-5

I'm new to PHP and I was trying to make a simple registration form using PHP and MySQL. I have followed a tutorial but it does not seem to work.
Here is my code:

con.php

    <?php
        $host = "******";
        $user = "******";
        $pass = "******";
        $db   = '******';

        $con = mysql_connect($host,$user,$pass) or die('could not connect to database.');

        mysql_select_db($db,$con) or die('could not find database');
    ?>

register.php

    <?php
        include "con.php";
        $username = $_POST['user_name'];
        $password = md5($_POST['password']);
        $first    = $_POST['first'];
        $last     = $_POST['last'];
        $insert   = "insert into users (user_name,password,first,last) values(".$username.",".$password.",".$first.",".$last.")";
        mysql_query($insert) or die("Sorry could not complete signup");
        echo 'Signup succsessfull';
    ?>

HTML

    <form action='register.php' method='post'>
        <div style='color:orange;'>First name:</div>
        <input type='text' name='first' value='<?php if(isset($_POST["first"])){echo $_POST["first"];}?>'>
        <div style='color:orange;'>Last name:</div>
        <input type='text' name='last' value='<?php if(isset($_POST["last"])){echo $_POST["last"];}?>'>
        <div style='color:orange;'>User name:</div>
        <input type='text' name='user_name' value='<?php if(isset($_POST["user_name"])){echo $_POST["user_name"];}?>'>
        <div style='color:orange;'>Password:</div>
        <input type='password' name='password'>
        <input type='reset' value='Reset'>
        <input type='submit' value='Submit'>
    </form>

It would be great if someone could help figure this out because I can't.

Elias Van Ootegem
  • 4
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jul 18 '13 at 11:33
  • 1
    You are also [vulnerable to XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) – Quentin Jul 18 '13 at 11:34
  • Use PDO, it's actually pretty simple. – Callombert Jul 18 '13 at 11:34
  • 2
    So what's not working ?! (Besides the whole hacker's sweet dream...) – Callombert Jul 18 '13 at 11:34
  • What result do you get? How does that differ from the result you expect? – Quentin Jul 18 '13 at 11:35
  • You should specify in more detail what is "not working". What have you tried to make it work etc.? – eX0du5 Jul 18 '13 at 11:35

2 Answers

2
    $insert = "insert into users (user_name,password,first,last) values(".$username.",".$password.",".$first.",".$last.")";

String values in SQL have to be quoted. You aren't quoting your data.

Move to using prepared statements and bound variables as described in this answer and the database API will take care of adding the quotes for you.

Community
Quentin
  • 1
    Also, this "echo 'Signup succsessfull';" just outputs signup successful, it doesn't tell you if the insert was successful. – Callombert Jul 18 '13 at 11:37
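
The prepared-statement approach from the answer above, applied to the question's insert, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN differs), the function name `register_user` is hypothetical, and it swaps the question's `md5()` for `password_hash()`.

```php
<?php
// Added example, not from the thread. Table/column names follow the question;
// register_user() and the SQLite demo database are assumptions.
function register_user(PDO $pdo, array $post): bool
{
    // Require every field as a non-empty string before touching the database.
    foreach (['user_name', 'password', 'first', 'last'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    try {
        // Placeholders keep user input out of the SQL text; the driver binds the values.
        $stmt = $pdo->prepare(
            'INSERT INTO users (user_name, password, first, last)
             VALUES (:user_name, :password, :first, :last)'
        );
        // execute() reports whether the insert actually happened.
        return $stmt->execute([
            ':user_name' => $post['user_name'],
            // Salted password_hash() replaces the question's md5().
            ':password'  => password_hash($post['password'], PASSWORD_DEFAULT),
            ':first'     => $post['first'],
            ':last'      => $post['last'],
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details go to the server log, not the visitor
        return false;
    }
}

// Demo on in-memory SQLite so it runs offline; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT UNIQUE, password TEXT, first TEXT, last TEXT)');

// Constructed input: the apostrophes would break a concatenated query.
$input = ['user_name' => "o'brien", 'password' => 'correct horse',
          'first' => 'Pat', 'last' => "O'Brien"];
echo register_user($pdo, $input) ? "Signup successful\n" : "Could not complete signup\n";
// A second attempt with the same user name violates UNIQUE and is reported as a failure.
echo register_user($pdo, $input) ? "Signup successful\n" : "Could not complete signup\n";
// The stored value is the literal input, apostrophe included.
echo $pdo->query('SELECT user_name FROM users')->fetchColumn(), "\n";
```

The password column has to be wide enough for `password_hash()` output; the PHP manual recommends 255 characters.
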
1

Change your query as below:

    $insert = "insert into users (user_name,password,first,last) values('".$username."','".$password."','".$first."','".$last."')";

I think you have selected the varchar datatype for the fields, so you have to add single quotes to every variable.

jaydeep namera