0

I already have this code figured out, but the entries a user submits with the submit button aren't going anywhere. Is there any way to fix this, or should I just use the $_POST method?

PHP code:

    <?php
    include ("dbroutine.php");
    function register() {
        $connect = db_connect;
        if (!$connect)
        {
            die(mysql_error());
        }
        $select_db = mysql_select_db(securitzed, $connect);
        if (!$select_db) {
            die(mysql_error());
        }
        //Collecting info
        $fname = $_REQUEST ['fname'];
        $lname = $_REQUEST ['lname'];
        $username = $_REQUEST['username'];
        $password = $_REQUEST['password'];
        $email = $_REQUEST['email'];

        //Here we will check do we have all inputs filled

        if(empty($_REQUEST['username'])){
            die("Please enter your username!<br>");
        }

        if(empty($_REQUEST['password'])){
            die("Please enter your password!<br>");
        }

        if(empty($_REQUEST['email'])){
            die("Please enter your email!");
        }

        //Let's check if this username is already in use
        $user_check = mysql_query("SELECT username FROM members WHERE username = '".$_REQUEST['username']."'");
        $do_user_check = mysql_num_rows($user_check);
        //Now if email is already in use
        $email_check = mysql_query("SELECT email FROM members WHERE email= '".$_REQUEST['email']."'");
        $do_email_check = mysql_num_rows($email_check);
        //Now display errors
        if($do_user_check > 0){
            die("Username is already in use!<br>");
        }
        if($do_email_check > 0){
            die("Email is already in use!");
        }

        //If everything is okay let's register this user
        $insert = mysql_query("INSERT INTO members (username, password, email) 
    VALUES ('".$_REQUEST['username']."', '".$_REQUEST['password']."', '".$_REQUEST['email']."', '".$_REQUEST['fname']."', '".$_REQUEST['lname']."')");
        if(!$insert){
            die("There's little problem: ".mysql_error());
        }

    }
    switch($act){
        case "register";
            register();
            break;
    }

HTML code:

    <body>

        <form method="post">
            First Name: <input type="text" name="fname" value="" /> <br />
            Last Name: <input type="text" name="lname" value="" /> <br />
            E-mail: <input type="email" name="email" value="" /> <br />
            Desired Username: <input type="text" name="username" value="" /> <br />
            Password: <input type="password" name="password" value="" /> <br />
            Confirm Password: <input type="password" name="passwordconf" value="" /> <br />
            <input type="submit" value="Submit"/>
        </form>

    </body>

If I need to add anything, could anyone point it out, if not, I could also add some extra code if needed.

Max
  • 1
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 09 '13 at 06:26
  • You shouldn't actually use `$_REQUEST` if you already know it's going to be posted; so you should use `$_POST`. – Ja͢ck Apr 09 '13 at 06:28
  • If usernames are unique, make them unique in your database table structure; this will eliminate much of the code. – Ja͢ck Apr 09 '13 at 06:30
  • Using $_POST will work for you, also implement measures to prevent $_POST data from SQL injections from going to the db. – Coder anonymous Apr 09 '13 at 06:31
  • Also, in your form specify action and method as post. – Coder anonymous Apr 09 '13 at 06:31
  • I think you would benefit from a little more debugging; there's an issue somewhere, but I doubt we can help you in a practical way without knowing from which point the code doesn't work. – Ja͢ck Apr 09 '13 at 06:43

4 Answers

1

$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables. If you use $_REQUEST you have no guarantee that the data came from the post data, which leads to security holes in your script. I would use $_POST, but by using this method you are vulnerable to SQL injections.

$_GET retrieves variables from the querystring, or your URL. $_POST retrieves variables from a POST method, such as (generally) forms. $_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET.

Fix

You have to specify the action in your form as below.

    <form action="fetch_data.php" method="post">

    <form action="URL">

URL - Where to send the form-data when the form is submitted. Possible values:

  • An absolute URL - points to another web site (like action="http://www.example.com/example.htm")

  • A relative URL - points to a file within a web site (like action="example.htm")

Techie
  • 2
    This is useful information, but it should be a comment instead because it doesn't really answer the question. Also, I don't think action is really required, it will use the current page by default. – Ja͢ck Apr 09 '13 at 06:29
1

First, I advise you to read more about variables.

Second, $_REQUEST is a variable like $_POST, $_SESSION, $_GET and so on, which can be stored into your database. So, for your question, yes, you can use $_REQUEST to insert data in a MySQL database.

HOWEVER, using it as a substitute for the $_POST variable is not secure at all and not a good practice. Take a look at this to see how the $_POST variable works.

Third, you are using mysql_* functions in your code. Please consider using PDO or MYSQLI instead to prevent SQL INJECTION and secure your website better. In addition, MYSQL is deprecated in PHP 5.5 and up. Take a look at this tutorial; it shows you how to use PDO instead of MYSQL.

Fourth, you should not be storing passwords directly to databases; you need some form of password hashing. Read more about it here.

syrkull
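The points raised in this answer and in the comments (PDO prepared statements, password hashing, unique columns instead of lookup queries), put together as an added example that is not part of the original answer or the question's code. It assumes an in-memory SQLite database standing in for MySQL and a constructed array in place of `$_POST`; `open_db()` and the sample values are hypothetical.

```php
<?php
// Added example. Assumptions: SQLite in memory stands in for MySQL; columns follow the question.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE constraints replace the two SELECT-then-check queries.
    $db->exec('CREATE TABLE members (username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL, email TEXT NOT NULL UNIQUE, fname TEXT, lname TEXT)');
    return $db;
}

function register(PDO $db, array $post): string {
    foreach (['username', 'password', 'passwordconf', 'email'] as $field) {
        if (empty($post[$field]) || !is_string($post[$field])) {
            return "Please enter your $field!";
        }
    }
    if ($post['password'] !== $post['passwordconf']) {
        return 'Passwords do not match!';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email!';
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO members (username, password, email, fname, lname)
                          VALUES (:username, :password, :email, :fname, :lname)');
    try {
        $stmt->execute([
            ':username' => $post['username'],
            // Store a salted hash, never the submitted password itself.
            ':password' => password_hash($post['password'], PASSWORD_DEFAULT),
            ':email'    => $post['email'],
            ':fname'    => is_string($post['fname'] ?? null) ? $post['fname'] : '',
            ':lname'    => is_string($post['lname'] ?? null) ? $post['lname'] : '',
        ]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint violation
            return 'Username or email is already in use!';
        }
        throw $e;
    }
    return 'Registered.';
}

// Constructed sample submission; on the real page this array would be $_POST.
$db = open_db();
$form = ['fname' => 'Pat', 'lname' => "O'Brien", 'username' => "pat'ob", 'email' => 'pat@example.com',
         'password' => 'correct horse', 'passwordconf' => 'correct horse'];
echo register($db, $form), "\n"; // first submission
echo register($db, $form), "\n"; // same username and email submitted again
```

At login, the stored hash is checked with `password_verify()` rather than by comparing strings in SQL.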
0
  • Use ACTION in your HTML form.
  • Sanitize the data as well from SQL injection.
  • Check if data from $_REQUEST is not empty.
swapnesh
0

Try using

    $fname = $_POST ['fname'];
    $lname = $_POST ['lname'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];

You could also do the following to check the request params:

    var_dump($_POST);
Jaydeep Rajput