Posting form not working for mysql

So I understand enough of php to get that this should post. I have a register page that is basically identical to this one, but for some reason I keep getting this error and I don’t know what is wrong with it, since I use the same information to register accounts into my database.

" Fatal error : Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘key,length,lifetime)VALUE(‘asdasdasd’,‘1’,‘0’)’ at line 1 in FILELOCATION Stack trace: #0 FILELOCATION(43): mysqli_query(Object(mysqli), ‘INSERT INTO lic…’) #1 {main} thrown in FILELOCATION on line 43"

<?php

require_once "header.php";
if(!isset($_SESSION["id"])){
header("Location:login.php");
}else{
$id = $_SESSION["id"];
$query = mysqli_query($connect,"SELECT * FROM users WHERE id=$id AND level > '0' AND blacklisted < '1'");
if(mysqli_num_rows($query) == 0){
header("Location:logout.php");
}else if(mysqli_num_rows($query) > 0){
$row = mysqli_fetch_assoc($query);
$username = $row["username"];
$email= $row["email"];
$lastip= $row["lastip"];
$level= $row["level"];
$created= $row["createdon"];
}
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
/* START OF LICENSE SHIT */
if(isset($_POST["submit"]) && $_SERVER["REQUEST_METHOD"] == "POST"){
  $key = $_POST["key"];
  $length = $_POST["length"];
  $lifetime = $_POST["lifetime"];
  $error = "";
  $success = "";
if(empty($key)){
$error = "Please Input license key";
}else{
  mysqli_query($connect,"INSERT INTO license(key,length,lifetime)VALUE('$key','$length','$lifetime')");
    $success = "Key Successful!";
}  
}

?>

Here is the stuff for the form

<form method="post" autocomplete="off">
 <div class="form-horizontal">
  <div class="form-group">
   <label class="col-sm-2 control-label">Key?</label>
   <div class="col-sm-10">
    <input type="key" name="key" class="form-control" placeholder="License Key" required>
   </div>
   </div>
   <div class="form-group">
    <label class="col-sm-2 control-label">Length of key?</label>
    <div class="col-sm-10">
    <select type="length" name="length" class="selectpicker form-control">
      <option value="1">7 days</option>
      <option value="2">1 month</option>
      <option value="3">Lifetime</option>
      </select>
      </div>
       </div>
       <div class="form-group">
       <label class="col-sm-2 control-label">Lifetime?</label>
       <div class="col-sm-10">
       <select type="lifetime" name="lifetime" class="selectpicker form-control">
       <option value="0">No</option>
       <option value="1">Yes</option>
       </select>
      </div>
     </div>
      <div class="form-group">
      <label class="col-sm-2 control-label">Submit</label>
      <div class="col-sm-10">
      <button class="btn btn-success" name="submit" type="submit" id="update-button" value="license">Create Key</button>
      </div>
     </div>
   </form>

The point where MySql/MariaDB found a problem near the 'key, … part of the sql query statement, must be something it cannot understand. Perhaps see this - https://dev.mysql.com/doc/refman/8.0/en/keywords.html#keywords-8-0-detailed-K

Next, this code has a couple of serious operational/security issues, among other problems. Because the login check code does not STOP code execution, if the user is not logged in, the insert part of the code always runs, i.e. anyone can submit the expected post data to this code and it will get used. You MUST have an exit/die statement after every redirect in order to stop code execution. Also, don’t put external, unknown, dynamic data values directly into an sql query statement, since this allows sql special characters in the data to break the sql query syntax, which is how sql injection works. For the INSERT query, anyone can inject sql to convert that into an INSERT … SELECT query to grab any values from any of your database tables and insert it where they can then view it on your web site. Use a prepared query when supplying external, unknown, dynamic data values to a query when it gets executed.
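The points from the reply above, applied to the posted handler, as an added example that is not part of the original thread: every redirect is followed by `exit`, the reserved word `key` is quoted with backticks, and both queries are prepared statements. It assumes, as in the question, that `header.php` starts the session and creates `$connect`; `redirect_and_stop()` and the "Invalid length or lifetime" message are hypothetical names introduced here.

```php
<?php
// Added example: assumes, as in the question, that header.php starts the
// session and creates the mysqli connection $connect.
require_once "header.php";
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Hypothetical helper: redirect and stop, so nothing below runs for this request.
function redirect_and_stop(string $url): void
{
    header("Location: " . $url);
    exit;
}

if (!isset($_SESSION["id"])) {
    redirect_and_stop("login.php");
}

// Same access check as the original, with the id bound as a parameter.
$stmt = $connect->prepare(
    "SELECT username FROM users WHERE id = ? AND level > 0 AND blacklisted < 1"
);
$stmt->bind_param("i", $_SESSION["id"]);
$stmt->execute();
if ($stmt->get_result()->num_rows === 0) {
    redirect_and_stop("logout.php");
}

$error = "";
$success = "";
if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["submit"])) {
    $key      = is_string($_POST["key"] ?? null) ? trim($_POST["key"]) : "";
    $length   = $_POST["length"] ?? "";
    $lifetime = $_POST["lifetime"] ?? "";
    // Accept only the option values the form actually offers.
    if ($key === "") {
        $error = "Please Input license key";
    } elseif (!in_array($length, ["1", "2", "3"], true)
           || !in_array($lifetime, ["0", "1"], true)) {
        $error = "Invalid length or lifetime";
    } else {
        // `key` is a reserved word in MySQL/MariaDB, so it is quoted with
        // backticks; the values travel separately from the SQL text.
        $insert = $connect->prepare(
            "INSERT INTO license (`key`, `length`, `lifetime`) VALUES (?, ?, ?)"
        );
        $insert->bind_param("sss", $key, $length, $lifetime);
        $insert->execute();
        $success = "Key Successful!";
    }
}
```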

Not gonna lie, I took a few days off cause this stuff was really frustrating me. As soon as I saw “key” in the link you sent it made sense PHP was calling the key function instead of trying to post into the key column in mysql.
