Can anyone improve this code so it is secure and uses prepared statements?
```php
<?php
// Values such as $data['fname'], $dob, $email, ... are interpolated straight
// into the SQL text, so any quote or SQL fragment in them becomes part of the query.
$sql = "INSERT INTO users
        (level, fname, mname, lname, dob, age, reg_date, phone, email, login, pwd, type, `group`, region, school, class, ip, subject, ban, university, profession, activation_code)
        VALUES
        ('1', '$data[fname]', '$data[mname]', '$data[lname]', '$dob', '$age', now(), '$data[phone]', '$email', '$login', '$pwd', '$type', '$group', '$region', '$school', '$class', '$ip', '$subject', NULL, '$university', '$profession', '$activ_code')";

// printf() prints the message and returns a character count, which die() then uses as the exit status.
$result = $db->query($sql) or die(printf("Error: %s\n", $db->error));

$id = $db->insert_id;
$md5_id = md5($id);
// Same problem here: $md5_id and $id are interpolated into the query string.
$db->query("update users set md5_id='$md5_id' where id='$id'");
// echo "<h3>Thank You</h3> We received your submission.";
?>
```
If we assume that all the direct variables are filled with user-generated content, your code is wide open to SQL injection. Instead, use a prepared statement and bind_param() to automatically set the correct security settings / escaping:
```php
// PDO prepared statement with named placeholders
$stmt = $dbh->prepare(
    "INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// Execute through the PDOStatement itself; the mysqli_stmt_execute() call in the
// original snippet belongs to the mysqli extension and does not accept a PDOStatement.
$stmt->execute();
```
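The question's own INSERT rewritten as a mysqli prepared statement, as an added example that is not part of either answer. It assumes `$db` is a `mysqli` connection (as in the question) and that the user data arrives as one associative array `$u` with the same keys the question uses; the follow-up `md5_id` update is parameterized the same way.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes $db is a mysqli connection and $u holds the submitted user fields.
function insertUser(mysqli $db, array $u): int
{
    // Fail loudly on prepare/execute errors instead of `... or die(...)`.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    // Every user-supplied value is a `?` placeholder; fixed values (level, reg_date, ban)
    // stay in the SQL text because they never come from the request.
    $sql = "INSERT INTO users
            (level, fname, mname, lname, dob, age, reg_date, phone, email, login, pwd,
             type, `group`, region, school, class, ip, subject, ban, university,
             profession, activation_code)
            VALUES
            (1, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?)";

    $stmt = $db->prepare($sql);
    // One type character per placeholder (19 here): 's' string, 'i' integer.
    // The values travel separately from the SQL text, so a quote or SQL fragment
    // inside $u['fname'] etc. is stored as data and cannot change the statement.
    $stmt->bind_param(
        'ssssissssssssssssss',
        $u['fname'], $u['mname'], $u['lname'], $u['dob'], $u['age'],
        $u['phone'], $u['email'], $u['login'], $u['pwd'], $u['type'],
        $u['group'], $u['region'], $u['school'], $u['class'], $u['ip'],
        $u['subject'], $u['university'], $u['profession'], $u['activation_code']
    );
    $stmt->execute();

    $id = $db->insert_id;
    $md5Id = md5((string) $id);

    // The second query from the question, also parameterized.
    $upd = $db->prepare("UPDATE users SET md5_id = ? WHERE id = ?");
    $upd->bind_param('si', $md5Id, $id);
    $upd->execute();

    return $id;
}
```

The same pattern applies to every other query in the registration flow: keep the SQL text constant and pass each request-derived value through a placeholder.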
How are the columns defined? MySQL only uses single quotes for strings; try taking them out of the non-string fields (level, dob, age).