2

I have 2 problems. Basic story: I have created a SIMPLE registration and login system.
Problem 1: If I try to register a new account, it says "user registration failed". At the moment it should say that, because MySQL can't get the right information from the forms. But the problem is that I don't know why. Everything seems correct...
Problem 2: If I try to log in with an existing account, it seems that the browser is only refreshing the page and nothing else...
Registration with PHP code:

 <?php
   require ('insert.php');
  // If values posted, insert into the database.
    if (isset($_POST['username']) && isset($_POST['password'])){
        $name = $_POST['name'];
        $email = $_POST['email'];
        $username = $_POST['username'];
        $password = $_POST['password'];

        // nimi refers to name, it's correct
        $query = "INSERT INTO `user` (nimi, email, username, password) 
                    VALUES('$name', '$email', '$username', '$password')";

        //POST retrieves the data.
        $result = mysqli_query($connection, $query);

        if($result){
            $smsg = "User Created Successfully.";
        } else {
            $fmsg = "User Registration Failed";
        }
    }

    mysqli_close($connection);
    ?>
     <html>
    ...
    <body>
    ...
    <div>

        <form method="POST" class="form-horizontal" role="form">

        <!-- Status, how registering went -->
        <?php if(isset($smsg)){ ?><div class="alert alert-success" role="alert"> <?php echo $smsg; ?> </div><?php } ?>
        <?php if(isset($fmsg)){ ?><div class="alert alert-danger" role="alert"> <?php echo $fmsg; ?> </div><?php } ?>


        <!-- Registration form starts -->
            <h2>Form</h2><br>


                <label for="Name"></label>
                <input name="name" type="text" id="name" maxlength="40" placeholder="Ees- ja perenimi" class="form-control" autofocus> <!-- lopp -->

                <label for="email"></label>
                <input name="email" type="email" id="email" maxlength="65" placeholder="Email" class="form-control"> <!-- lopp -->


                <label for="Username"></label>
                <input name="username" type="text" id="userName" maxlength="12" placeholder="Kasutajatunnus/kasutajanimi" class="form-control" required> <!-- lopp -->

                <label for="Password"></label>
                <input name="password" type="password" id="password" maxlength="12" placeholder="Parool" class="form-control" required>

<button type="submit" class="btn btn-primary btn-block">Join</button>
            </form> <!-- /form -->

        </div> <!-- ./container -->
    ...
    </body>
</html>

Login:

<?php
session_start();
require ('insert.php');

//Is username and password typed?
if (isset($_POST['username']) and isset($_POST['password'])){
    //Making vars from inputs
    $username = $_POST['username'];
    $password = $_POST['password'];
    //Checking existent of values.
    $query = "SELECT * FROM `liikmed` 
                WHERE username='$username' 
                and password='$password'";

    $result = mysqli_query($connection, $query) 
                    or die(mysqli_error($connection));
    $count = mysqli_num_rows($result);
    //3.1.2 If values equal, create session.
    if ($count == 1){
        $_SESSION['username'] = $username;
    } else {
        //If credentials doesn't match.
        $fmsg = "Invalid Login Credentials.";
    }
}
//if user logged in, welcome with message
if (isset($_SESSION['username'])){
    $username = $_SESSION['username'];
    echo "Hai " . $username . "";
    echo "This is the Members Area";
    echo "<a href='logout.php'>Logout</a>";

}else{}
?>

<html>
...
<body>
...
<div id="bg"></div>


    <form method="POST" class="form-horizontal">
        <h2>Login</h2><br>

        <label for="User"></label>
        <input name="username" type="text" maxlength="15" placeholder="Username" class="form-control" required autofocus>

        <label for="Password"></label>
        <input name="password" type="password" maxlength="50" placeholder="Password" class="form-control" required autofocus>

        <button type="submit" class="btn btn-primary btn-block">Enter</button>

</form>   
</div>
...
</body>
</html>

And finally php database connection file (called insert.php):

<?php
$connection=mysqli_connect("localhost","root","pw");
if (!$connection){
    die("Database Connection Failed" . mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, 'my_database');
if (!$select_db){
    die("Database Selection Failed" . mysqli_error($connection));
}
?>
Isaac Bennetch
Rainer Lanemann
  • Instead of echoing a fairly unhelpful message like `$fmsg = "User Registration Failed";`, capture and show the real database error (while testing) using `$result->error`. Then you will know something went wrong and, more importantly, **what went wrong**. – RiggsFolly Feb 13 '17 at 12:54
  • Please don't store plain text passwords, **it's a huge security disaster**. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Feb 13 '17 at 12:56
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Feb 13 '17 at 12:57
  • OK, thanks. I know it's full of security risks, that's why I call it "simple", but thanks for the advice :) Trying $result->error. – Rainer Lanemann Feb 13 '17 at 13:00
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you cannot miss or ignore. – RiggsFolly Feb 13 '17 at 13:04
  • Thanks, it gave me a hint, had one wrong word in query... >.> But yeah, thanks for this tip! :) – Rainer Lanemann Feb 13 '17 at 13:17
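
The comments above recommend `password_hash()`/`password_verify()` and prepared statements. As an added example (not code from the asker or from either answer), this is how the registration insert and the login check could look with both applied. It assumes `$connection` from the page's `insert.php`, one `user` table used by both scripts, a `password` column of `VARCHAR(255)` and a unique index on `username`; `register_user`, `check_login` and the `page.php` redirect target are illustrative names.

```php
<?php
// Added example, not the asker's code. Assumptions: insert.php provides
// $connection; `user`.password is VARCHAR(255); `user`.username is UNIQUE.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
require 'insert.php';

function register_user(mysqli $connection, string $name, string $email,
                       string $username, string $password): bool
{
    // Store only a salted hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $connection->prepare(
        'INSERT INTO `user` (nimi, email, username, password) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $username, $hash);
    try {
        return $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {   // MySQL duplicate key: username taken
            return false;
        }
        throw $e;                       // anything else is a real fault
    }
}

function check_login(mysqli $connection, string $username, string $password): bool
{
    // Look the row up by username only; the password never enters the SQL.
    $stmt = $connection->prepare('SELECT password FROM `user` WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();            // true if a row was read, null if none
    $stmt->close();
    // password_verify() re-hashes the input with the stored salt and compares.
    return $found === true && password_verify($password, $hash);
}

// Login handler: runs only when the form was posted with both fields.
if (isset($_POST['username'], $_POST['password'])
    && check_login($connection, $_POST['username'], $_POST['password'])) {
    session_regenerate_id(true);        // fresh session ID after authentication
    $_SESSION['username'] = $_POST['username'];
    header('Location: page.php');       // placeholder target page
    exit;
}
```

Passwords stored in plain text before this change will not verify against `password_verify()`; those accounts need a reset or a one-time re-hash on next login.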

2 Answers

2

First of all, in your login PHP code, you only started a session but you didn't tell the form where to direct to if login is successful. Add a header to the code. That is:

if ($count == 1){
    $_SESSION['username'] = $username;
    header("Location: page.php"); //the page you want it to go to
    exit; //stop the script so nothing else runs after the redirect header
}

And your registration PHP code looks OK. Check your database table to see if you've misspelt anything there.

Oke Tega
0

Your logic to set the $_SESSION['username'] requires that the username and password combination exists once in your database. This might sound silly but can you confirm that this is the case (i.e. confirm that you have not created the same username and password combination). Altering the logic to be > 1 would also get around this temporarily. So your code

    if ($count == 1){
        $_SESSION['username'] = $username;
    }

should become

    if ($count > 1){
        $_SESSION['username'] = $username;
    }
asugrue15