-1

Could someone explain to me what's wrong with my registration page? The database connection is fine but when I check the table there aren't any new users.

My HTML

<form action="register.php" method="post">
<input type="text" name="username" placeholder="username"><br/>
<input type="password" name="password" placeholder="password"><br/>
<input type="text" name="email" placeholder="E-mail"><br/>
<input type="submit" value="Submit">
</form>

My PHP

<?php

$user_name = "mah user name";
$password = "mah password";
$database = "Peoples";
$server = "mysql6.000webhost.com";

$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);
$username = test_input($_POST["username"]);
$email = test_input($_POST["email"]);
$password = $_POST["password"];
$registered=0;

if ($db_found) {

$SQL = "INSERT INTO users (username,password,email,registered) VALUES ($username, $password, $email,$registered)";

$result = mysql_query($SQL);

mysql_close($db_handle);

print "Records added to the database";

}
else {

print "Database NOT Found ";
mysql_close($db_handle);

}

function test_input($data)
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}

Sorrry If there is too much code. ?>

Mister Joe
  • 135
  • 1
  • 2
  • 6

2 Answers2

0

Try to put function test_data before values.

<?php

  $user_name = "mah user name";
  $password = "mah password";
  $database = "Peoples";
  $server = "mysql6.000webhost.com";

  $db_handle = mysql_connect($server, $user_name, $password);
  $db_found = mysql_select_db($database, $db_handle);

  function test_input($data){
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
  }

  $username = test_input($_POST["username"]);
  $email = test_input($_POST["email"]);
  $password = $_POST["password"];
  $registered=0;


  /* or you could use PHP built in filters

  $username  = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
  $password  = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
  $email     = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
  */


  $SQL = "INSERT INTO users (username,password,email,registered) VALUES ('$username','$password','$email','$registered')";

  $result = mysql_query($SQL) or die(mysql_error());

  if($result) {
    echo 'Registration was successfull.';
  }
  else {
    echo 'Registration was not successfull';

  }

mysql_close($db_handle);
?>

more about built in filters PHP Filters

Milan and Friends
  • 5,560
  • 1
  • 20
  • 28
0

I've had these problems before, it generally takes a little sussing as MySQL errors don't show up as PHP errors - and so aren't printed to the page. Personally I'd make use of MySQLi with PHP as it has greater support for several things, just do a google search if you want specifics, sometimes SQL can just need wrapping the table and database names in queries with ` characters (left of 1 key on windows keyboards)

Try using the following code instead:

<?php
    // Init databse connection
    $db_handle = new mysqli("mysql6.000webhost.com","username","password","Peoples") or die("Database connection error");

    // check connection
    if ($db_handle->connect_errno) {
        printf("Connect failed: %s\n", $mysqli->connect_error);
        exit();
    }

    // Strip function for query string
    function test_input($data){
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    $username = test_input($_POST["username"]);
    $email = test_input($_POST["email"]);
    $password = $_POST["password"];
    $registered=0;

    // Try insert query, sometimes wrapping the table name in ` characters solves the issue - only use on database and table names not values
    if($result = $db_handle->query("INSERT INTO `users` (username,password,email,registered) VALUES ('$username','$password','$email','$registered');")) {
        echo 'Records added to the database';
        // free result set
        $result->close();
    }
    else {
        echo 'Database NOT Found';
    }

    $db_handle->close();
?>

Also it's good practice to unset($var); 's but to be honest if you're expecting little traffic it's nothing really to worry about.

If you are holding user data in your database, holding raw passwords can upset people and you really shouldn't do it in the event that data gets stolen from you and then you have to explain to all your users why someone is running around with the username and password they like to use for everything they login to.

You should use:

$password = hash('sha256',$_POST['password']);

And store that string, or any other hash variant you prefer - sha256 happens to be the one I like to use. When a user tries to login you should again hash the password they've provided and check it against the hash stored in your database.

And finally some users might prefer you use SSL encryption for your domain if they are entering passwords online, again just do a google search if you are unfamiliar, any more questions I'll answer as best I can :)

GroovyCarrot
  • 514
  • 3
  • 6
  • Server side hash is too late, the password may have been intercepted already. Use a client side hash and send the already encoded password so if intercepted the thief gains nothing. – Gary Hayes Sep 21 '13 at 03:47
  • I wouldn't necessarily say hashing client side is needed unless you didn't trust the server for some reason, as I said though you should be using a HTTPS tunnel (SSL), if you want to get really technical you shouldn't even be storing the whole hash and just using salts but the debate of security in web development goes on forever – GroovyCarrot Sep 22 '13 at 11:36