
So I'm just trying to make a simple sign-up page, but no matter what I do I can't get any of the information to be inserted into the database. Can anyone see what I'm doing wrong?

There are no errors being thrown. It's also not directing me to the listings.php page like I want; instead, it's just bringing me back to the index.php page.

// Sign-up handler as posted in the question: validates the form fields,
// checks that the e-mail is unused, then tries to insert the user, send a
// confirmation mail, fill the session and redirect to listings.php.

// include configuration file
include('config.php');

// connect to the database
// NOTE(review): on failure the driver's error text is sent to the browser.
$dbc = mysqli_connect ($db_host, $db_user, $db_password, $db_name) OR die ('Could not connect to MySQL: ' . mysqli_connect_error());

// continue session
session_start();

// if the form has been submitted
if(isset($_POST['submit']))
{
    // create an empty error array
    $error = array();

    // check for a firstname
    if(empty($_POST['firstname']))
    {
        $error['firstname'] = 'Required field';
    } 

    // check for a lastname
    if(empty($_POST['lastname']))
    {
        $error['lastname'] = 'Required field';
    } 

    // check for a email
    if(empty($_POST['email']))
    {
        $error['email'] = 'Required field';
    } else {

        // check to see if email address is unique
        // NOTE(review): $_POST['email'] is interpolated straight into the SQL
        // text, so the query is open to SQL injection; bind it as a parameter
        // of a prepared statement instead.
        $query = "SELECT user_id FROM users WHERE email = '{$_POST['email']}'";
        // NOTE(review): the return value is not checked; if the query fails,
        // $result is false and the error goes unreported.
        $result = mysqli_query($dbc, $query);
        if(mysqli_num_rows($result) > 0)
        {
            $error['email'] = 'You already have an account';
        }
    }

    // check for a password
    if(empty($_POST['userpass']))
    {
        $error['userpass'] = 'Required field';
    } 

    // if there are no errors
    if(sizeof($error) == 0)
    {
        // insert user into the users table
        // NOTE(review): the string below is a bare expression; it is never
        // assigned to $query. $query therefore still holds the SELECT from the
        // e-mail check, and that is what mysqli_query() runs again further
        // down, so no row is inserted.
        // NOTE(review): the form values are interpolated into the SQL text
        // here as well (SQL injection), and the password would be stored as an
        // unsalted sha1() digest; prefer a prepared statement and
        // password_hash().
    "INSERT INTO users (
                    user_id,    
                    firstname,
                    lastname,
                    email,
                    userpass,
                    signupdate
                    ) VALUES (
                        null, 
                    '{$_POST['firstname']}',
                    '{$_POST['lastname']}',
                    '{$_POST['email']}',
                    sha1('{$_POST['userpass']}'),
                    NOW()
                    )";
        $result = mysqli_query($dbc, $query);

        // obtain user_id from table
        // No INSERT has run on this connection at this point, so no new id is
        // available here.
        $user_id = mysqli_insert_id($dbc);

        // send a signup e-mail to user
        // NOTE(review): the recipient comes from $_POST['email'] and has only
        // been checked for being non-empty; validate it as a single address
        // before passing it to mail().
        $message = "Dear {$_POST['firstname']} {$_POST['lastname']},\n";
        $message = $message . "Thank you for signing up!\n";
        mail($_POST['email'], 'Sign up confirmation', $message, "From: admin@designingsocialplatforms.com");

        // append user_id to session array
        $_SESSION['user_id'] = $user_id;
        $_SESSION['firstname'] = $_POST['firstname'];
        $_SESSION['lastname'] = $_POST['lastname'];

        // redirect user to profile page
        header("Location: listings.php");
        exit();

    } 
}
  • "There are no errors being thrown" How do you know? You need to echo out the mysqli errors for the select and insert, to see if there are errors. Also make sure to check your PHP error log file (do not just rely on your in script error reporting, as if those have mistakes or errors, they wont report themselves!) – James Dec 12 '13 at 22:27
  • You probably have an SQL error occurring somewhere. Check the value of `$result` after your query like this: `$result = mysqli_query($dbc, $query) or die(mysqli_error($dbc));`. –  Dec 12 '13 at 22:28

1 Answer


You need to set the $query variable:

// Excerpt: only the start of the "no errors" branch is shown; the rest of the
// branch and its closing brace are not repeated here.
if(sizeof($error) == 0)
{
    // insert user into the users table
    // Assigning the string to $query is what makes the later
    // mysqli_query($dbc, $query) call run this INSERT.
    // NOTE(review): the $_POST values are still interpolated into the SQL text
    // (SQL injection) and the password is stored as an unsalted sha1() digest;
    // bind the values through a prepared statement and hash the password with
    // password_hash() instead.
    $query = "INSERT INTO users (
                user_id,    
                firstname,
                lastname,
                email,
                userpass,
                signupdate
                ) VALUES (
                    null, 
                '{$_POST['firstname']}',
                '{$_POST['lastname']}',
                '{$_POST['email']}',
                sha1('{$_POST['userpass']}'),
                NOW()
                )";

Also, a side note: I would use prepared statements, like this:

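<?php

// Sign-up handler: validates the posted form, creates the user row through
// prepared statements, sends a confirmation mail, marks the session as
// signed in and redirects to listings.php.

// include configuration file; require stops the script if it is missing
require('config.php');

// connect to the database
$mysqli = new mysqli($db_host, $db_user, $db_password, $db_name);

// Checking for mysqli errors
if (mysqli_connect_errno()) {
    // The driver's message can name the host and account, so it goes to the
    // server log and the visitor only sees a generic failure.
    error_log('Connect failed: ' . mysqli_connect_error());
    exit('Connect failed.');
}

// continue session
session_start();

// if the form has been submitted
if (isset($_POST['submit'])) {
    // create an empty error array
    $error = array();

    // check for a firstname
    if (empty($_POST['firstname'])) {
        $error['firstname'] = 'Required field';
    }

    // check for a lastname
    if (empty($_POST['lastname'])) {
        $error['lastname'] = 'Required field';
    }

    // check for an email
    if (empty($_POST['email'])) {
        $error['email'] = 'Required field';
    } elseif (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
        // The value is passed to mail() as the recipient further down.
        // Accepting only one well-formed address also rejects embedded line
        // breaks, which could otherwise add headers to the message.
        $error['email'] = 'Invalid e-mail address';
    } else {
        // check to see if email address is unique
        $query = "SELECT user_id FROM users WHERE email = ?";

        if ($stmt = $mysqli->prepare($query)) {
            $stmt->bind_param('s', $_POST['email']);
            $stmt->execute();
            $stmt->store_result();
            $returned_amount = $stmt->num_rows;
            $stmt->free_result();
            $stmt->close();
        } else {
            die("Query failed to prepare!");
        }

        if ($returned_amount > 0) {
            $error['email'] = 'You already have an account';
        }
    }

    // check for a password
    if (empty($_POST['userpass'])) {
        $error['userpass'] = 'Required field';
    }

    // if there are no errors
    if (sizeof($error) == 0) {
        // Hash in PHP with a salted, deliberately slow algorithm instead of
        // SQL sha1(): unsalted SHA-1 digests are quick to brute-force if the
        // table ever leaks. The login code has to check passwords with
        // password_verify(), and the userpass column must be wide enough for
        // the hash (the PHP manual suggests 255 characters).
        $password_hash = password_hash($_POST['userpass'], PASSWORD_DEFAULT);

        // insert user into the users table
        $query = "INSERT INTO users (
                    user_id,
                    firstname,
                    lastname,
                    email,
                    userpass,
                    signupdate
                    ) VALUES (
                        null,
                    ?,
                    ?,
                    ?,
                    ?,
                    NOW()
                    )";

        // The statement is run only through prepare()/execute(). A plain
        // mysqli_query() call cannot run a query containing ? placeholders,
        // and $dbc is not defined in this version of the script.
        if ($stmt = $mysqli->prepare($query)) {
            $stmt->bind_param(
                'ssss',
                $_POST['firstname'],
                $_POST['lastname'],
                $_POST['email'],
                $password_hash
            );

            // execute() returns false on failure, e.g. when a unique index
            // rejects an address registered between the check and the insert.
            if (!$stmt->execute()) {
                error_log('Sign-up insert failed: ' . $stmt->error);
                $stmt->close();
                die("Query failed to execute");
            }

            // obtain user_id from table
            $user_id = $mysqli->insert_id;
            $stmt->close();
        } else {
            die("Query failed to prepare itself");
        }

        // send a signup e-mail to user
        $message = "Dear {$_POST['firstname']} {$_POST['lastname']},\n";
        $message = $message . "Thank you for signing up!\n";
        mail($_POST['email'], 'Sign up confirmation', $message, "From: admin@designingsocialplatforms.com");

        // Issue a fresh session id now that the session identifies a user, so
        // an id that was known before sign-up is no longer valid
        // (session fixation).
        session_regenerate_id(true);

        // append user_id to session array
        $_SESSION['user_id'] = $user_id;
        $_SESSION['firstname'] = $_POST['firstname'];
        $_SESSION['lastname'] = $_POST['lastname'];

        // redirect user to profile page
        header("Location: listings.php");
        exit();
    }
}

?>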
Arian Faurtosh
  • Yah! Thanks so much! I must of deleted that at some point and kept looking over it. But if you don't mind me asking, why should it be the `($result)` rather than the `($dbc)` – Christine Austin Dec 12 '13 at 22:52
  • @ChristineAustin I edited my answer to show you how I would write it... You don't have to do it like this but using prepared statements is really secure because no one can do an SQL Injection. I also changed the `include` to require, it won't execute if it doesn't find the file. See here for more info on SQL Injection Prevention: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Arian Faurtosh Dec 12 '13 at 23:00
  • Thanks so much, it's people like you who help me learn that much more about making websites! – Christine Austin Dec 13 '13 at 00:17