
So I'm doing some self-learning on creating online forms with PHP.

On my first page I have the following:

<!doctype html>
<html>
<head>
<title> Hi </title>
</head>
<body>
<form method="POST" action="Page2.php">
Username: <input type="text" name="username" >
Password: <input type="text" name="password" >
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

On my 2nd page (Page2.php):

<?php

if ($_POST["submit"] == "submit") {
    $username = $_POST["username"];
    $password = $_POST["password"];

    $db = mysql_connect("localhost", "root", "root");
    if (!$db) die("Error connecting to MySQL database.");
    mysql_select_db("testdatabase", $db);

    $sql = "INSERT INTO testdatabase_table ('username', 'password') VALUES (" . PrepSQL($username) . "," . PrepSQL($password) . ")";

    $query = mysql_query($sql);
    echo $query;
    if (!$query) {
        echo "Failed" . mysql_error();
    }

    exit();
}

function PrepSQL($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Quote
    $value = "'" . mysql_real_escape_string($value) . "'";

    return($value);
}
?>

Here's the error I'm getting: FailedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''username', 'password') VALUES (' ', ' ')' at line 1

Any quick suggestions will be greatly appreciated. Thank you.

john doe
    btw: The [mysql extension is deprecated](http://www.php.net/manual/en/function.mysql-query.php). Consider switching to [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO](http://www.php.net/manual/en/ref.pdo-mysql.php) and using prepared statements. – TimWolla Jun 22 '13 at 23:52
  • 2
    possible duplicate of [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) – mario Jun 22 '13 at 23:57

3 Answers

Use backticks to escape column and table names, not quotes

INSERT INTO testdatabase_table (`username`, `password`) VALUES ...
juergen d
  • Hey, yeah, I tried this and I changed everything to mysqli instead of mysql; now the mysql_error(); isn't showing? – john doe Jun 23 '13 at 01:20

Omit the single quotes in the column list:

INSERT INTO testdatabase_table (username, password) VALUES ...
TimWolla

This will work with your code.

$userSafe = PrepSQL($username);   // PrepSQL already wraps the value in single quotes
$passSafe = PrepSQL($password);
$sql = "INSERT INTO testdatabase_table (`username`, `password`) VALUES ($userSafe, $passSafe)";

But you should use some type of crypt/hash; I also tested this.

// $dbc is an open mysqli connection
$username = mysqli_real_escape_string($dbc, filter_var($_POST['username'], FILTER_SANITIZE_STRING));
$password = mysqli_real_escape_string($dbc, filter_var($_POST['password'], FILTER_SANITIZE_STRING));
$passhash = hash('sha512', $password);

// Column names in backticks (identifiers), the stored value is the hash, not the password
$sql = "INSERT INTO testdatabase_table (`username`, `password`) VALUES ('$username', '$passhash')";
Dillon Burnett
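Putting the three answers and TimWolla's comment together, here is the same registration step written with PDO prepared statements and password_hash(). This is an added example, not code from the question or from any of the answers. It assumes a MySQL database `testdatabase` with a table `testdatabase_table` whose `password` column is at least VARCHAR(255), and the DSN, user name `app_user` and password `app_password` below are placeholders.

```php
<?php
// Added example (not from the question or any answer): the original INSERT
// redone with PDO prepared statements and password_hash().
// Assumptions: MySQL database `testdatabase`, table `testdatabase_table`
// with columns `username` and `password` (VARCHAR(255) so a hash fits),
// and the placeholder credentials used in connectDb().
declare(strict_types=1);

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=testdatabase;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Identifiers (table and column names) are quoted with backticks, never
    // with single quotes, which MySQL reads as string literals. The values are
    // bound to placeholders, so no escaping function is needed and quotes or
    // SQL keywords in the input cannot change the statement.
    $sql = 'INSERT INTO `testdatabase_table` (`username`, `password`) VALUES (:username, :password)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':username' => $username,
        // Store a salted, slow hash rather than the password or a bare SHA-512.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `password` FROM `testdatabase_table` WHERE `username` = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    // password_verify() recomputes the hash with the salt and cost stored in the row.
    return $row !== false && password_verify($password, $row['password']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $pdo = connectDb();
    registerUser($pdo, (string) $_POST['username'], (string) $_POST['password']);
    echo 'User stored.';
}
```

With ERRMODE_EXCEPTION a bad statement raises a PDOException carrying the server's message, which replaces the `if (!$query) echo mysql_error()` pattern from the question; the same backtick-quoted column list works unchanged with mysqli prepared statements.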