The following mysqli query does not execute; when I check my 'users' table it contains no records:

connection.php:

    <?php
    // Open the connection (host, user, password and database are placeholders).
    $db_connect = mysqli_connect('myremotehost', 'myremoteuser', 'mypass', 'mydatabase');

    // mysqli_connect_errno() takes no arguments; it reports the last connect attempt.
    if (mysqli_connect_errno()) {
        echo mysqli_connect_error();
        exit();
    }

The signup script (the form posts back to this same file):

    <?php
    include 'database/connection.php';
    $username   = $_POST['username'];
    $password   = md5($_POST['password']);                // unsalted MD5, see the comments below
    $email      = $_POST['email'];
    $email_code = md5($_POST['username'] . microtime());  // '.' concatenates; '+' is arithmetic in PHP
    $gender     = $_POST['gender'];
    $ip         = getenv('REMOTE_ADDR');

    // Raw POST values are interpolated straight into the SQL string (injectable, see the comments below).
    $sql = "INSERT INTO `users` (username, password, email, email_code, gender, ip, signup, lastlogin, notescheck) VALUES('$username','$password','$email','$email_code','$gender','$ip',NOW(),NOW(),NOW())";
    // mysqli_query() returns false on failure; that return value is never checked here.
    $query = mysqli_query($db_connect, $sql);



Below this are the form fields, with input names username, email and gender (values 'm' and 'f').

The action of the actual form is action="", i.e. this same file.

I know that this code executes, since directly below the $sql and $query variables I have some other code that creates a folder in the /users/ directory, and whenever I check my online directory it does get created. But again, the problem is that the query does not post anything to the database.

Any suggestions?

Thanks guys!

Sven
JJJack
  • Why do you have `users` inside backticks? It's not a reserved word. – Funk Forty Niner Jul 29 '13 at 20:47
  • It does not do any harm. – Sven Jul 29 '13 at 20:47
  • Before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). When using `mysqli` you should be using [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to insert values like `$username` into your query, largely avoiding these issues. – tadman Jul 29 '13 at 20:56
  • Secondly, **never** use MD5 for encrypting passwords. It's almost effortless to crack and is not much better than plain text, especially when you don't even bother to use a salt. Do it properly with [bcrypt](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) or you will eventually get into trouble. This is the sort of mistake you make when you roll your own user management system rather than using a [popular PHP framework](http://www.phpframeworks.com/top-10-php-frameworks/) where all of this would already be done for you, or available as a module. – tadman Jul 29 '13 at 20:57
  • @tadman what PHP framework do you recommend for a social network-like site? Honestly, I am kind of new to programming with PHP and especially to using MySQLi. I also know that PDO is a more secure way to insert/retrieve data to/from the database. Any helpful tutorials, guys? Any other solutions to my problem? – JJJack Jul 29 '13 at 21:02
  • PDO is exactly as secure as mysqli. Both will be insecure if used incorrectly. – Sven Jul 29 '13 at 21:02
  • The [Yii framework](http://www.yiiframework.com/) seems to have come out on top lately, but [CodeIgniter](http://codeignighter.com/) and [CakePHP](http://cakephp.org/) are still quite popular and have a lot of community support. Using one of these will give your application structure and support for using third-party modules to add functionality without having to write it all yourself. If you must make low-level calls, PDO is a little easier and more friendly to use than `mysqli`, so I'd recommend that. They're both equivalent in terms of security, but PDO's named placeholders are better. – tadman Jul 29 '13 at 22:41

1 Answer

Add this line after the query:

    if (!$query) { die(mysqli_error($db_connect)); }

and see if it prints anything. Act according to the error message; at the very least, add it to your question.

Sven
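Putting Sven's answer and tadman's comments together, the following is an added example (written for this page; it is not code from the question or the answer) of the same signup INSERT with mysqli configured to raise on every error, a prepared statement instead of string interpolation, password_hash() instead of md5(), and a CSPRNG-generated email_code. It assumes PHP 7.0 or later and the asker's `users` table with the columns named in the question; the function names register_user and verify_login, and the credentials, are assumptions. One schema caveat the question cannot confirm: password_hash() output is 60 characters or more, so the password column must be at least VARCHAR(255), wider than a 32-character MD5 digest.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumes PHP >= 7.0 and a `users` table with the columns used in the question.

// 1. Make every mysqli failure an exception instead of a silent `false`.
//    This is the permanent form of the answer's `if (!$query) die(mysqli_error(...))`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_db(): mysqli
{
    // Credentials are placeholders (assumption); with REPORT_STRICT a failed
    // connect throws mysqli_sql_exception rather than needing mysqli_connect_errno().
    return new mysqli('myremotehost', 'myremoteuser', 'mypass', 'mydatabase');
}

// Returns the number of rows inserted (1 on success); throws on any DB error.
function register_user(mysqli $db, array $post, string $ip): int
{
    // Validate input before it goes anywhere near the query.
    $username = trim($post['username'] ?? '');
    $email    = trim($post['email'] ?? '');
    $gender   = $post['gender'] ?? '';
    if ($username === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('username or email missing/malformed');
    }
    if (!in_array($gender, ['m', 'f'], true)) {   // the form only offers m and f
        throw new InvalidArgumentException('gender must be m or f');
    }

    // Salted, slow hash (bcrypt today) instead of unsalted md5().
    $password_hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);

    // Unguessable confirmation token from the CSPRNG, not md5(username . microtime()).
    $email_code = bin2hex(random_bytes(16));

    // Prepared statement: values travel separately from the SQL text, so a username
    // like  x','','','','','',NOW(),NOW(),NOW());--  is stored literally instead of
    // rewriting the statement.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, email, email_code, gender, ip, signup, lastlogin, notescheck)
         VALUES (?, ?, ?, ?, ?, ?, NOW(), NOW(), NOW())'
    );
    $stmt->bind_param('ssssss', $username, $password_hash, $email, $email_code, $gender, $ip);
    $stmt->execute();                 // throws mysqli_sql_exception on failure
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Login check matching the hash stored above; constant-time compare inside password_verify().
function verify_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);        // bind_result works without the mysqlnd driver
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// Request handler for the form that posts back to this file.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $db   = connect_db();
        $rows = register_user($db, $_POST, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
        echo "inserted $rows row(s)";
    } catch (mysqli_sql_exception $e) {
        // Keep the server's message in the log; never echo it to the browser.
        error_log('signup failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Signup failed.';
    }
}
```

With MYSQLI_REPORT_STRICT on, the kind of problem the question describes (a column that does not exist, a value too wide for its column, a permissions error on INSERT) surfaces as a mysqli_sql_exception carrying the server's message, which is the same information the answer's die(mysqli_error(...)) line is meant to expose, but without the chance of forgetting the check on the next query.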