What is wrong with this MySQL insert statement?

The form is ok and it captures all of the information correctly, however, the errors started when I used a function to generate a random string that is used for user activation.

function generateActivationString() {
    $randomSalt = '*&(*(JHjhkjnkjn9898';
    $uniqId = uniqid(mt_rand(), true);
    return md5($randomSalt.$uniqId);
}

if (!get_magic_quotes_gpc()) {
    // $_POST['pass'] = addslashes($_POST['pass']);
    $username = addslashes($_POST['username']);
    $firstname = addslashes($_POST['firstname']);
    $surname = addslashes($_POST['surname']);
    // $_POST['email'] = addslashes($_POST['email']);
    $email = mysql_real_escape_string(addslashes($_POST['email']));
    $pass = mysql_real_escape_string(sha1($_POST['pass']));
    $activationString = generateActivationString();
}

$insert = "INSERT INTO users (username, password, firstname, surname, email, activation_string) 
VALUES ('".strtolower($username)."', '".$pass."', '".strtolower($firstname)."', '".strtolower($surname)."', '".strtolower($email)."', '".$activationString."')";

Here is the echoed insert statement:

INSERT INTO users (username, password, firstname, surname, email, activation_string) VALUES ('', '', '', '', '', '')

I know it has created a new entry as the auto_increment id row is populated; however, all of the other fields remain empty.

Here is the code from the generateActivationString() so I know that's working too! - 264361eeb6e75d3934ce249a0d05f2c1

Any suggestions are more than welcome and greatly appreciated!

asked Aug 27 '11 at 13:08

There is no error, but when I echo out the sql statement all of the fields within the VALUES are blank. Here is the echoed statement: INSERT INTO users (username, password, firstname, surname, email, activation_string) VALUES ('', '', '', '', '', '') I know it has Thank you. You have successfully registered. here is the code from the generateActivationString() so I know that's working! - 264361eeb6e75d3934ce249a0d05f2c1 -

Try to give the output of echo $insert. That will show you the actual query (edit it into your question) -

Probably the if (!get_magic_quotes_gpc()) { returns false and all the variables are not set. Try var_dump(!get_magic_quotes_gpc()) before the if statement to see what the value is. -

Use prepared statements: stackoverflow.com/questions/60174/… -

Maybe get_magic_quotes_gpc() is true and variables aren't getting set? BTW, it's a really bad idea to depend on magic quotes. It's a deprecated feature; the right thing to do is to check for them and undo any changes it does. -

3 Answers

Going strictly by the code above, your variables like $username,$password etc are in the scope of your if block, move them outside of the if.

Answered Aug 27 '11 at 17:08

Thank you, I deleted the if block as @mithunsatheesh said and it worked fine with a few other errors that I sorted. - Michael

I don't see you send that query anywhere, maybe that's your problem...

Answered Aug 27 '11 at 17:08

I left that out as I thought that that was a given, the query was executing fine, just the magic_quotes was stopping the activation code from being inserted. - Michael

Oh dear. The biggest problem with your statement is that you are not using prepared statements and are taking info directly from the POST parameters. This is a recipe for disaster and how most sites get hacked.

Answered Aug 27 '11 at 18:08

care to explain disaster scenario? - Your Common Sense

Can you explain how I go about checking/validating the user input? - Michael
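
What the prepared-statement advice and the validation question above look like for this registration insert, as an added example that is not part of the original thread. It assumes PDO, swaps in an in-memory SQLite database so it runs offline, and uses password_hash() and random_bytes() in place of the question's sha1() and md5(uniqid()); the function names validateRegistration and registerUser and the sample input are illustrative.

```php
<?php
// Added example, not the asker's code. In-memory SQLite stands in for MySQL so it
// runs offline; with MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE,
    password TEXT, firstname TEXT, surname TEXT, email TEXT, activation_string TEXT)');

// Validate first: reject bad input instead of trying to escape it into shape.
function validateRegistration(array $in): array {
    $errors = [];
    foreach (['username', 'firstname', 'surname', 'email', 'pass'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || trim($in[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    if (!$errors && !preg_match('/^[A-Za-z0-9_]{3,30}$/', $in['username'])) {
        $errors[] = 'username must be 3-30 letters, digits or underscores';
    }
    if (!$errors && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

function registerUser(PDO $pdo, array $in): string {
    if ($errors = validateRegistration($in)) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    // Every value is assigned unconditionally, not inside a magic-quotes check.
    $activation = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare('INSERT INTO users
        (username, password, firstname, surname, email, activation_string)
        VALUES (:username, :password, :firstname, :surname, :email, :activation)');
    $stmt->execute([
        ':username'   => strtolower($in['username']),
        ':password'   => password_hash($in['pass'], PASSWORD_DEFAULT),
        ':firstname'  => strtolower(trim($in['firstname'])),
        ':surname'    => strtolower(trim($in['surname'])),
        ':email'      => strtolower($in['email']),
        ':activation' => $activation,
    ]);
    return $activation;
}

// Constructed input standing in for $_POST; the surname contains a quote.
$post = ['username' => 'Michael_1', 'firstname' => 'Michael', 'surname' => "O'Brien",
         'email' => 'michael@example.com', 'pass' => 'constructed-sample-pass'];
registerUser($pdo, $post);
print_r($pdo->query('SELECT username, surname, email FROM users')->fetch(PDO::FETCH_ASSOC));
```

Because the values are bound as parameters, the quote in the surname is stored as data and needs no addslashes() or mysql_real_escape_string() call.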
