Member Avatar for scottymex

I keep getting this error from a working script since using Mysql 5.1 This data from the formshould go to the database with table called users and also sendconfirmation email with the details on using regmail. This works on other site but have to use 5.1 for this site and error is doing my head in
THE ERROR MESSAGE

Error: 1064:- You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES ('', '', '', '', '', '8am-10am ', '', '', '', '', '', ''

THE SIDE SCRIPT

<?php
	ob_start();
	session_start();
// 	include section	
	define('DIR', '.');
	include(DIR."/includes/phpclass.inc.php");		
	include(DIR."/includes/functions.php");	
	$db = new PHP_fun();	// object for php class

	extract($_REQUEST);
	$s_chk = "select * from users where username = '".$username."' ";
	$r_chk = $db->select_row($s_chk);
	if (count($r_chk) == 0)
	{
		$s_ins = "INSERT INTO `users` (`firstname` ,  `familyname` ,  `email` ,  `address` ,  `phone` ,  `besttime` ,  `resortname` ,  `joindate` ,  `whatyouown` ,  `timeofuse` , `price` , `tradein` , `deposit` , `balance` , `method` , `cancel` , `whathappened` , `creditcard` , `whattheysaid` , `username` ,  `passwd` ,  `passwdhint` , `answer`) VALUES ('".$name."', '".$email."', '".$address."', '".$telephone."', '".$bestcontacttime."', '".$wherejoin."', '".$joindate."', '".$membershiplength."', '".$iac_number."', '".$username."', '".$passwd."', '".$passwdhint."', '".$answer."', NOW())";
		$r_ins = $db->insert_row($s_ins);
		if ($r_ins > 0)
		{
			ob_start();
				include("regmail.php");
			$message = 	ob_get_contents();
			ob_end_clean();
			$to = "register@mysite.com";
			$headers  = 'MIME-Version: 1.0' . "\r\n";
			$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
			$headers .= 'From: '.$name.' <'.trim($_REQUEST['email']).'>' . "\r\n";
			$subject = "New TRP Registration" ;
			$sent = mail($to, $subject, $message, $headers);
			if ($sent)
			{ print ""; }
		}
		?>
		<script language="javascript">
			alert("TRP web user Registration Successfully please wait for member services to confirm and activate your account.");
			window.location = 'thankyou.htm';
		</script>
	<?
	}
	else
	{ ?>
		<script language="javascript">
			alert("A member with TRP already has that username");
			window.location = 'register.htm';
		</script>
	<?
	}
?>
Edited by deceptikon because: added code tags
  • 3 Contributors
  • 5 Replies
  • 138 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for Zagga

Hi scottymex,

You are trying to insert data into 23 fields but you are only supplying 14 values.

Member Avatar for scottymex

Hi scottymex,

You are trying to insert data into 23 fields but you are only supplying 14 values.

here is the correct code with the correct values however I get the same error message.

<?php
    ob_start();
    session_start();
//  include section 
    define('DIR', '.');
    include(DIR."/includes/phpclass.inc.php");      
    include(DIR."/includes/functions.php"); 
    $db = new PHP_fun();    // object for php class

    extract($_REQUEST);
    $s_chk = "select * from users where username = '".$username."' ";
    $r_chk = $db->select_row($s_chk);
    if (count($r_chk) == 0)
    {
        $s_ins = "INSERT INTO `users` (`firstname` ,  `familyname` ,  `email` ,  `address` ,  `phone` ,  `besttime` ,  `resortname` ,  `joindate` ,  `whatyouown` ,  `timeofuse` ,  `price` ,  `tradein` ,  `deposit` ,  `balance` ,  `method` ,  `cancel` ,  `whathappened` ,  `creditcard` ,  `whattheysaid` ,  `username` ,  `passwd` ,  `cpasswd` ,  `passwdhint` ,  `answer` VALUES ('$_POST[firstname]','$_POST[familyname]','$_POST[email]','$_POST[address]','$_POST[phone]','$_POST[besttime]','$_POST[resortname]','$_POST[joindate]','$_POST[whatyouown]','$_POST[timeofuse]','$_POST[price]','$_POST[deposit]','$_POST[tradein]','$_POST[balance]','$_POST[method]','$_POST[cancel]','$_POST[whathappened]','$_POST[creditcard]','$_POST[whattheysaid]','$_POST[username]','$_POST[passwd]','$_POST[cpasswd]','$_POST[passwdhint]','$_POST[answer]')";
        $r_ins = $db->insert_row($s_ins);                
        $r_ins = $db->insert_row($s_ins);

