PHP and mysql not INSERTing

<html>
<head>
<title> Register </title>
</head>
<body>

Thanks for showing interest, please register below.
<br>


<br/>
<form action="register.php" method="POST">
Username: <input type="text" name="username">
<br>

</br>
Password: <input type="password" name="password">
<br>

</br>
Age:      <input type="text" nam开发者_如何转开发e="age">
<br>

</br>
Car:      <input type="text" name="car">
<br>


<input type="submit" value="register"/>
<input type="reset" value="Reset fields"/>
</form>

<?php

    //db connect
    $host="localhost"; 
    $dbuser="site1login";
    $dbpass="site1login";
    $dbname="login";
    $tblname="userdata";

    //form post
    $Username=$_POST['username'];
    $Password=$_POST['password'];
    $Age=$_POST['age'];
    $Car=$_POST['car'];
    $con = mysql_connect("$host","$dbuser","$dbpass") or die (mysql_error());

    mysql_select_db($dbname, $con);

    $result = mysql_query("INSERT INTO `userdata` (Username,Password,Age,Car) VALUES ($Username, $Password, $Age, $Car)" or die(mysql_error()));
    echo "Success!";

?>

</body>

</html>

So, that's my code - I'm confused - it doesn't work - it says "success", but not inserted e anything

---

Change the following portion -

$result = mysql_query("INSERT INTO `userdata` (Username,Password,Age,Car) VALUES 
             ($Username, $Password, $Age, $Car)" or die(mysql_error()));
echo "Success!";

into this -

$result = mysql_query("INSERT INTO userdata (Username,Password,Age,Car) VALUES 
          ('$Username', '$Password', '$Age', '$Car')");

if($result)
{
    echo "Success!";
}
else
{
    die(mysql_error());    // Thanks to Pekka for pointing this out.
}

If the above doesn't work, try checking if your connection parameters are ok and if MySQL is running.

Also you should test the $resut value to check whether any successful query execution has occured -

if($result)
{
    // Successful query execution
}
else
{
    // Some error occured while executing query.
    // Show some useful information using echo/print.
    // Then stop execution after taking other necessary steps
}

Edit

As Pekka has mentioned, your database is vulnerable to SQL Injection attack since you are not sanitizing your input. You should use at least mysql_real_escape_string method to ensure that this doesn't occur.

---

As others have noted before me, you are missing quotes around the field values. Also, this construction is severely flawed:

$result = mysql_query("INSERT INTO `userdata` (Username,Password,Age,Car) 
          VALUES ($Username, $Password, $Age, $Car)" or die(mysql_error()));

the or die is inside the query parameter. Not sure how that can work at all.

Remove the or die part and do error handling like so:

$result = mysql_query("INSERT INTO `userdata` (Username,Password,Age,Car) 
          VALUES ('$Username', '$Password', '$Age', '$Car')");

if (!$result) 
 die("SQL Error: ".mysql_error());

echo "Success";

Also

• Your script is vulnerable to SQL injection

• Your script will always be executed, regardless whether the form was submitted or not - you want to change that to prevent getting empty records

---

I suppose, that Username, Password and Car are strings so it should be:

$result = mysql_query("INSERT INTO `userdata` (Username,Password,Age,Car) VALUES ('$Username', '$Password', $Age, '$Car')") or die(mysql_error();

Good advice - try using PDO ;)

---

You need to surround your variables with '' so the SQL will be correct.

---

In your VALUES statement, you need to wrap the $Username in a single quote.

VALUES ('$Username', '$Password', $Age, '$Car')"

Also, I would remove the or die statement from your call. Then, I would test the $result in a if statement.

if ($result)