Hey guys I know that this is probably just a simple sql statement but I can not figure out the problem. It adds the user to the database but it will not add the firstname of the user. If I switch the sql statement around for example have username and email before first name it then does not insert the password switches name and email. Does anyone know how to fix this problem and have all of the information inserted into the proper tables in the database.
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$database = "Account_Holder";
$er = mysql_select_db($db_username);
if (!$er)
{
print ("Error - Could not select the database");
exit;
}
// table name
$tbl_name=Account_Holder;
// Random confirmation code
//$confirm_code=md5(uniqid(rand()));
// values sent from form
$firstName=$_POST['firstName'];
$email=$_POST['email'];
$password=$_POST['password'];
$username=$_POST['username'];
// Insert data into database
$sql="INSERT INTO $tbl_name(firstname, username, email, password)VALUES('$firstname', '$username', '$email', '$password')";
$result=mysql_query($sql);
echo "You have been added to the database! You may now log on using your username."
?>
<a href ="login.html"> Login Page </a>
</body>
</html>
Looking at your code, nothing seems wrong, except major security flaws. Perhaps you wrote some value from the $_POST array wrong. Do a print_r on the array to see the exact names.
First of all, your code is extremely vulnerable to SQL injection, you should use mysql_real_escape_string on every of your user input. You can never trust any user input.
You should make your SQL look like:
$sql = "INSERT INTO $tbl_name (firstname, username, email, password) VALUES ('".mysql_real_escape_string($firstname)."', '".mysql_real_escape_string($username)."', '".mysql_real_escape_string($email)."', '".mysql_real_escape_string($password)."')";
I am unsure whether the ommited spaces will have any effect on the query, but its good to have to make it easier to read. If you're unsure about whats wrong, you should always use mysql_error to show the error, like this:
$result=mysql_query($sql) or die(mysql_error());
Third and last thing. You should never store passwords as plaintext in the database. For the love of god, please hash it or something :-)
I think this is your problem. Your first name variable has a capitol 'N' for name. Change your code to either of these and it should work fine.
$sql="INSERT INTO $tbl_name(firstname, username, email, password)VALUES('$firstName', '$username', '$email', '$password')";
or
$firstname=$_POST['firstName'];
Also, I would also suggest using PDO over regular MySQL. But that's just me...
My guess is you mean $_POST['firstname'] rather than $_POST['firstName'].
By the way, you really need to sanitize user input before putting it into a database the way you are here. This code would be trivial to write a SQL injection exploit against. For a start, run the user-supplied values through mysql_real_escape_string(). As it stands now, your code will blow not work if the user input contains an apostrophe/single quote.
If you think the problem is that the query is generating an error, use mysql_error() right after mysql_query() to see if there was an error. It will return an empty string if there was no error. Otherwise, it will return the error.
Also, I would strongly recommend storing the password using a hashing function in MySQL (using PASSWORD()) if at all possible.