View Full Version : have a problem with mysql


destrugter
07-21-2007, 08:01 AM
Ok, I was doing good until now. When people register they register with a username, pass, email, and their RuneScape name.... I am registering myself and displaying all of the above, but something went wrong with my insert.php file. I get this error now:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 5


Can anyone tell me what I did wrong.... Just in case, here is my code with the values anyway:


<?php
$con = mysql_connect("mysql","cheese","pizza");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("cheese", $con);
$sql="INSERT INTO UserInfo (username, pass, email, rsname)
VALUES
('$_POST[username]','$_POST[pass]','$_POST[email]','$_Post[rsname])";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "<p>Thank you <b>".$_POST['username']."</b>, your information has been added to the database, "
."you may now <a href=\"/\">log in</a>.</p>";
mysql_close($con)
?>

UnlimitedMB
07-22-2007, 12:05 AM
You're just asking to be hacked by posting that very badly insecure code here.

Put all values through mysql_escape_string() before putting them in an SQL query.

As for the error, you are missing a ' after $_Post[rsname].

I don't think you can use PHP values like that though, so you're probably just going to end up inserting empty rows.

Better this way:

$sql='INSERT INTO `UserInfo` (`username`, `pass`, `email`, `rsname`)
VALUES
(\''.mysql_escape_string($_POST['username']).'\',\''.mysql_escape_string($_POST['pass']).'\',\''.mysql_escape_string($_POST['email']).'\',\''.mysql_escape_string($_POST['rsname']).'\')';
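
The same insert in a hardened form, as an added example that is not from the thread: instead of escaping each value it binds the POST fields as parameters through PDO prepared statements, a different mechanism from the mysql_escape_string() approach above. The host, database, credentials and UserInfo columns are taken from the thread as given; the missing-field check and the output escaping are assumptions of this example.

```php
<?php
// Added example (not from the thread): the thread's INSERT done with PDO
// prepared statements, so user input travels as bound data and is never
// spliced into the SQL text. Host, database, credentials and the UserInfo
// table are the values the thread shows.
$dsn = 'mysql:host=mysql;dbname=cheese;charset=utf8mb4';
$pdo = new PDO($dsn, 'cheese', 'pizza', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Assumed check: refuse the request if a field is absent or empty, which
// otherwise silently turns into an empty string in the row.
$fields = ['username', 'pass', 'email', 'rsname'];
foreach ($fields as $f) {
    if (!isset($_POST[$f]) || $_POST[$f] === '') {
        die('Missing field: ' . htmlspecialchars($f, ENT_QUOTES, 'UTF-8'));
    }
}

// Named placeholders: no quoting, no escaping, no string concatenation.
// A value such as  ' OR '1'='1  arrives in the column as that literal text.
$sql = 'INSERT INTO `UserInfo` (`username`, `pass`, `email`, `rsname`)
        VALUES (:username, :pass, :email, :rsname)';
$stmt = $pdo->prepare($sql);
$stmt->execute([
    ':username' => $_POST['username'],
    ':pass'     => $_POST['pass'],
    ':email'    => $_POST['email'],
    ':rsname'   => $_POST['rsname'],
]);

// The username is reflected into HTML, so it is escaped on output too.
echo '<p>Thank you <b>' . htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8')
   . '</b>, your information has been added to the database, '
   . 'you may now <a href="/">log in</a>.</p>';
```

mysql_escape_string() does not take the connection's character set into account (mysql_real_escape_string() does), and the mysql_* extension was removed in PHP 7, so parameter binding is the durable fix rather than the escaping shown above.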

destrugter
07-22-2007, 05:42 AM
OMG! Thank you sooo much, it was a success! You guys are great =)

Oh yeah, and about that being hacked thing... none of that stuff is related to my account at all, I filled it in with cheese pizza just for nonsense... and if you don't believe me go ahead and try it... I'm not dumb when it comes to stuff like that, I switched all of my important stuff with nonsense stuff... thanks a ton though =)