[TheEmpty]

most likely you need to escape a ' in your posted data. Use mysql_real_escape_stringuntil you decide to use PDO (like we, and PHP, advised).

[Quinn]

The main problem I see is your lack of

[code][/code]

tags.

[renewaltopics]

TheEmpty, on 14 July 2012 - 07:12 PM, said:

most likely you need to escape a ' in your posted data. Use mysql_real_escape_stringuntil you decide to use PDO (like we, and PHP, advised).

May I ask what that real escape function does? and how to use it?

[Quinn]

renewaltopics, on 14 July 2012 - 07:25 PM, said:

May I ask what that real escape function does? and how to use it?

Right now, you're letting the user add whatever they want to the database. That's a giant no-no. What

mysql_real_escape_string()

does is it purifies, or cleans (escapes) the strings that you're giving to the database so that your SQL queries can't easily be attacked. There are a number of other checks that you should do (but don't necessarily need to do) that would also help, but until you start using something like PDO (Kyek has a nice tutorial here) you're going to need to escape, or clean the strings yourself before inserting them into the database.

Edit: Also, since you are using mysql_, try adding

or die(mysql_error());

at the end of the

mysql_query()

line.

[Renegade]

I'm not sure you can access the contents of an array in PHP directly from a string. Trying setting them in their own variables and then insert them or concating them using the dot operator.

Example:

$name = $_POST['name'];

echo "My name is $name"; //Notice the double quotes

//or
echo 'My name is ' . $_POST['name'];

[Kyek]

I don't really respond to PMs for questions that could be asked publicly on the forum, but I will respond to your thread because I had the tab open ;-)

The way you're formatting your SQL string is really really bad. Not only would it be super easy for someone to attack that via SQL injection and dump all your data (see this post), the PHP involved in building that string is shaky. While you could add {} symbols to make sure those values resolve correctly, it's much more reliable to concatenate instead.

With that said, though, please please check out PDO and the concept of prepared queries via the link above. It takes maybe 10 minutes and will make your code more secure forever.

Once you fix that, though, if you're still having issues, just look at the error message . If you're using PDO, just var_dump the output of this function: http://www.php.net/m....errorinfo.php. If you're not using PDO (which is bad -- again, take the 10 minutes for PDO) then this function will do it: http://www.php.net/m...mysql-error.php

Note, in that last link, the large red warning that you should be using PDO, directly from the guys who wrote PHP. Just in case my suggestion wasn't clear enough ;-).

[callumacrae]

First thing I saw:

mysql_select_db("users, $con")

0_o you sure?

[Ruku]

Renegade, on 14 July 2012 - 08:18 PM, said:

I'm not sure you can access the contents of an array in PHP directly from a string. Trying setting them in their own variables and then insert them or concating them using the dot operator.

You can; you just have to wrap them in curly braces to help the interpreter:

echo "my name is {$_POST['name']}";

[Kyek]

callumacrae, on 14 July 2012 - 11:45 PM, said:

First thing I saw:

mysql_select_db("users, $con")

0_o you sure?

Oh my, I totally missed that xD. That's why code tags and syntax highlighting are important!

[callumacrae]

Hey, I saw it without ;-)