is how my database looks like:
firstname varchar(20) latin1_swedish_ci Yes NULL Change Drop More
lastname varchar(20) latin1_swedish_ci Yes NULL Change Drop More
username varchar(20) latin1_swedish_ci Yes NULL Change Drop More
password varchar(50) latin1_swedish_ci Yes NULL Change Drop More
group1 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
group2 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
group3 varchar(20) latin1_swedish_ci Yes NULL Change Drop More
pchange varchar(1) latin1_swedish_ci Yes NULL Change Drop More
email varchar(100)latin1_swedish_ci Yes NULL Change Drop More
redirect varchar(100)latin1_swedish_ci Yes NULL Change Drop More
verified varchar(1) latin1_swedish_ci Yes NULL Change Drop More
last_login date Yes NULL Change Drop More
balance double UNSIGNED Yes 0 Change Drop More
address varchar(60) latin1_swedish_ci Yes NULL Change Drop More
lostbalance double Yes 0 Change Drop More
Thanks in advance.
No error because of @:
@mysql_query($sql,$connection) or die(mysql_error());
The @ suppresses the errors from the mysql_query() function.
I see multiple errors in your statements:
'$_POST[firstname]'
- is suppossed to be $_POST['firstname']
. Store the value in a variable or use concatenation: "'.$_POST['firstname'].'"
Use mysql_query($sql) or die(mysql_error());
Escape all the data you are storing in the db.
First of all, it is not good security practice to leave any user input unfiltered, because soon you will be victim of SQL injection and/or XSS attacks. You should filter your user input this way:
$var = filter_var($_POST['var']), FILTER_SANITIZE_STRING);
Then you should use this $var
in your SQL query, instead of directly using the $_POST['var'].
ie:
$sql = "INSERT INTO $table_name VALUES
('$firstname', '$lastname', '$username', password('$password'), 'Users', '', '', '$pchange',
'$email', '$default_url', '$verify', '', 0, '', 0)";
您必须在“ VALUES”前面命名表列
INSERT INTO $table_name (field_1, field2, ...) VALUES ($_POST_1, ...)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.