INSERT INTO members cannot be executed

Question

This is the problematic part of code:

$query = mysql_query("INSERT INTO members 
(user, pass, mail, country, city, www, credo)
VALUES  ('$_POST[user]','$_POST[pass]', '$_POST[mail]',
'$_POST[country]', '$_POST[city]', '$_POST[www]', '$_POST[credo]')")
or die ("Error - Couldn't register user.");

I got the die error.
How could I find more specific part which cannot be executed ?
I tried to eliminate fields one by one - without result.

`or die ("Error - Couldn't register user. " . mysql_error());` — nickb, Jul 24 '12 at 19:33
Try outputting your SQL query, and running it directly in the database. That will show you what isn't working. You should also look at moving away from `mysql_*` functions, as they're being deprecated. — andrewsi, Jul 24 '12 at 19:33
Also, this code is probably vulnerable to SQL injection. Interpolating variables from `$_POST` directly into a query is dangerous. — , Jul 24 '12 at 19:34
Also, you need `'{$_POST['something']}'` instead of `'$_POST[something]'`. — Majid Fouladpour, Jul 24 '12 at 19:37
Injecting arbitrary data into your SQL is **not** cool. [Escape your SQL properly](http://bobby-tables.com/php.html) You shouldn't be doing anything this reckless under any circumstances. — tadman, Jul 24 '12 at 19:39
@andrewsi, could you provide source of `mysql_*` functions being deprecated? Thanks. — Majid Fouladpour, Jul 24 '12 at 19:48
@MajidFouladpour - it's on the manual page: http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated mysql functions are no longer being maintained, and may be removed from future versions of PHP. — andrewsi, Jul 24 '12 at 19:53

Zuul · Accepted Answer · 2012-07-24T20:03:09.417

This should present you the reason behind your failed query, and at the very least prevent some security concerns:

Small Improvement

// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
    $dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}

// try to perform the INSERT query or die with the returned mysql error
$query = mysql_query("
  INSERT INTO members 
  (user, pass, mail, country, city, www, credo)
  VALUES (
    '".$dataArr["user"]."',
    '".$dataArr["pass"]."',
    '".$dataArr["mail"]."',
    '".$dataArr["country"]."',
    '".$dataArr["city"]."',
    '".$dataArr["www"]."',
    '".$dataArr["credo"]."'
  )
") or die ("Error:<br/>".mysql_error());

Medium Improvement

// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
    $dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}

// escape everything
$query = sprintf("
    INSERT INTO members 
    (user, pass, mail, country, city, www, credo) 
    value ('%s', '%s', '%s', '%s', '%s', '%s', '%s')",
    mysql_real_escape_string($dataArr["user"]), 
    mysql_real_escape_string($dataArr["pass"]), 
    mysql_real_escape_string($dataArr["mail"]), 
    mysql_real_escape_string($dataArr["country"]), 
    mysql_real_escape_string($dataArr["city"]), 
    mysql_real_escape_string($dataArr["www"]), 
    mysql_real_escape_string($dataArr["credo"])
);

// try to perform the INSERT query or die with the returned mysql error
$result = mysql_query($query) or die ("Error:<br/>".mysql_error());

Advanced Improvement

If you're starting a new project, or at a point where you can still change your ways, I vividly recommend the use of PHP PDO to prevent many security issues related the current database connection you're using.

Anze Jarni · Answer 2 · 2012-07-24T19:37:22.833

0

INSERT INTO members 
(user, pass, mail, country, city, www, credo)
VALUES  
('".$_POST['user']."','".$_POST['pass']."', '".$_POST['mail']."',
'".$_POST['country']."', '".$_POST['city']."', '".$_POST['www']."', '".$_POST['credo']."')")

Just a short warning. Inserting POST values directly into the database can cause security breaches. Be sure to validate and filter all user input before inserting them in the database.

edited Jul 24 '12 at 19:37

answered Jul 24 '12 at 19:35

Anze Jarni

1,141
7
7

This will work on older versions of PHP, when {$_POST['something']} will work on newer. – Anze Jarni Jul 24 '12 at 19:48

score 0 · Answer 3 · answered Sep 28 '16 at 05:35

Your Sql query is wrong. Here

VALUES  ('$_POST[user]')

You have to use instead

 $_POST['user']

And you are inserting the values in the database directly..!!! It's totally a bad sense. Make it some escape

$user = mysql_real_escape_string(trim($_POST['user']));
$pass = mysql_real_escape_string(trim($_POST['pass']));
$mail = mysql_real_escape_string(trim($_POST['mail']));
$country = mysql_real_escape_string(trim($_POST['country']));
$city = mysql_real_escape_string(trim($_POST['city']));
$www = mysql_real_escape_string(trim($_POST['www']));
$credo = mysql_real_escape_string(trim($_POST['credo']));

Then insert it in the database,

$query = mysql_query("INSERT INTO members 
        (user, pass, mail, country, city, www, credo)
        VALUES  ($user,$pass, $mail,$country, $city, $www, $credo)")
        or die ("Error - Couldn't register user.");

The code is now secured and can insert in the database and is a clean code..

INSERT INTO members cannot be executed

3 Answers3