        if ($r_ins > 0)
        {
            ob_start();
                include("regmail.php");
            $message =  ob_get_contents();
            ob_end_clean();
            $to = "register@djscottyis@yahoo.com";
            $headers  = 'MIME-Version: 1.0' . "\r\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            $headers .= 'From: '.$name.' <'.trim($_REQUEST['email']).'>' . "\r\n";
            $subject = "New TRP Registration" ;
            $sent = mail($to, $subject, $message, $headers);
            if ($sent)
            { print ""; }
        }
        ?>
        <script language="javascript">
            alert("TRP web user Registration Successfully please wait for member services to confirm and activate your account.");
            window.location = 'thankyou.htm';
        </script>
    <?
    }
    else
    { ?>
        <script language="javascript">
            alert("A registered client with TRP already has that username");
            window.location = 'register.htm';
        </script>
    <?
    }
?>
Edited by TrustyTony because: fixed formating
Member Avatar for diafol

1) use code tags
2) don't use extract on request - bad things can happen - existing variables can be overwritten - malicious code can be inserted e.g. ...?userlevel=3 (could give an user something like admin rights).
3) you've used extract, but continue to use post vars
4) as previously mentioned - your fields-values are not balanced
5) the s_ins sql statement isn't closed
6) js alert? why not just echo a message? alerts look rubbish and depend on js

I'm sure there are a few other things I missed

Member Avatar for scottymex
  1. use code tags
  2. don't use extract on request - bad things can happen - existing variables can be overwritten - malicious code can be inserted e.g. ...?userlevel=3 (could give an user something like admin rights).
  3. you've used extract, but continue to use post vars
  4. as previously mentioned - your fields-values are not balanced
  5. the s_ins sql statement isn't closed
  6. js alert? why not just echo a message? alerts look rubbish and depend on js

I'm sure there are a few other things I missed

So ive removed the post but it still doesnt work. I am new to php but making head way for this charity site. Thanks for yor help.
Here is the amend code.

<?php
$con = mysql_connect("site","site","site");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("site", $con);
    $s_ins = "INSERT INTO `users` (`firstname` ,  `familyname` ,  `email` ,  `address` ,  `phone` ,  `besttime` ,  `resortname` ,  `joindate` ,  `whatyouown` ,  `timeofuse` ,  `price` ,  `tradein` ,  `deposit` ,  `balance` ,  `method` ,  `cancel` ,  `whathappened` ,  `creditcard` ,  `whattheysaid` ,  `username` ,  `passwd` ,  `cpasswd` ,  `passwdhint` ,  `answer` 
    VALUES
     ('$_POST[firstname]','$_POST[familyname]','$_POST[email]','$_POST[address]','$_POST[phone]','$_POST[besttime]','$_POST[resortname]','$_POST[joindate]','$_POST[whatyouown]','$_POST[timeofuse]','$_POST[price]','$_POST[deposit]','$_POST[tradein]','$_POST[balance]','$_POST[method]','$_POST[cancel]','$_POST[whathappened]','$_POST[creditcard]','$_POST[whattheysaid]','$_POST[username]','$_POST[passwd]','$_POST[cpasswd]','$_POST[passwdhint]','$_POST[answer]')"

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank you for your Request you will be contacted with your Quote very soon.";

mysql_close($con)
?>
Edited by TrustyTony because: fixed formating
Member Avatar for diafol

1) You STILL haven't used [ CODE ] tags in the editor
2) You're using unescaped $_POST vars directly in the SQL - SQL injection risk - clean with mysql_real_escape_string()
3) Fields and values STILL unbalanced
4) SQL STILL not ended properly

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.